Re: Sub interface using ASA5510

newzion123 · ‎04-25-2009

Hi,

I have ASA5510 whose INSIDE interface is connected to a Cisco Cat 2960G switch (L2),Now I have 3 VLAN configured in the Cisco2960G,and a TRUNK port is connected to a ASA5510 Inside interface,that inside interface is configured as a TRUNK,which is automatic (802.1q enabled),in this case Is it possible to have the Inter VLAN communication between these 3 VLANs.If so,how to do it,or is there any requirement of L3 switch or router to have this interVLAN communication?

Please clarify my doubts.

Regards,

Newzion123.

Jon Marshall · ‎04-25-2009

Newzion123

Yes the ASA will allow the inter-vlan communication so you don't need an additional L3 switch/router.

First for configuring subinterfaces -

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

then you can either

1) give each subinterface a different security level and setup NAT and access-lists as you would with normal physical interfaces

or

2) give the subinterfaces the same security level and then add this to your config -

ASA(config)# same-security-traffic permit inter-interface

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intparam.html#wp1039276

Jon

newzion123 · ‎04-26-2009

Ji Jon,

thanks a lot for extending your support,i will try doing the same and let me inform you.

Regards,

newzion.

gbenga-olubisi · ‎04-25-2009

On the ASA5510 inside interface, you need to create subinterface (vlans) and name them (nameif) appropriately. You may assign same security-level to all the subinterfaces; if you do, you will need to config the command "same-security-traffic permit inter-interface" in global configuration. I hope this helps

newzion123 · ‎04-26-2009

Hi,

Thanks ,I will try this....

Regards,

Newzion123

cannan.ilangovan · ‎04-26-2009

inter-vlan routing in PIX/ASA is not working as it is intended to...i believe PIX/ASA have an L3 engine which takes care of this routing stuff (as otherwise, it would not have support for RIP and OSPF in v7.2)...but for some reasons, i am not able to get the box do it...any help from the experts would be greatly appreciated...

i have the following topology

FW1(PIX)---FW2(PIX)

| |

CoreSw1---CoreSw2

| |

\ /

AccessSwitch

/ \

PC1 PC2

the relevant configurations from my PIX is below...PIX1 and PIX2 are in Failover Cluster Mode...no question of NAT as i have disabled it using the Global configuration command "no nat-control"

interface e1

nameif TRUNK

security-level 100

no ip address

interface e1.10

vlan 10

nameif RMS-SD

security-level 100

ip address 10.116.205.130 255.255.255.128

interface e1.80

vlan 80

nameif RMS-DS

security-level 100

ip address 10.116.217.1 255.255.255.0

access-list inbound_in extended permit ip any any

access-list outbound_out extended permit ip any any

access-group inbound_in in RMS-SD

access-group inbound_in in RMS-DS

access-group outbound_out out RMS-SD

access-group outbound_out out RMS-DS

access-group inbound_in in TRUNK

access-group outbound_out out TRUNK

same-security-level permit inter-interface-traffic

same-security-level permit intra-interface-traffic

PC1 Gateway (PIX) : 10.116.205.130

PC1 interface IP : 10.116.205.132

PC2 Gateway (PIX) : 10.116.217.1

PC2 interface IP : 10.116.217.3

I am able to PING the Gateway(PIX) of PC1 from PC1 and the Gateway(PIX) of PC2 from PC2. But I am not able to reach/ping PC2 from PC1 and vice-versa.

cannan.ilangovan · ‎04-27-2009

i was wrong...it indeed was working...i was attempting to ping the gateway IP of PC1 from PC2 and vice-versa which is NOT working though..

but my attempt to ping PC1 from PC2 and vice-vera was successful...

thanks to all experts for their suggestions!!!