New Member

Trying to route VLAN traffic from 3560 through ASA 5520

Hey, I'm trying to route VLAN traffic from my 3560 through my 2800 router to my ASA 5520. This VLAN has an IP address different from the one on the other VLAN. I have two VLANs set up.

 

Switch

VLAN 2: 10.1.1.15 /24

VLAN 10: 172.16.10.5 /24

I can route traffic via OSPF through VLAN 2 and hit the internet, but VLAN 10 can't hit the internet.

 

ASA Config:

 

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.103 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.30 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 0
 ip address 172.16.10.10 255.255.255.0
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list inside extended permit ip any any
access-list vlan10 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu vlan10 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vlan10) 1 0.0.0.0 0.0.0.0
access-group inside in interface inside
access-group vlan10 in interface vlan10
!
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 172.16.10.0 255.255.255.0 area 0
 network 192.168.1.0 255.255.255.0 area 0
 log-adj-changes
 default-information originate always
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.31-10.1.1.99 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 172.16.10.21-172.16.10.50 vlan10
dhcpd dns 8.8.8.8 interface vlan10
dhcpd enable vlan10
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dcdbe42707254b43aa47e147b0c6598a
ciscoasa#

Switch config:

aaa new-model
!
!
!
!
!
aaa session-id common
system mtu routing 1500
vtp mode transparent
ip routing
ip domain-name 
!
!
!
!
crypto pki trustpoint TP-Self-signed
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate
 revocation-check none
 rsakeypair TP-self-signed
!
crypto pki trustpoint TP-self-signed-1338394240
 revocation-check crl
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 2
!
vlan internal allocation policy ascending
!
vlan 2,10,221
!
!
!
!
interface Loopback0
 ip address 20.20.20.20 255.255.255.0
!
interface FastEthernet0/1
 switchport access vlan 2
 ip access-group Digi in
 spanning-tree bpduguard disable
!
interface FastEthernet0/2
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/3
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/4
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/9
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/10
 switchport access vlan 7
 spanning-tree bpduguard disable
!
interface FastEthernet0/11
 switchport access vlan 7
 spanning-tree bpduguard disable
!
interface FastEthernet0/12
 switchport access vlan 7
 spanning-tree bpduguard disable
!
interface FastEthernet0/13
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/14
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/15
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/16
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/17
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/18
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/19
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/20
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/21
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/22
 switchport access vlan 2
 spanning-tree bpduguard disable
!
interface FastEthernet0/23
 switchport access vlan 2
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/24
 switchport access vlan 2
 switchport mode access
 spanning-tree bpduguard disable
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description Network Management VLAN
 ip address 10.1.1.15 255.255.255.0
!
interface Vlan7
 no ip address
!
interface Vlan10
 ip address 172.16.10.5 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 10.1.1.0 0.0.0.255 area 0
 network 172.16.10.0 0.0.255.255 area 0
 
!
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 10.1.1.20
ip http server
ip http secure-server
!
!
ip radius source-interface Vlan7
!
radius-server host 172.x.x.x auth-port 1645 acct-port 1646
radius-server key 7 142402041E102F282C796166
!
banner login ^C
######################################################################
#                               WARNING                              #
#    This network device is private property of                      #
#    Unauthorized access is strictly prohibited and                  #
#    subject to prosecution under international, state, federal      #
#    and local statutes. This device is subject to monitoring.       #
#    If you are unauthorized or do not consent to                    #
#    monitoring of usage disconnect NOW.                             #
#                                                                    #
######################################################################^C

!
end

GA-Test-Switch-3560#

Router config:

hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $
!
no network-clock-participate wic 0
no network-clock-participate wic 1
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
!
!
ip cef
!
!
no ftp-server write-enable
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username 
!
!
controller E1 0/0/0
!
controller E1 0/1/0
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.20 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 10.1.1.0 0.0.0.255 area 0
 network 172.16.10.0 0.0.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
ip ospf name-lookup
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end

Router#

Help me please. 

2 ACCEPTED SOLUTIONS
Cisco Employee

Hello Vince,

I have some experience with firewalls, so I will try to answer the query.

Here are two things I can see that could be worth checking:

1)

The WAN-side port has security-level 0, the lowest.

The Gi0/1 interface (VLAN 2 is connected and reaches the internet via this port) has security-level 100, the highest. We do not need any policy for reachability from higher to lower security zones on the ASA.

But for sub-interface Gi0/1.10 (VLAN 10 is connected and reaches the internet via this port) I can see security-level 0, the lowest.

And as far as I know, by default interfaces on the same security level cannot communicate with each other.

Anyway, if needed, the command below can achieve it:

same-security-traffic permit inter-interface

2) Another point is why on the ASA we have configured the VLAN 2 IP on the physical interface and the VLAN 10 IP on a sub-interface. I never tested such a configuration and was expecting to see another sub-interface for VLAN 2 connectivity as well.

Hope this helps.

Regards

Sunil Bhadauria

! kindly rate all helpful posts !

 

New Member

Also on the switch I don't see any ports that are set up to be trunks.

How I've done this in the past is to set up a trunk, set it with a native VLAN that isn't in use anywhere (3100), and then create sub-interfaces for any and all VLANs that need to be tagged to the ASA. This then allows you to also tag VLAN 1 traffic and keep a uniform configuration.
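The setup the two accepted answers describe, written out as an added example (this is not configuration posted in the thread): the switch end is a dot1q trunk with an unused native VLAN, and the ASA end is one sub-interface per tagged VLAN, each with its own security-level, NAT entry and access-group. The VLAN IDs, subnets and ASA 8.0(4) NAT syntax are the thread's; the switch port number, the native VLAN 3100 taken from the second answer, security-level 50 for vlan10 and the show commands listed at the end are assumptions. The first fragment is the original setting the first answer flags; the rest is the corrected form.

```text
! --- Original ASA setting flagged in the first answer: vlan10 and outside
! --- are both security-level 0, so traffic between them is dropped unless
! --- "same-security-traffic permit inter-interface" is configured.
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 0
 ip address 172.16.10.10 255.255.255.0

! ===== Corrected form (added example) =====

! 3560: one trunk port toward the ASA (Gi0/1 is an assumption).
! Native VLAN 3100 is unused, so every production VLAN leaves this port tagged.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 3100
 switchport trunk allowed vlan 2,10
 switchport mode trunk

! ASA 8.0(4): the physical port carries no IP of its own (it would only ever
! see untagged native-VLAN frames); each VLAN gets a sub-interface.
! Distinct security levels (100 > 50 > 0) let inside and vlan10 reach
! outside with no extra policy.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.2
 vlan 2
 nameif inside
 security-level 100
 ip address 10.1.1.30 255.255.255.0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 50
 ip address 172.16.10.10 255.255.255.0
!
! Only needed if two named interfaces deliberately share a security level.
same-security-traffic permit inter-interface
!
! The "permit ip any any" ACLs from the thread also let vlan10 (50) reach
! inside (100); tighten them if that is not intended.
access-list inside extended permit ip any any
access-list vlan10 extended permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vlan10) 1 0.0.0.0 0.0.0.0
access-group inside in interface inside
access-group vlan10 in interface vlan10

! Checks (expected results are assumptions for this layout)
! 3560:  show interfaces trunk     -> Gi0/1 trunking, VLANs 2,10 allowed and active
! ASA:   show interface ip brief   -> Gi0/1.2 and Gi0/1.10 up/up
!        show nameif               -> inside 100, vlan10 50, outside 0
!        show ospf neighbor        -> FULL with the 3560 on both subnets
```

If the VLAN 2 address is left on the physical ASA port instead of a sub-interface, it only works when the switch trunk's native VLAN is 2, which is exactly the mismatch the second answer avoids by picking an unused native VLAN and tagging everything.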

21 REPLIES

Hey,

How does the router know about the 172.x.x.x subnet?

Regards,

RS.
 

New Member

I would assume through OSPF, but I could be wrong. Do I need to make a sub-interface with the 172.16.x.x subnet on the router?

Indeed. Try that out and let us know the result.

HTH.

Regards,
RS.

New Member

Didn't work. I created a sub-interface on the router pointing to 172.16.10.x and still nothing. I'm doing this in a lab environment using a 4G LTE connection for internet. I can switch VLANs on the switch port that my laptop is connected to and get out to the internet. What else am I missing?

Do you have VLAN 10 passing between the switch and the router?

I hope you are connecting your machine to the switch on an access port in VLAN 10. Check with the command:

#show int trunk

and make sure that VLAN 10 is passing from the switch to the router.

Regards,

RS.

New Member

It should have VLAN 10 passing through. I set up the VLAN the same way as VLAN 2, with the exception of the sub-interface on the router. Not to mention the OSPF statements on the switch, router and ASA. On the router it sees the VLAN 10 IP via OSPF. Same for the ASA.

Still, I suggest running the '#show int trunk' command on the switch to verify, because there could be a broken broadcast domain.

Regards,

RS.

New Member

I would like to thank all of you that helped me. I finally got it working. At one point I figured that creating a sub-interface with VLAN 10 under the main interface with VLAN 2 would work just fine and pass traffic through to my ASA. Boy was I wrong. I ended up removing the sub-interface and created a new interface under G0/2 pointing to VLAN 10. I then trunked the router port over to my switch as was suggested. On my ASA I added the typical access-lists to get it through. OSPF passes traffic through just fine. Thank you all again. If anyone wants to check out my configs I'll be more than happy to share. Now I have a 7200 VXR router to play with and add to my lab network.

I do have one more question though... In my network I have a switch, ASA and router. What's the best practice to set it up? Internet-ASA-Router-Switch or Internet-Router-ASA-Switch?

Also, what if I want to add another VLAN with a different IP? How would I go about setting that up if I run out of ports on my router and ASA?

Cisco Employee

Hello Vince,

It's good to hear that the issue is resolved.

Regarding the current concern, I would recommend having the ASA interfacing with the internet. As we never know what is coming from the internet side and it may cause resource issues on devices, ASAs are built to avoid such issues.

HTH

Regards

Sunil Bhadauria

! kindly rate all helpful posts ! 

New Member

Not sure my edit came through, but

 

Also, what if I want to add another Vlan with a different IP? How would I go about setting that up if I run out of ports on my router and ASA?

Cisco Employee

Hello Vince,

In that case you may use sub-interfaces on the ASA and connect this interface to a trunk port (dot1q). The physical port on the ASA acts as a trunk port and we do not need to configure it separately.

Another solution I can think of is:

However, I have never tried it, but I think it will work: you can try connecting this ASA port to a router port which can have multiple tagged sub-interfaces (dot1q).

 

HTH 

Sunil Bhadauria

! Kindly rate all helpful posts and mark the correct answer to help the forum !

New Member

I tried that earlier and it did what I wanted, but it takes away from the ports on the router and switch. On the router I'm already using both ports to the switch. Would I create a sub-interface on the router under fa0/2? Like fa0/2.xx? I tried that as well and it didn't work. Unless I was missing something. I dunno. I also tried sub-interfaces on the ASA and trunked them to the switch, and I do get the trunking back and forth, but it didn't work.

Cisco Employee

Maybe you can provide the configurations of either side in both scenarios.

Regards

Sunil Bhadauria

New Member

Here's the config for both my router and ASA as they stand right now. If you need the switch config, let me know...

 

Router#sh config
Using 1258 out of 245752 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$AjKR$u/X0XfG77hUeiQ5XLMxQp0
!
no network-clock-participate wic 0
no network-clock-participate wic 1
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
!
!
ip cef
!
!
no ftp-server write-enable
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username 
!
!
controller E1 0/0/0
!
controller E1 0/1/0
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.20 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.10.11 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 redistribute connected
 network 10.1.1.0 0.0.0.255 area 0
 network 172.16.10.0 0.0.0.255 area 0
 network 172.16.20.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
ip ospf name-lookup
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end

Router#

 


ciscoasa# sh config
: Saved
: Written by enable_15 at 15:58:15.319 UTC Wed Oct 1 2014
!
ASA Version 8.0(4)
!
hostname ciscoasa
enable 
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.103 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.30 255.255.255.0
!
interface GigabitEthernet0/2
 nameif vlan10
 security-level 100
 ip address 172.16.10.12 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list vlan10 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu vlan10 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vlan10) 1 0.0.0.0 0.0.0.0
access-group inside in interface inside
access-group vlan10 in interface vlan10
!
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 172.16.10.0 255.255.255.0 area 0
 network 172.16.20.0 255.255.255.0 area 0
 network 192.168.1.0 255.255.255.0 area 0
 log-adj-changes
 default-information originate always
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.41-10.1.1.99 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 172.16.10.50-172.16.10.99 vlan10
dhcpd dns 8.8.8.8 interface vlan10
dhcpd enable vlan10
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cd91a5c7189be1f5227d10cf9b38de80
ciscoasa#

Cisco Employee

Hello Vince,

These seem to be the current configs. Maybe I did not make myself clear enough.

As you say that you tried both of the suggested options for the multiple-VLAN setup and they did not work for you, I asked for those configurations on both ends in both scenarios (which did not work for you).

Because at least in the case of connecting the switch (trunk) to ASA sub-interfaces it should have worked.

 

Regards

Sunil Bhadauria

New Member

I removed the config because it hadn't worked. This is what I did: I basically matched fa0/21 to fa0/22 with the exception of VLAN 20 rather than VLAN 10. I even tried using fa0/22 to trunk to the router where I had set up a sub-interface pointing to VLAN 20. With that setup I was able to ping the router using the VLAN 20 IP I had set up. I did the same thing on the ASA using a sub-interface pointing to VLAN 20. I couldn't ping the ASA with that address. I tried different scenarios, but none worked except for making fa0/21 a switchport on VLAN 20. The reason fa0/21 is on VLAN 10 is because it works to my ASA and I'm able to pull DHCP and get to the internet.

 

interface Vlan20
 ip address 172.16.20.10 255.255.255.0


interface FastEthernet0/21
 switchport access vlan 10
 switchport mode access
 spanning-tree bpduguard disable
!
interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpduguard disable

New Member

Once again I want to thank everyone for their help. After re-reading all the posts I realized what I was doing wrong. I was going at it the wrong way. I created two trunk ports on my switch and they both connect to my router and ASA. I then created two sub-interfaces on my router and ASA to coincide with the VLANs I created on my switch. I can ping all the way through with each IP assigned to interfaces and sub-interfaces. I was still racking my brain as to why I couldn't ping with the main IPs I assigned to each device. I then realized, like an idiot, I forgot to connect both devices to my switch through a regular port with access to the main VLAN on my switch. D'OH. I assigned a different VLAN to each switch port and I can plug my laptop into each one and pull DHCP and get to the internet. I'm also doing all my routing through OSPF. What a relief. Thanks again guys!

Cisco Employee

A physical and logical topology diagram would help to understand the setup.

 

Regards,

Akash

New Member

A diagram would be very helpful to get this resolved for you.
