I found that even if I follow the "vlan subinterfaces and 802.1Q trunking" document to configure the firewall as below, I still cannot ping from the firewall ff01 to the L3 switch xx01's vlan 2 IP. Is something wrong with the static route on the firewall, or can the ASA 5555-X not support connecting to a trunk port of an L3 switch 3560G?
ff01
----
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 1
 nameif maint
 security-level 0
 ip address 220.127.116.11 255.255.255.0
!
interface GigabitEthernet0/0.2
 vlan 2
 nameif to_xx01ssc
 security-level 0
 ip address 192.168.1.250 255.255.255.0
!
When connecting my ASA firewalls to Cisco catalyst switches, I needed:
Also, best practice would be to stay away from vlan 1, which is used by a lot of the Cisco layer 2 port management protocols including CDP. That calls for two changes. First, put a different vlan on firewall interface Gi0/0.1. Second, put a different and otherwise unused vlan as native on the trunked port, so that untagged traffic can't leak between vlans as it enters and exits trunks. E.g.
> First, put a different vlan on firewall interface Gi0/0.1.
> Second, put a different and otherwise unused vlan as native on the trunked port,
> so that untagged traffic can't leak between vlans as it enters and exits trunks.
> E.g.
> switchport trunk native vlan 400
> switchport trunk allowed vlan 1-3,400
The switchport command cannot run on the firewall. Are you saying to run it on the L3 switch?
I searched the support forums and found a similar case to mine (although his problem is with an L2 switch). It said that when using the firewall ASA5510-X and above (not ASA5505-X; my firewall is a 5555-X) with vlan subinterfaces, the same vlan cannot be defined on two different physical ports on the firewall.
For my case, I set several vlans with the same vlan numbers across all my L3 switches, e.g. vlan 2-5 was set on xx01, yy01, zzs01 and L2 xx11 is vlan 2.
(L2)      (L3)      (L3)      (L3)
xx11 ---> xx01 <---> yy01 <--> zz01
Due to the vlan subinterface definition, I can only set the left-hand side's firewall port to vlan 2 and vlan 3 (can't add vlan 4, 5), and the right-hand side's firewall port to vlan 4 and vlan 5 (can't add vlan 2, 3). This bothers me, because how can vlan 2 on the L3 xx01 communicate with the same vlan 2 on L3 yy01? Can adding a static route on the firewall solve my problem, or is this another issue?
Sorry to have been unclear; yes, all of those switchport commands are on the switches, not the firewalls. A key for me was having the switch port set to
switchport mode trunk
Cisco switches can dynamically decide between access mode and trunk mode depending on the far end. In my experience Cisco firewalls don't support that protocol, and the trunk status of the switch port the firewall is connected to has to be set statically.
In general, any time you cross a routing point, including firewalls in transparent mode, you change vlan tags. So it's probably a bad idea to have subnets associated with the same vlan tag on both sides of the firewall. If you have to do this, I think you would need to use non-trunked access-mode switchports, where the firewall is sending untagged ethernet packets and the switchport is adding whatever tag you want. Your 5555-X firewall probably has 8 ethernet ports, so assuming one trunked port on the outside (say, to switch xx01) and one trunked port on the inside, you could have up to 6 ordinary firewall ports connected to multiple access-mode switchports on switch yy01. Those switchports could put back whatever vlan tags you wanted seen on yy01 and zz01.
I found that I was only missing the following two lines, and I have added them back.
same-security-traffic permit inter-interface :
And after I did some trunk port settings on the L3 switch, now I can ping from the firewall to the left side L3 xx01 using vlan 2, and I also can ping to the right side L3 yy01 via vlan 4. However, I can't ping from L3 xx01 to yy01 using vlan 2 or vlan 4 directly. There's a limitation of the vlan subinterface: the same vlan number cannot coexist on two different physical firewall ports. I also tried to add a routing rule on the firewall but didn't succeed. How can I route between two physical ports within the firewall?
The following configuration is not allowed
==========================================
ff01
----
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.2
 vlan 2
 nameif to_xx01ssc
 security-level 0
 ip address 192.168.1.250 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif to_yy01ssc
 security-level 0
 ip address 192.168.1.249 255.255.255.0
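The checks this thread turns on, as an added example that is not part of the thread or of any Cisco tool: a small Python linter that parses the flattened ASA interface config above and a Catalyst port config, and flags the three things discussed (the same VLAN tag on subinterfaces of two different physical ASA ports, interfaces at equal security level without `same-security-traffic permit inter-interface`, and a firewall-facing trunk that is not statically `switchport mode trunk`, uses native VLAN 1, or uses a native VLAN that also carries tagged data). The ASA sample is the "not allowed" config from the last post; the switch-port samples, the port name Gi0/24 and all function names are constructed for the example.

```python
"""Sanity checks for ASA 802.1Q subinterfaces and the Catalyst trunk that
carries them.  Added example, not code from the thread.  The configs below
are constructed from the thread's values; port names and function names
are assumptions."""
import re

# Constructed sample: the "not allowed" ASA config (vlan 2 on two physical ports).
ASA_CONFIG = (
    "interface GigabitEthernet0/0 no nameif security-level 0 no ip address ! "
    "interface GigabitEthernet0/0.2 vlan 2 nameif to_xx01ssc security-level 0 "
    "ip address 192.168.1.250 255.255.255.0 ! "
    "interface GigabitEthernet0/1 no nameif security-level 0 no ip address ! "
    "interface GigabitEthernet0/1.2 vlan 2 nameif to_yy01ssc security-level 0 "
    "ip address 192.168.1.249 255.255.255.0"
)

# Constructed switch-port samples: the weak setting and the corrected one.
BAD_TRUNK = """interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-3
 switchport mode dynamic desirable
"""
GOOD_TRUNK = """interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 400
 switchport trunk allowed vlan 1-3,400
 switchport mode trunk
"""


def parse_asa_interfaces(text):
    """Map each ASA subinterface to its parent port, VLAN tag and security level."""
    subifs = {}
    for block in text.split("!"):
        name = re.search(r"interface (\S+)", block)
        vlan = re.search(r"\bvlan (\d+)", block)
        if not name or not vlan:
            continue  # physical port or empty block: carries no 802.1Q tag
        sec = re.search(r"security-level (\d+)", block)
        nameif = re.search(r"(?<!no )nameif (\S+)", block)
        subifs[name.group(1)] = {
            "physical": name.group(1).split(".")[0],
            "vlan": int(vlan.group(1)),
            "nameif": nameif.group(1) if nameif else None,
            "security": int(sec.group(1)) if sec else None,
        }
    return subifs


def check_duplicate_vlans(subifs):
    """The same VLAN tag may not appear on subinterfaces of two physical ports."""
    ports_by_vlan = {}
    for info in subifs.values():
        ports_by_vlan.setdefault(info["vlan"], set()).add(info["physical"])
    return sorted((v, sorted(p)) for v, p in ports_by_vlan.items() if len(p) > 1)


def check_same_security(subifs, full_config):
    """Security levels shared by two or more named interfaces need
    'same-security-traffic permit inter-interface' before traffic can pass."""
    if "same-security-traffic permit inter-interface" in full_config:
        return []
    count = {}
    for info in subifs.values():
        if info["nameif"] and info["security"] is not None:
            count[info["security"]] = count.get(info["security"], 0) + 1
    return sorted(level for level, n in count.items() if n > 1)


def expand_vlan_list(spec):
    """Expand an IOS allowed-vlan list: '1-3,400' -> {1, 2, 3, 400}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_trunk_port(port_config, data_vlans):
    """Return findings for the switch port facing the firewall."""
    findings = []
    mode = re.search(r"switchport mode (.+)", port_config)
    if not mode or mode.group(1).strip() != "trunk":
        findings.append("trunk mode is not set statically (switchport mode trunk)")
    native = re.search(r"switchport trunk native vlan (\d+)", port_config)
    native_vlan = int(native.group(1)) if native else 1  # IOS default native VLAN
    if native_vlan == 1:
        findings.append("native VLAN is 1")
    if native_vlan in data_vlans:
        findings.append("native VLAN %d is also a tagged data VLAN" % native_vlan)
    allowed = re.search(r"switchport trunk allowed vlan (\S+)", port_config)
    if allowed:
        missing = data_vlans - expand_vlan_list(allowed.group(1))
        if missing:
            findings.append("trunk does not allow data VLANs %s" % sorted(missing))
    return findings


if __name__ == "__main__":
    subifs = parse_asa_interfaces(ASA_CONFIG)
    print("duplicate VLANs across ports:", check_duplicate_vlans(subifs))
    print("levels needing same-security-traffic:", check_same_security(subifs, ASA_CONFIG))
    vlans = {i["vlan"] for i in subifs.values()}
    for label, cfg in (("bad", BAD_TRUNK), ("good", GOOD_TRUNK)):
        print(label, "trunk:", check_trunk_port(cfg, vlans))
```

Run against the sample, the ASA check reports vlan 2 on both Gi0/0 and Gi0/1 and that security level 0 is shared without the permit line; the "bad" trunk is flagged for dynamic mode and native VLAN 1, while the "good" trunk (native 400, static trunk) is clean for the VLANs the firewall actually tags.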