Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Is ASA 5555-x support trunk port configuration

Hi,

I use L3 switch 3560G with vLan to connect machines from several sites.

(L2)    (L3)     (L3)    (L3)
xx11--->xx01<--->yy01<-->zz01


e.g.

xx01
----

interface GigabitEthernet0/21
 spanning-tree portfast trunk           <--to yy01
!
interface Vlan1
 ip address 192.169.1.254 255.255.255.0
!
interface Vlan2
 ip address 192.168.1.254 255.255.255.0
!

ip default-gateway 192.169.1.251
ip route 0.0.0.0 0.0.0.0 192.168.1.253

yy01
----

interface GigabitEthernet0/23
 switchport trunk encapsulation dot1q   <--to xx01
 switchport mode trunk
 spanning-tree portfast trunk
!
interface Vlan1
 ip address 192.169.1.253 255.255.255.0
!
interface Vlan2
 ip address 192.168.1.253 255.255.255.0
!
ip default-gateway 192.169.1.252
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 0.0.0.0 0.0.0.0 192.168.1.252

Now, I want to add a Firewall (ff01) between xx01 and yy01 for better protection.

(L2)    (L3)    (FW)    (L3)     (L3)
xx11--->xx01<--->ff01<-->yy01<-->zz01

I found that even I follow the "vlan subinterfaces and 802.1Q trunking" document to configure
the firewall as below, I still cannot ping from the firewall ff01 to the L3 switch xx01's vlan2 IP.
Is something wrong with the static route on the firewall or the ASA 5555-X cannot support to
connect to a trunk port of a L3 switch 3560G?

ff01
----
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 1
 nameif maint
 security-level 0
 ip address 192.169.1.250 255.255.255.0
!
interface GigabitEthernet0/0.2
 vlan 2
 nameif to_xx01ssc
 security-level 0
 ip address 192.168.1.250 255.255.255.0
!

 

Thanks!!

 

Wayne

5 REPLIES
VIP Purple

I did't look for particular

I did't look for particular mistakes in your config, but there are two typical reasons for the behavior you describe. First make sure that you have the following lines in your ASA-config:

 

same-security-traffic permit inter-interface
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global

 

When connecting my ASA

When connecting my ASA firewalls to Cisco catalyst switches, I needed:

switchport nonegotiate

 

Also, best practice would be to stay away from vlan 1, which is used by a lot of the Cisco layer 2 port management protocols including CDP.   That calls for two changes.  First, put a different vlan on firewall interface Gi0/0.1.  Second, put a different and otherwise unused vlan as native on the trunked port, so that untagged traffic can't leak between vlan's as it enters and exits trunks.  E.g.

switchport trunk native vlan 400

switchport trunk allowed vlan 1-3,400

 

-- Jim Leinweber, WI State Lab of Hygiene
 

New Member

Hi,Thanks for your

Hi,

Thanks for your information.

>First, put a different vlan on firewall interface Gi0/0.1. 
>Second, put a different and otherwise unused vlan as native on the trunked port,
>so that untagged traffic can't leak between vlan's as it enters and exits trunks. 
>E.g.switchport trunk native vlan 400
>switchport trunk allowed vlan 1-3,400

The switchport command cannot running on the firewall
Are you saying run on the L3 switch?


I search the supportforums and find a similar case to me (although his problem is L2 switch)
It said when use the firewall ASA5510-X above (not ASA5505-X, my firewall is 5555-x),
when use the vlan subinterface , the same vlan cannot be define
on two different physcial port on the firewall.

For my case , I set several vlan with the same vlan number accross all my L3 switch.
e.g. vlan 2-5 was set on xx01,yy01,zzs01     and   L2 xx11 is vlan 2.
 

(L2)       (L3)          (L3)    (L3)
xx11--->xx01<--->yy01<-->zz01

Due to the vlan subinterface definition , I can only set the left handside's
firewall port to vlan 2 and vlan 3 (can't add vlan 4,5).
The right handside's fireall port to vlan 4 and vlan 5 (can't add valn 2,3).
This bother me because how can the vlan 2 on the L3 xx01 communciate with the the same vlan 2 on L3 yy01?
Is that adding static route on the firewall can solve my problem or this is another issue?

(L2)    (L3)                          (FW)                        (L3)    (L3)
xx11--->xx01<---------------->ff01<---------------->yy01<-->zz01
                            (vlan 2,3)         (vlan 4,5)

Sorry to have been unclear;

Sorry to have been unclear; yes, all of those switchport commands are on the switches, not the firewalls.  A key for me was have the switch port set to

switchport mode trunk

switchport nonegotiate

Cisco switches can dynamically decide between access mode and trunk mode depending on the far end.  In my experience Cisco firewalls don't support that protocol, and the trunk status of the switch port the firewall is connected to has to be set statically.

 

In general any time you cross a routing point, including firewalls in transparent mode, you change vlan tags.  So it's probably a bad idea to have subnets associated with the same vlan tag on both sides of the firewall.  If you have to do this, I think you would need to use non-trunked access-mode switchports, where the firewall is sending untagged ethernet packets and the switchport is adding whatever tag you want.  Your 5555-x firewall probably has 8 ethernet ports, so assuming one trunked port on the outside (say, to switch xx01), and one trunked port on the inside, you could have up to 6 ordinary firewall ports connected multiple access-mode switchports on switch yy01.  Those switchports could put back whatever vlan tags you wanted seen on yy01 and zz01.

New Member

Hi,I found that I only miss

Hi,

I found that I only miss the following two lines and I had add it back.

same-security-traffic permit inter-interface
:

inspect icmp

And after I do some trunk port setting on the L3 switch .
Now I can ping from the firewall to the left side L3 xx01 by using vlan 2,
I also can ping to the right side L3 yy01 by vlan4.
However I can't ping from L3 xx01 to yy01 using vlan 2 or vlan 4 directly. 
There's a limitation of the vlan subinterface.
The same vlan number cannot be coexist on the two different physical firewall port.
I also tried to add routing rule on the firewall but didn't success.
How can I route between two physical ports within the firewall?
 
The following configuration is not allowed
==========================================
ff01
----
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.2
 vlan 2
 nameif to_xx01ssc
 security-level 0
 ip address 192.168.1.250 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif to_yy01ssc
 security-level 0
 ip address 192.168.1.249 255.255.255.0

 

867
Views
0
Helpful
5
Replies
CreatePlease to create content