jcc77 asked:
Cisco ASA 5520 traffic to subinterface not working

Hello,

We recently purchased a Cisco ASA 5520 and are having some problems with traffic to subinterfaces.  Here are the details:

There are 4 gigabit interfaces on the ASA - they are configured as follows (I used private IPs in the example, but in the actual configuration we are using live IPs):

Gigabit 0/0 - outside (192.168.1.129)
Gigabit 0/0.1 - outside2 (192.168.1.146)

Gigabit 0/1 - public (10.0.1.1/255.255.255.224)
Gigabit 0/1.1 - public2 (10.0.1.33/255.255.255.224)
Gigabit 0/1.2 - public3 (10.0.1.65/255.255.255.252)

Gigabit 0/2 - public4 (10.0.2.1)
Gigabit 0/2.1 - public5 (10.0.2.16)

Gigabit 0/3 - management

Computers connected to the outside interface can communicate with systems connected to the Gigabit 0/1 public interface but cannot connect to any other interface.  The Cisco ASA is configured in Single Context Mode and I believe the firewall has been set up correctly.  All interfaces are in the up state and I can ping the IPs from the Cisco ASA itself.  So my question is - what do I need to do to allow traffic to the subinterfaces?


Thanks
batry_boy:
Depending on the security level you've assigned to all of the interfaces, you will have to set up the appropriate ACL's and NAT to get traffic flowing between the interfaces.  Post your config so we can take a look...
jcc77 (asker):
I'll grab a copy of my config and post it.  But here's what I set as the security levels:

Gigabit 0/0 - outside (192.168.1.129)  security level 0
Gigabit 0/0.1 - outside2 (192.168.1.146)  security level 0

Gigabit 0/1 - public (10.0.1.1/255.255.255.224)  security level 50  <-- traffic to this interface works
Gigabit 0/1.1 - public2 (10.0.1.33/255.255.255.224)  security level 50
Gigabit 0/1.2 - public3 (10.0.1.65/255.255.255.252)  security level 50

Gigabit 0/2 - public4 (10.0.2.1)  security level 50
Gigabit 0/2.1 - public5 (10.0.2.16)  security level 50

