Can ASA 5510 do VLAN routing between multiple VLANS?
I have a customer with a 2960 48-port switch and an ASA 5510. Ideally we want the ASA 5510 to act as a L3 device in addition to firewall. I read the Cisco docs and found out 802.1q VLAN/sub-interfaces are supported, plus we know the ASA supports routing. So I assume it is possible.
Does anyone have practical experience deploying this type of setup?
It supports routing, meaning it "talks" RIP/OSPF, but it is not a router. It can do what you want, but the performance may not be what you want. Set up the physical interface as a trunk and create sub-interfaces under that. See the examples below.
description Trunk Only! DO NOT CONFIGURE!!
no ip address
description WEB DMZ
ip address 192.168.252.254 255.255.255.0 standby 192.168.252.253
description FTP DMZ
ip address 192.168.247.254 255.255.255.0 standby 192.168.247.253
description Connection to PIX
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 55,100
switchport mode trunk
Thank you for the reply.
Hmm, that means traffic from one VLAN to another must be inspected by the ASA. Is there any way to bypass the traffic inspection between VLANs? Same security level for VLANs perhaps?
That does not work for clear text traffic. As of now only for IPsec traffic. So the best solution in your case is the one given above, by configuring the sub-interface.
OK, it did not go well. Here is what I did:
On the ASA 5510 running 7.0:
no ip address
description Management VLAN
ip address 10.150.10.1 255.255.255.0
description Server VLAN
ip address 10.150.20.1 255.255.255.0
2960 switch config:
description Connection to ASA
switchport trunk allowed vlan all
switchport mode trunk
I checked that the trunking was 802.1q, since this IOS did not allow "switchport trunk encapsulation dot1q".
I can't ping between VLAN 1 and VLAN 2.
And I did use the same-security permit inter-vlan.
Anything I am missing here?
Hi. Assuming int g0/44 on your switch is connected to port Ethernet0/0 of the ASA, then the config seems OK. HOWEVER, you also need to configure NAT and access-lists in order to get traffic flowing between interfaces. Remember traffic from higher priority will flow to the lower by default, but you also need to configure nat/global pairs. Traffic from lower to higher security will not flow by default. You need to specifically allow this and use static NATs for it. Confused? A quick example:
For traffic from VLAN 1 to VLAN 2 you need:
nat (MGMT) 1 0 0
global (ftp) 1 interface
access-list Inside_Out extended permit ip any any
access-group Inside_Out in interface MGMT
For traffic from VLAN 2 to VLAN 1 you would need:
static (MGMT,ftp) x.x.x.x y.y.y.y netmask 255.255.255.255
access-list Outside_In extended permit ip any host x.x.x.x
access-group Outside_In in interface ftp
where x.x.x.x is the IP address you need to reach from VLAN 2 and y.y.y.y is the real IP address of the device located on VLAN 1.
Make sure to enable application inspection by enabling the default global-policy (disabled by default); otherwise you might find that pings might not work between interfaces:
inspect h323 ras
inspect icmp error
inspect h323 h225
I hope it helps. Please rate if it does!
Thank you. I will try the changes today and let you guys know.
I made all three interfaces the same security level 100 and used "same-security permit inter-interface". I assume with this approach I don't have to create NAT/access lists, but that did not make any difference.
To expand on Fernando's post, instead of creating NATs and globals, it might be easier to move the traffic using what I call subnet statics, such as:
static (inside,dmz) 184.108.40.206 220.127.116.11 netmask 255.255.255.0
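Putting the thread's pieces together as one added example (not config from any poster): a tagged trunk from the 2960 into sub-interfaces on the ASA, identity subnet statics in both directions in place of nat/global pairs, an explicit access-list for the lower-to-higher direction, and ICMP inspection in the default global policy. It keeps the two VLANs at different security levels instead of levelling them all to 100, so the default deny from the lower-security VLAN still applies and only the named traffic crosses. Interface names, VLAN numbers 10 and 20, the MGMT/SERVERS names, the switch port and the syslog permit are assumptions; the addressing follows the original poster's.

```cisco
! --- ASA 5510 (7.x, pre-8.3 NAT syntax) ---
! Physical port carries only tagged frames: no name, no address.
! (VLAN 1 is the 2960's untagged native VLAN; a tagged sub-interface will not see it.)
interface Ethernet0/0
 description Trunk to 2960 (assumed port g0/44)
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.10
 vlan 10
 nameif MGMT
 security-level 100
 ip address 10.150.10.1 255.255.255.0
!
interface Ethernet0/0.20
 vlan 20
 nameif SERVERS
 security-level 50
 ip address 10.150.20.1 255.255.255.0
!
! Identity (subnet) statics: satisfy nat-control without rewriting
! addresses, in both directions, so hosts stay reachable by real IP.
static (MGMT,SERVERS) 10.150.10.0 10.150.10.0 netmask 255.255.255.0
static (SERVERS,MGMT) 10.150.20.0 10.150.20.0 netmask 255.255.255.0
!
! 100 -> 50 flows by default; 50 -> 100 needs an explicit permit.
! Allow only what the servers legitimately need (syslog here, assumed).
access-list SERVERS_IN extended permit udp 10.150.20.0 255.255.255.0 10.150.10.0 255.255.255.0 eq syslog
access-list SERVERS_IN extended deny ip any any log
access-group SERVERS_IN in interface SERVERS
!
! ICMP inspection so echo replies to MGMT-initiated pings are allowed back.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! --- 2960 port facing the ASA: trunk only the VLANs the ASA routes ---
interface GigabitEthernet0/44
 description Connection to ASA Ethernet0/0
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

With `nat-control` disabled (the 7.x default for a fresh install) the two static lines are not required, but they are harmless and make the behaviour the same either way.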