New Member

VLANs and ASA5515-X

Hi, 

I have created multiple VLANs on a Cisco 3750 switch and configured inter-VLAN routing. A Cisco ASA 5515-X is the internet gateway. Should I also create the VLANs on the ASA, and should I make a trunk port between the firewall and the Cisco 3750?

ACCEPTED SOLUTION

VIP Green

If you have configured inter-VLAN routing on the 3750 switch then there really is no point in creating VLANs on the ASA as you already have no security between the VLANs.  If you remove the inter-VLAN routing and have the ASA do the routing between VLANs then, yes you would need to configure VLANs on the ASA as well as ACLs permitting and denying traffic...as well as NAT for that matter.

So, all you need to do is configure a Layer 3 port on the switch and connect it to the ASA and set the default route on the switch to point to the ASA, and you are done.  Well, you will still need to configure NAT on the ASA if you haven't done so already.

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
26 REPLIES
New Member

Do I need to configure NAT for each VLAN subnet on the ASA? And can the IP address of the inside interface of the ASA be from one of the VLAN subnets, or should it be from a different subnet?

If I have two internet gateways, then how will I handle default routes on the Cisco 3750 switch?

VIP Green

Each subnet requires a NAT statement that it can be matched to so it can be translated and sent to the internet.  So, depending on your company's security policy you could either do the simple way of matching all traffic on any inside interface and translate it to the outside interface or create more specific statements which can be considered to be a little more secure.

Here is an example of allowing all subnets from any interface and translating them to the outside interface IP:

object network ALL-SUBNETS
  subnet 0.0.0.0 0.0.0.0
  nat (any,outside) dynamic interface

New Member

I have made an L3 port with the no switchport command and connected it to the ASA inside interface, but the two directly connected interfaces are unable to ping each other. Is there anything else I need to do on either side?

New Member

It's working now, no need to reply.

But I have another issue. I am using two internet gateways. Can I use multiple default routes on the Cisco 3750 switch and policy-based routing?

VIP Green

Not exactly sure what you are getting at here.  But I will answer what I think you mean.

You could connect the two ISP gateways to the 3750 and place them in a separate VLAN (so traffic is separate from other local traffic) and have them go directly to the ASA.  Then, based on the source IP of traffic leaving the ASA towards the ISP gateways, you can configure PBR on the 3750 as you see fit.

New Member

I think you did not get my question. I have two different internet gateways, one from the Cisco ASA and one from a router. I have attached a diagram for explanation.

I have two default routes on the Cisco 3750 switch, one going through the ASA and one through the router. My question is: I want some VLANs to go to the internet via the ASA and some via the router. What configuration is required for that?

VIP Green

In this case you would want to configure policy based routing (PBR) on the 3750 switch.

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

route-map TRAFFIC-A permit 10
 match ip address 101
 set ip next-hop 1.1.1.2

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip policy route-map TRAFFIC-A

This should be applied to the ingress interface where the source traffic is entering the 3750 switch.

VIP Green

Oops, just noticed you provided IPs in your diagram.  Anyway, you just need to change the IPs as needed.

New Member

I am not getting this command at interface level:

ip policy route-map

I am using the following IOS image:

c3750-ipbase-mz.122-35.SE5

Do I need to upgrade IOS? Can I upgrade it to the IP Services image? My switch model is

WS-C3750G-24T-S

VIP Green

Is the port you are configuring it on an L2 port / trunk port?  Then that is why you do not see the command; it is meant for L3 routed ports. Do you have SVIs configured on the switch?  I personally have never tried to configure PBR on a VLAN interface, but you could give it a try and see if traffic is routed as you want.

New Member

It was a limitation in IOS: I have the IP Base IOS image, whereas this command is available in the IP Services image only.

New Member

It's working, but after applying the route-maps the internet has become very slow.

I have two default routes. When I omit one default route it works fine for one gateway, but with two default routes the response is very slow. How do I cater for this problem? Is there any alternative to default routes?

VIP Green

Well, theoretically if you remove the default route to the second ISP, the route-map should route the specified subnet in the matched ACL to the ISP interface.  You could remove the default route that points to the router and then test to see if things are still working as expected.

New Member

It works only with one default route. With two default routes of the same metric, traffic does not find the right path, and with two default routes of different metrics only one default route appears. It's not possible to implement PBR on a Cisco 3750 switch.

VIP Green

"and two default routes of different metrics only one default route is appeared."

This is expected: when you set default routes with different metrics, the one with the higher metric will usually be the backup default route. If you have two default routes with the same metric, traffic will be load-balanced over the two interfaces.

New Member

I think I need two Cisco 3750 switches, one with each gateway. PBR will not be required in this case.

VIP Green

Do you mean to have the separate networks connected to their own switch?

Before you do that, I would suggest looking into the price of the IP Services license and comparing that with purchasing a 3750X switch... it might be more financially viable to get the license.

New Member

Yes, separate networks on their own switch, and I will make a trunk between both switches for VLAN communication. Inter-VLAN routing will be distributed over both switches and the VLANs will go to the internet from separate internet gateways, one default route on each switch. Is it possible? I am not implementing policy-based routing, therefore IP Services is not required, nor a 3750X.

VIP Green

As long as the networks are on separate switches you will be fine with what you have described.

New Member

I want to filter inter-VLAN routing between different VLANs using access-lists on the Cisco 3750 switch. Please let me know where to apply this access-list. On the VLAN interface?

VIP Green

What access-lists are you talking about?

As long as the networks are physically connected to separate switches and each switch has its own (different) default gateway, the switch that the traffic first enters will determine the default gateway that traffic uses.

New Member

I want to filter inter-VLAN routing traffic. For example, I have the following VLANs:

Vlan 3:   172.16.5.0/24
Vlan 5:   192.168.50.0/24
Vlan 10:  192.168.100.0/24

Now I want to apply an ACL to block VLAN 5 and VLAN 10 traffic to VLAN 3:

access-list 101 deny ip 192.168.50.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 101 permit ip any any
!
interface vlan3
 ip address 172.16.5.1 255.255.255.0
 ! applied outbound: traffic from VLAN 5/10 towards VLAN 3 leaves via this SVI,
 ! so the deny entries can match (inbound here would only see 172.16.5.x sources)
 ip access-group 101 out

Is the above configuration correct?

VIP Green

Your configuration should work on routed packets. Keep in mind that it will only have an effect on routed packets and not on bridged frames.

If your configuration does not give you the desired result, try using VLAN ACLs (VACLs):

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swacl.html

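Added example, not from the thread: a small Python model of how a router ACL on a 3750 SVI is consulted, using the poster's ACL 101 and VLAN subnets (SVI names and host addresses are assumed). It shows that ACL 101 only filters VLAN 5/10 to VLAN 3 traffic where that traffic actually passes the switch (outbound on interface vlan3, or inbound on vlan5/vlan10), that applied inbound on vlan3 it only ever sees 172.16.5.x sources so the deny entries never match, and that same-VLAN (bridged) frames are never checked at all, as the reply above notes.

```python
import ipaddress

# Constructed from the thread: the poster's three VLAN subnets (SVI names assumed)
SVIS = {"vlan3": ipaddress.ip_network("172.16.5.0/24"),
        "vlan5": ipaddress.ip_network("192.168.50.0/24"),
        "vlan10": ipaddress.ip_network("192.168.100.0/24")}

# The poster's ACL 101, verbatim
ACL_101 = ["access-list 101 deny ip 192.168.50.0 0.0.0.255 172.16.5.0 0.0.0.255",
           "access-list 101 deny ip 192.168.100.0 0.0.0.255 172.16.5.0 0.0.0.255",
           "access-list 101 permit ip any any"]

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC [WILD] DST [WILD]'; an IOS
    wildcard is a hostmask, which ipaddress accepts after the slash."""
    tok = line.split()
    action, rest, nets = tok[2], tok[4:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}"))
            rest = rest[2:]
    return action, nets[0], nets[1]

def acl_permits(acl, src, dst):
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    for action, s, d in map(parse_ace, acl):
        if src in s and dst in d:
            return action == "permit"
    return False

def svi_for(ip):
    return next(name for name, net in SVIS.items() if ip in net)

def forwarded(src, dst, acl, applied_on, direction):
    """Is src->dst forwarded with acl on SVI applied_on, checked 'in'
    (against the ingress VLAN) or 'out' (against the egress VLAN)?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if svi_for(src) == svi_for(dst):
        return True  # bridged within one VLAN: a router ACL is never consulted
    hit = svi_for(src) if direction == "in" else svi_for(dst)
    if hit != applied_on:
        return True  # the ACL is not on this packet's path through the switch
    return acl_permits(acl, src, dst)

if __name__ == "__main__":
    for d in ("in", "out"):  # 'in' on vlan3 never matches; 'out' blocks
        print(d, forwarded("192.168.50.20", "172.16.5.10", ACL_101, "vlan3", d))
```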
New Member

I have a question related to the management VLAN: is it necessary to configure the management VLAN as the native VLAN?

VIP Green

The ASA tags VLANs individually and therefore does not use the concept of native VLANs.  Whichever VLAN you configure as the native VLAN on the switch has no effect on how the ASA acts.