Traffic works to Gigabit 0/1 only - all other interfaces do not allow traffic

That's fine.  We'll know more once the ACL's and NAT statements are posted.
jcc77 (asker):
ASA Version 7.1(2)
!
hostname asa
domain-name domain.net
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
 description Gateway to ISP
 nameif outside
 security-level 0
 ip address 192.168.1.130 255.255.255.240
!
interface GigabitEthernet0/0.20
 description Gateway to ISP
 vlan 20
 nameif outside2
 security-level 0
 ip address 192.168.1.146 255.255.255.240
!
interface GigabitEthernet0/1
 description unassigned - 29 IP available
 nameif CompanyNAME1001
 security-level 50
 ip address 10.0.1.1 255.255.255.224
!
interface GigabitEthernet0/1.2
 description CompanyNAME Network Infrastructure
 vlan 2
 nameif CompanyNAME1002
 security-level 50
 ip address 10.0.1.33 255.255.255.224
!
interface GigabitEthernet0/1.3
 description server1.domain.net
 vlan 3
 nameif CompanyNAME1003
 security-level 50
 ip address 10.0.1.65 255.255.255.252
!
interface GigabitEthernet0/1.4
 description server2.domain.net
 vlan 4
 nameif CompanyNAME1004
 security-level 50
 ip address 10.0.1.69 255.255.255.252
!
interface GigabitEthernet0/1.5
 description server3.domain.net
 vlan 5
 nameif CompanyNAME1005
 security-level 50
 ip address 10.0.1.73 255.255.255.252
!
interface GigabitEthernet0/1.6
 description server4.domain.net
 vlan 6
 nameif CompanyNAME1006
 security-level 50
 ip address 10.0.1.77 255.255.255.252
!
interface GigabitEthernet0/1.7
 description server5.domain.net
 vlan 7
 nameif CompanyNAME1007
 security-level 50
 ip address 10.0.1.81 255.255.255.252
!
interface GigabitEthernet0/1.8
 description server6.domain.net
 vlan 8
 nameif CompanyNAME1008
 security-level 50
 ip address 10.0.1.85 255.255.255.252
!
interface GigabitEthernet0/1.9
 description unassigned - 1 IP available
 vlan 9
 nameif CompanyNAME1009
 security-level 50
 ip address 10.0.1.89 255.255.255.252
!
interface GigabitEthernet0/1.10
 description unassigned - 1 IP available
 vlan 10
 nameif CompanyNAME1010
 security-level 50
 ip address 10.0.1.93 255.255.255.252
!
interface GigabitEthernet0/1.11
 description server7.domain.net
 vlan 11
 nameif CompanyNAME1011
 security-level 50
 ip address 10.0.1.97 255.255.255.252
!
interface GigabitEthernet0/1.12
 description unassigned - 1 IP available
 vlan 12
 nameif CompanyNAME1012
 security-level 50
 ip address 10.0.1.101 255.255.255.252
!
interface GigabitEthernet0/1.13
 description unassigned - 6 IP available
 vlan 13
 nameif CompanyNAME1013
 security-level 50
 ip address 10.0.1.105 255.255.255.248
!
interface GigabitEthernet0/1.14
 description unassigned - 6 IP available
 vlan 14
 nameif CompanyNAME1014
 security-level 50
 ip address 10.0.1.113 255.255.255.248
!
interface GigabitEthernet0/1.15
 description server8.domain.net
 vlan 15
 nameif CompanyNAME1015
 security-level 50
 ip address 10.0.1.121 255.255.255.248
!
interface GigabitEthernet0/1.16
 description server9.domain.net
 vlan 16
 nameif CompanyNAME1016
 security-level 50
 ip address 10.0.1.129 255.255.255.240
!
interface GigabitEthernet0/1.17
 description server10.domain.net
 vlan 17
 nameif CompanyNAME1017
 security-level 50
 ip address 10.0.1.145 255.255.255.248
!
interface GigabitEthernet0/1.18
 description server11.domain.net
 vlan 18
 nameif CompanyNAME1018
 security-level 50
 ip address 10.0.1.153 255.255.255.248
!
interface GigabitEthernet0/1.19
 description server12.domain.net
 vlan 19
 nameif CompanyNAME1019
 security-level 50
 ip address 10.0.1.177 255.255.255.240
!
interface GigabitEthernet0/2
 description CompanyNAME2
 nameif CompanyNAME2
 security-level 50
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 description Cisco ASA 5520 Management only
 nameif management
 security-level 100
 ip address 10.0.10.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.net
same-security-traffic permit inter-interface
access-list outside_access_in remark http to server1.domain.net virtual hosting
access-list outside_access_in extended permit tcp any 10.0.3.0.0 255.255.255.128 eq www
access-list outside_access_in remark http to server3.domain.net virtual hosting
access-list outside_access_in extended permit tcp any 10.0.3.0.128 255.255.255.128 eq www
access-list outside_access_in remark http to CompanyNAME2
access-list outside_access_in extended permit tcp any 10.0.2.0 255.255.255.0 eq www
access-list outside_access_in remark smtp to mail.domain.net
access-list outside_access_in extended permit tcp any host 10.0.1.34 eq smtp
access-list outside_access_in remark test
access-list outside_access_in extended permit tcp any 10.0.1.0 255.255.255.224 eq www
access-list outside_access_in remark test1
access-list outside_access_in extended permit icmp any 10.0.1.0 255.255.255.224
access-list outside_access_in remark test2
access-list outside_access_in extended permit icmp any 10.0.1.32 255.255.255.224
pager lines 24
logging enable
logging asdm informational
logging from-address systems@CompanyNAME.com
logging recipient-address somebody@CompanyNAME.com level errors
mtu outside 1500
mtu outside2 1500
mtu CompanyNAME1001 1500
mtu CompanyNAME1002 1500
mtu CompanyNAME1003 1500
mtu CompanyNAME1004 1500
mtu CompanyNAME1005 1500
mtu CompanyNAME1006 1500
mtu CompanyNAME1007 1500
mtu CompanyNAME1008 1500
mtu CompanyNAME1009 1500
mtu CompanyNAME1010 1500
mtu CompanyNAME1011 1500
mtu CompanyNAME1012 1500
mtu CompanyNAME1013 1500
mtu CompanyNAME1014 1500
mtu CompanyNAME1015 1500
mtu CompanyNAME1016 1500
mtu CompanyNAME1017 1500
mtu CompanyNAME1018 1500
mtu CompanyNAME1019 1500
mtu CompanyNAME2 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover polltime unit 4 holdtime 12
failover polltime interface 12
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.5.1 255.255.255.248 standby 192.168.5.2
monitor-interface outside
monitor-interface outside2
monitor-interface CompanyNAME1001
monitor-interface CompanyNAME1002
no monitor-interface CompanyNAME1003
no monitor-interface CompanyNAME1004
no monitor-interface CompanyNAME1005
no monitor-interface CompanyNAME1006
no monitor-interface CompanyNAME1007
no monitor-interface CompanyNAME1008
no monitor-interface CompanyNAME1009
no monitor-interface CompanyNAME1010
no monitor-interface CompanyNAME1011
no monitor-interface CompanyNAME1012
no monitor-interface CompanyNAME1013
no monitor-interface CompanyNAME1014
no monitor-interface CompanyNAME1015
no monitor-interface CompanyNAME1016
no monitor-interface CompanyNAME1017
no monitor-interface CompanyNAME1018
no monitor-interface CompanyNAME1019
monitor-interface CompanyNAMEWorks
no monitor-interface management
asdm image disk0:/asdm512-k8.bin
asdm location 10.0.1.34 255.255.255.255 CompanyNAME1002
asdm location 10.0.1.43 255.255.255.255 CompanyNAME1002
asdm location 10.0.3.0.0 255.255.255.128 CompanyNAME1003
asdm location 10.0.3.0.128 255.255.255.128 CompanyNAME1005
asdm location 10.0.1.2 255.255.255.255 CompanyNAME1001
asdm location 10.0.1.34 255.255.255.255 CompanyNAME1002
asdm history enable
arp timeout 14400
nat (management) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.129 1
route CompanyNAME1003 10.0.3.0.0 255.255.255.128 10.0.1.66 1
route CompanyNAME1005 10.0.3.0.128 255.255.255.128 10.0.1.74 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
smtp-server 10.0.1.34 10.0.2.12
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
jcc77 (asker):
We are not using NAT - we just need basic routing and firewall at the moment.

