Access List help

Hi,

I have a network like this:

Internet Router----->ASA------>3750

On the 3750 I have created 5 VLANs. The ASA will be part of 1 VLAN on the 3750; the other 4 VLANs will be on the LAN.

My requirement is:

Users in all 4 VLANs on the LAN should get access based on the rules applied on the ASA and not on the 3750.

This means all the routing should happen via the ASA and not the 3750, but the VLANs should be created only on the 3750.

5 REPLIES
Re: Access List help

In order for your ASA to do the routing you'll need to create sub-interfaces off the inside interface, one for each VLAN on the switch.

Example:

    interface GigabitEthernet0/0
     no shutdown
    !
    ! Each sub-interface needs its own subnet; the ASA rejects two
    ! interfaces in the same network. Addresses are examples.
    interface GigabitEthernet0/0.10
     description Vlan 10
     vlan 10
     nameif inside10
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    !
    interface GigabitEthernet0/0.20
     description Vlan 20
     vlan 20
     nameif inside20
     security-level 100
     ip address 192.168.20.1 255.255.255.0
    !
    interface GigabitEthernet0/0.30
     vlan 30
     nameif inside30
     security-level 100
     ip address 192.168.30.1 255.255.255.0

Thanks,

Chad

Please rate if helpful.

Re: Access List help

Hi Anand,

Agree with Chad on this. You have to configure a dot1q trunk between the 3750 and the ASA. Do not create the SVIs on the 3750, and set the gateway for the hosts to the sub-interface IP of the ASA for the respective VLANs.

Please see the document below for more help.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_guide_chapter09186a0080636f42.html#wp1044006

HTH, please rate if it does.

-amit singh
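
Added example (not part of the original replies and not taken from Cisco documentation): the 3750 side of the trunk described in the two replies above, followed by an ASA rule set that filters traffic between two of the VLAN sub-interfaces. The switch port numbers, VLAN names, native VLAN 999, the 192.168.10.0/24 and 192.168.20.0/24 subnets and the server 192.168.20.5 are assumptions.

```cisco
! --- Catalyst 3750: layer 2 only, so every inter-VLAN packet crosses the ASA ---
no ip routing
!
vlan 10
 name USERS-10
vlan 20
 name USERS-20
vlan 30
 name USERS-30
vlan 999
 name UNUSED-NATIVE
!
! Trunk to ASA GigabitEthernet0/0 (switch port number is an assumption)
interface GigabitEthernet1/0/1
 description Trunk to ASA Gi0/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
! Host port in VLAN 10; the host's default gateway is the ASA inside10 address
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! No "interface Vlan10", "interface Vlan20" or "interface Vlan30" on the switch.
!
! --- ASA: policy between the VLAN sub-interfaces ---
! Interfaces at the same security level cannot exchange traffic until this is set.
same-security-traffic permit inter-interface
!
! VLAN 10 may reach one HTTPS server in VLAN 20, nothing else in VLAN 20,
! and any other destination. An applied ACL ends with an implicit deny.
access-list INSIDE10_IN extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.20.5 eq 443
access-list INSIDE10_IN extended deny ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list INSIDE10_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group INSIDE10_IN in interface inside10
```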

Re: Access List help

Hi Cblem & Amith,

Thanks for your reply, but I have PIX Version 6.3(3) running on my firewall at the other office, so how do I create a sub-interface? The interface in PIX is like this: "ip address inside 192.168.1.1 255.255.255.0"

Re: Access List help

Can I have something like this for having multiple logical interfaces?

    nameif vlan2 inside security50
    nameif vlan3 inside security50
    nameif vlan4 inside security50
    ipaddress inside 192.168.1.1 255.255.255.0
    ipaddress inside 192.168.2.1 255.255.255.0
    ipaddress inside 192.168.3.1 255.255.255.0

If not, how do I assign a single interface multiple IP addresses, one for each VLAN?

How do I connect to the switch? I mean, if I put "switchport mode trunk" on the switch side, what command do I need on the PIX "inside" interface? On a router the command is "encapsulation dot1Q 1".
