ASA 5510 to route Vlans

chris noon · ‎08-26-2009

Hi,

I have a Cisco ASA 5510 and need to use it to route between VLANs as i don't have a router for the time being. I have been reading online and it is possible as it is a layer 3 device, although I can't seem to get it working.

I have an inside, outside and a DMZ. The DMZ is in the IP range 172.99.0.0/24 and in vlan 80 and the inside is in the IP range 10.192.3.0/24 and in vlan 10. These are the 2 vlan/ip ranges I need to communicate.

On the switch I am using the config commands:

Interface 0/48

switchport trunk allowed vlan all

switchport mode trunk

Then ports 1 to 36 are placed on vlan 10 and ports 37 to 47 are on vlan 80; all set for access mode.

On the ASA i am using the config:

Interface Ethernet 0/3

No ip address

No shutdown

Nameif VLAN_Routing

Security-level 100

Interface Etherenet 0/3.1

Ip address 172.99.0.1 255.255.255.0

Nameif DMZ_VLAN

Security-level 100

Vlan 80

no shutdown

Interface Etherenet 0/3.2

Ip address 10.192.3.2 255.255.255.0

Nameif Inside_VLAN

Security-level 100

Vlan 1

no shutdown

####

I thought the problem may be because I don't have any encapsulation on the trunking ports. The ASA command "vlan 10" apparently encapsulates in dot1q automatically, but i can't seem to find where to do this on the switch: the switch is a catalyst 2960.

Hopefully someone can help me get these 2 lans communicating.

Collin Clark · ‎08-31-2009

On the 2960 I'm pretty sure that only dot1q is supported. On the switch you can verify if the trunk is working with show interface trunk and it should show fa0/48 as a trunk. I do see an error on the ASA config. The main interface can not have a nameif.

interface Eth0/3

no nameif

You will also need same-security-traffic permit inter-interface

Hope that helps.