Cisco Support Community

New Member

VLAN routing in ASA5510

If this has already been answered in an earlier post I apologize. How do I set up inter-VLAN routing on a Cisco ASA5510?

I am new to the Cisco ASA5510.

Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

VLAN routing in ASA5510

Hi,

Well, you have to make sure all the essential configurations are correct.

  • Make sure hosts are configured with correct network settings
  • Make sure each L3 device has a route for the required networks
  • Make sure the traffic is allowed on devices that filter traffic
  • Make sure that NAT configurations are correct for the traffic (or, as mentioned, that there is no NAT being performed)

On the ASA the usual way to test the rules is to use the "packet-tracer" command.

It should tell if there is anything wrong with the ASA configurations.

I can't really say what configurations you need as I don't know your setup and have not seen the current configurations. If the configurations are big then the best way to proceed at the start is to use the "packet-tracer" command to simulate connections going between the hosts that you are testing.

- Jouni

11 REPLIES
Super Bronze

VLAN routing in ASA5510

Hi,

So you want to configure the ASA as the L3 gateway of all the VLANs in your network.

Well, essentially you would be configuring the ASA almost the same way as a Cisco router.

You could choose a single physical interface, configure it as a trunk interface and connect it to your switch network.

A basic configuration example could be:

interface GigabitEthernet0/0
 description TRUNK
!
interface GigabitEthernet0/0.100
 vlan 100
 description LAN
 nameif LAN
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.200
 vlan 200
 description DMZ
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0

And so on.

Naturally this only handles the interface configuration; there are other things like NAT and ACL configurations and possibly routing configurations, depending on your actual setup.

- Jouni

New Member

VLAN routing in ASA5510

Thank you Jouni, we have set up our interfaces like this:

interface Ethernet0/0
 nameif ext
 security-level 0
 ip address 168.129.136.16 255.255.255.0
!
interface Ethernet0/1
 nameif int
 security-level 100
 ip address 172.21.191.254 255.255.0.0
!
interface Ethernet0/1.1
 description Guest Wifi access
 vlan 10
 nameif GUEST_WIFI
 security-level 1
 ip address 172.17.10.1 255.255.255.0
!
interface Ethernet0/1.30
 description VOIP Phone
 vlan 30
 nameif Voice_LAN
 security-level 100
 ip address 172.17.30.1 255.255.255.0

Do you think we still need to set up e0/0 as a trunk?

Super Bronze

VLAN routing in ASA5510

Hi,

Not really, the above configuration I mentioned was just an example of how the trunk is configured.

You seem to use the actual physical interface for some network as well. I guess it might be the network on your default VLAN 1?

Usually the actual physical interface is left without any configuration other than speed/duplex/description, perhaps. All the subinterfaces usually act as the gateways for the different VLANs.

- Jouni

New Member

Re: VLAN routing in ASA5510

So my routing statement will look like this?

nat ( voice_LAN.int)172.17.30.0 172.17.30.0

Is this right? Also, I do not want this traffic to go to the internet.

Super Bronze

Re: VLAN routing in ASA5510

Hi,

The format of that command doesn't look right.

If you mean the command "nat" then that is used to determine source addresses for Dynamic NAT and Dynamic PAT translations.

If you want to configure static identity NAT between different interfaces then I guess it would be something like this between "int" and "Voice_LAN":

static (int,Voice_LAN) 172.21.0.0 172.21.0.0 netmask 255.255.0.0

This is of course only for the network 172.21.0.0/16. I am not sure if you had some other ranges behind "int".

The NAT configurations also depend on your software. The above example is for software versions 8.2 and below. Software versions 8.3 and above use a completely different format.

- Jouni

New Member

Re: VLAN routing in ASA5510

So I need only one-way static NAT? Or do I need two-way static NAT?

Super Bronze

VLAN routing in ASA5510

Hi,

You should only need one "static" command.

But we can't see your NAT setup at the moment and don't know the software version, so I can't really say anything for sure.

As I said, if you have software version 8.2 or below then the above command will work. If you have 8.3 or above then it won't work, as the NAT was completely redone in 8.3 software.

- Jouni

New Member

Re: VLAN routing in ASA5510

Software version 8.4(4)9.

This is what my NAT looks like from show run:

nat (Voice_LAN,int) source static Voice_LAN Voice_LAN destination static Int_net Int_net

Is this right?

Super Bronze

VLAN routing in ASA5510

Hi,

That is for the 8.3+ software levels.

Though in 8.3+ software levels you don't really need to configure NAT between the local network interfaces; it just makes the whole setup more complicated.

Ideally you should NOT have ANY NAT configurations between your local interfaces. Typically you would only need NAT configurations from your LAN/DMZ interfaces towards the WAN interface of the ASA, configurations like Dynamic PAT and NAT0. It's usually simpler to have no NAT configuration at all between the local interfaces.

- Jouni
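Added example (mine, not code from the thread or from Cisco): a small Python lint that applies Jouni's checklist to the configuration posted earlier in the thread. It parses the interface block and the 8.3+ style "nat" line the original poster showed, builds the connected-route table, resolves a Voice_LAN to int flow by longest-prefix match (the step packet-tracer reports as its route lookup), applies the ASA's default security-level policy, and flags the two things discussed above: a physical interface that carries its own IP alongside subinterfaces, and identity NAT between two local interfaces. The function names, the constructed 172.21.5.5 destination and the outside-interface name "ext" passed to lint() are my assumptions.

```python
"""Lint an ASA 'show run' interface/NAT excerpt against the thread's checklist.

Added example: parser, route lookup and findings are illustrative, not Cisco code.
"""
import ipaddress
import re

# Sample input: the configuration posted in the thread (abridged), plus the
# 8.3+ style nat line from the later post.  Constructed for this example.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif ext
 security-level 0
 ip address 168.129.136.16 255.255.255.0
!
interface Ethernet0/1
 nameif int
 security-level 100
 ip address 172.21.191.254 255.255.0.0
!
interface Ethernet0/1.1
 description Guest Wifi access
 vlan 10
 nameif GUEST_WIFI
 security-level 1
 ip address 172.17.10.1 255.255.255.0
!
interface Ethernet0/1.30
 description VOIP Phone
 vlan 30
 nameif Voice_LAN
 security-level 100
 ip address 172.17.30.1 255.255.255.0
!
nat (Voice_LAN,int) source static Voice_LAN Voice_LAN destination static Int_net Int_net
"""


def parse_interfaces(text):
    """Return {nameif: {"phys", "level", "net"}} for every named interface."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = {"phys": line.split()[1], "level": None, "net": None}
        elif cur is None:
            continue
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = cur          # same dict, filled in below
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()
            # strict=False turns the interface address into its subnet
            cur["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return ifaces


def parse_nat(text):
    """Return (ingress, egress) interface pairs from 8.3+ 'nat (a,b) ...' lines."""
    return re.findall(r"^nat \((\S+?),(\S+?)\)", text, flags=re.M)


def egress_for(ifaces, dst_ip):
    """Longest-prefix match over connected networks (no static routes modelled)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for name, i in ifaces.items():
        if i["net"] and dst in i["net"]:
            if best is None or i["net"].prefixlen > ifaces[best]["net"].prefixlen:
                best = name
    return best


def default_policy(ifaces, src_if, dst_if):
    """ASA behaviour with no ACL applied: higher level -> lower passes, lower ->
    higher is dropped, equal levels need same-security-traffic permit."""
    a, b = ifaces[src_if]["level"], ifaces[dst_if]["level"]
    if a > b:
        return "allowed by security level"
    if a < b:
        return "needs an access-list on " + src_if
    return "needs same-security-traffic permit inter-interface"


def lint(text, src_if, dst_ip, outside="ext"):
    """Run the three checks and return human-readable findings."""
    ifaces = parse_interfaces(text)
    findings = []
    # 1. physical interface with its own IP next to subinterfaces
    for name, i in ifaces.items():
        if "." not in i["phys"] and i["net"] and any(
                o["phys"].startswith(i["phys"] + ".") for o in ifaces.values()):
            findings.append(f"{i['phys']} ({name}) has an IP and subinterfaces")
    # 2. route lookup plus default policy for the flow under test
    dst_if = egress_for(ifaces, dst_ip)
    if dst_if is None:
        findings.append(f"no route for {dst_ip}")
    else:
        findings.append(f"{src_if} -> {dst_if}: {default_policy(ifaces, src_if, dst_if)}")
    # 3. NAT statements that do not involve the outside interface
    for a, b in parse_nat(text):
        if outside not in (a, b):
            findings.append(f"nat ({a},{b}) between local interfaces is unnecessary")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, "Voice_LAN", "172.21.5.5"):
        print(finding)
```

Run against the posted configuration it produces three findings. The one that bears on the last question is the flow result: Voice_LAN and int both sit at security-level 100, so with the default policy the ASA drops that traffic until either same-security-traffic permit inter-interface is configured or an access-list is applied to Voice_LAN, which is exactly what packet-tracer would show at its ACCESS-LIST phase.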

New Member

Re: VLAN routing in ASA5510

So how can I pass all traffic from Voice_VLAN to the int interface? Because I have set up all the necessary servers on this side. Do you think I need to set up an access list?

