vlan on ASA 55*0

Dan Jagor
Level 1

Hi all,

I want to have a few VLANs on an ASA 5520, but so far I have had no luck making it work.

interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 mac-address 2222.1000.aaa1
 vlan 1
 nameif External-001
 security-level 0
 no ip address
 ipv6 address ****:****:*:1000::1/64
 ipv6 enable
 ipv6 nd suppress-ra
!
interface GigabitEthernet0/0.2
 mac-address 2222.2000.aaa1
 vlan 2
 nameif External-002
 security-level 0
 no ip address
 ipv6 address ****:*****:*:2000::1/64
 ipv6 enable
 ipv6 nd suppress-ra
!
!
ipv6 route External-001 ::/0 ****:****:4::1

but I can't ping the gateway. If I set up the IP and default route on External-00, it works. Therefore I assume it has something to do with trunking and tagging of the frames, but I'm not sure what to actually do about it.

Thank you for your help.

Dan

10 Replies

fb_webuser
Level 6

Try the same-security-traffic permit intra-interface command.

---

Posted by WebUser Marwan Hassan from Cisco Support Community App

Dan

Can you tell us what is connected to the physical interface of the ASA and share with us how that device is configured?

HTH

Rick

Yes, I have 'same-security-traffic permit inter-interface' as well as 'same-security-traffic permit intra-interface', just to see if it helps; I'm not going to use it in the final config.

Thank you

Dan

fb_webuser
Level 6

Router on a stick?! On the switch: switchport trunk encapsulation dot1q

---

Posted by WebUser Ahmed Serry from Cisco Support Community App

I think switchport is only on the ASA 5505, if I'm right.

Thank you,

Dan

Dan Jagor
Level 1

Hi all,

Thank you for the questions.

The 0/0 and 0/1 are external interfaces, the 0/2 and 0/3 internal; each of them will go to a different switch with a different config.

I can ping the gateway when I use the 0/0 interface instead of 0/0.1, which is why I think it has something to do with the trunk...

Thank you all for your time.

Dan

This is the config:

show run
: Saved
:
ASA Version 9.1(2)
!
hostname ***********
domain-name *********.net
enable password ******************* encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ***************** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 mac-address 2222.1000.aaa1
 vlan 1
 nameif External-001
 security-level 0
 no ip address
 ipv6 address ****:****:4:1000::1/64
 ipv6 enable
 ipv6 nd suppress-ra
!
interface GigabitEthernet0/0.2
 mac-address 2222.2000.aaa1
 vlan 2
 nameif External-002
 security-level 0
 no ip address
 ipv6 address ****:****:4:2000::1/64
 ipv6 enable
 ipv6 nd suppress-ra
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.1
 shutdown
 vlan 11
 nameif External-011
 security-level 0
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.1
 shutdown
 mac-address 2222.3000.aaa1
 vlan 21
 nameif Internal-021
 security-level 50
 no ip address
 ipv6 enable
 ipv6 nd reachable-time 1700000
 ipv6 nd ns-interval 9000
 ipv6 nd ra-interval 201
 ipv6 nd ra-lifetime 2000
 ipv6 nd dad attempts 20
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3.1
 shutdown
 vlan 31
 nameif Internal-031
 security-level 50
 no ip address
!
interface Management0/0
 nameif Management
 security-level 100
 ip address ***.***.***.**** 255.255.255.252
!
boot system disk0:/asa912-k8.bin
no ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name ********.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Management_IN extended permit ip any host ***.***.***.***
pager lines 24
logging enable
logging console notifications
logging buffered notifications
logging asdm notifications
mtu External-002 1500
mtu Management 1500
mtu Internal-021 1500
mtu Internal-031 1500
mtu External-001 1500
mtu External-011 1500
no failover
icmp unreachable rate-limit 100 burst-size 10
icmp permit host ***.***.***.*** Management
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Management_IN in interface Management
ipv6 icmp permit any echo External-001
ipv6 icmp permit any echo-reply External-001
ipv6 route External-001 ::/0 ****:****:4::1
route Management 0.0.0.0 0.0.0.0 ***.***.***.*** 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 4433
http 0.0.0.0 0.0.0.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 1
ssh 0.0.0.0 0.0.0.0 Management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 1
management-access Management
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
username ********* password ***************** encrypted privilege 15
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method email
Cryptochecksum:
: end
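The sub-interface configuration in the original post and in the full running config above follows a pattern that is easy to lint for automatically. The script below is an added example written for this page; it is not code from the thread or from Cisco. It parses an ASA-style config into interfaces and flags the sub-interface pitfalls that the thread circles around: a sub-interface tagged with VLAN 1 (the default native VLAN on a Cisco IOS 802.1Q trunk, whose frames leave the switch untagged, while an ASA sub-interface only matches frames tagged with its VLAN), a sub-interface whose parent is shut down, and a named sub-interface with no IPv4 or IPv6 address. The sample config is constructed to mirror the shape of the posted one, with the masked addresses replaced by the 2001:db8::/32 documentation prefix.

```python
"""Lint an ASA running-config for sub-interface / VLAN-tagging pitfalls.

Added example, not code from the thread. SAMPLE_CONFIG is constructed to
mirror the posted config; addresses use the 2001:db8::/32 documentation prefix.
"""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 1
 nameif External-001
 security-level 0
 no ip address
 ipv6 address 2001:db8:4:1000::1/64
 ipv6 enable
!
interface GigabitEthernet0/0.2
 vlan 2
 nameif External-002
 security-level 0
 no ip address
 ipv6 address 2001:db8:4:2000::1/64
 ipv6 enable
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.1
 shutdown
 vlan 11
 nameif External-011
 security-level 0
 no ip address
!
ipv6 route External-001 ::/0 2001:db8:4::1
"""


def parse_interfaces(config):
    """Return {name: {vlan, nameif, shutdown, addressed, parent}} for every
    'interface ...' stanza; a stanza ends at the next '!' line."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            name = m.group(1)
            # Sub-interfaces are written <parent>.<n>; physical ones have no dot.
            parent = name.split(".")[0] if "." in name else None
            current = interfaces[name] = {"vlan": None, "nameif": None,
                                          "shutdown": False, "addressed": False,
                                          "parent": parent}
            continue
        if line == "!":
            current = None
            continue
        if current is None:
            continue
        if line.startswith("vlan "):
            current["vlan"] = int(line.split()[1])
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line == "shutdown":
            current["shutdown"] = True
        # 'no ip address' starts with 'no', so only real addresses match here.
        elif re.match(r"(ip address|ipv6 address) \S", line):
            current["addressed"] = True
    return interfaces


def lint(config):
    """Return a list of (interface_name, finding) tuples for sub-interfaces."""
    ifs = parse_interfaces(config)
    findings = []
    for name, i in ifs.items():
        if i["parent"] is None:
            continue  # checks below only concern sub-interfaces
        parent = ifs.get(i["parent"])
        if i["vlan"] is None:
            findings.append((name, "no 'vlan' tag: sub-interface will never receive traffic"))
        elif i["vlan"] == 1:
            findings.append((name, "vlan 1 is the IOS default native VLAN and is sent "
                                   "untagged on a trunk; the ASA only matches tagged frames "
                                   "to a sub-interface, so use another VLAN or change the "
                                   "switch's native VLAN"))
        if parent is not None and parent["shutdown"] and not i["shutdown"]:
            findings.append((name, f"parent {i['parent']} is shutdown, so this sub-interface is down"))
        if i["nameif"] and not i["addressed"] and not i["shutdown"]:
            findings.append((name, "named sub-interface with neither an IPv4 nor an IPv6 address"))
    return findings


if __name__ == "__main__":
    for iface, msg in lint(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Run against the sample it reports only GigabitEthernet0/0.1, for its VLAN 1 tag; feeding it a saved `show run` from the firewall instead of SAMPLE_CONFIG is the intended use.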

I would investigate the configuration on the switch and ensure that the trunk is up and the correct VLANs are forwarding.

paolo bevilacqua
Hall of Fame

Wrong forum, post in "Security - firewalling". You can move your posting using the Actions panel on the right.

fb_webuser
Level 6

Dear danjagor001, in order to solve this problem you need to create identity NAT for both VLANs, meaning to do static NATing. For example, if you have vlan 10 and vlan 20, you will do two static NATs: 1) static (vlan10,vlan20) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 2) static (vlan20,vlan10) 192.168.20.0 192.168.20.0 netmask 255.255.255.0. Please let me know the result =) thanks

---

Posted by WebUser Marwan Hassan from Cisco Support Community App

Hello,

Thank you for the suggestion, but as all interfaces except management use IPv6, it should not require NAT at all. I've got a /29 IPv4 available as well and I'll allocate it later on, but getting IPv6 working is the priority.

Many thanks,

Dan