What kind of traffic flow is failing, e.g. protocols that work/don't work?  Also, please specify source and destination addresses that work/don't work.

One option that you have to troubleshoot this with is the use of a new feature in 7.2(1) and above called packet tracer.  You specify protocol, source address and port, and destination address and port, and it will tell you if the ASA is configured to allow that traffic and which ACL is permitting/denying that traffic.  Of course, you would have to upgrade to have this feature...
jcc77 (asker):
As you can see in the config, there are lots of subinterfaces for Gigabit 0/1.  I have tested ICMP (PING) and TCP (http) traffic to all of the Gigabit 0/1 - Gigabit 0/1.19 interfaces and the only one that works is Gigabit 0/1.

Traffic to the subinterfaces does not work.  I will update the ASA's to try the packet tracer feature.

Have you configured the switch port that is connected to Gigabit0/1 as a trunk port?  If so, are you allowing all of those VLAN IDs down the trunk?
jcc77 (asker):
I haven't made any changes to the switch - I wasn't aware I needed to.  Is there a website where I can read more about this?  I'll have a look through Google...
ASKER CERTIFIED SOLUTION from batry_boy (solution text only available to Experts Exchange members):
Les Moore:
Agree with the VLAN issue. What kind of switch are you connecting to?
You might also consider adding the command "no nat-control" if you don't want to nat anything.
jcc77 (asker):
During our testing stage, the ASA is connected to a Cisco 3500XL Catalyst switch (managed switch).  When we put the ASA's into production, they will be connected to Dell PowerConnect gigabit switches.  I have not made any changes to the Cisco switch and we do not currently use VLANs on our network, so I'll need to set this up before going into the production environment.

FYI - we have two Cisco ASA 5520's - the second ASA is used for failover.  Both ASA's are connected to the Cisco switch (ports 1 & 2)

That is a big problem.
>interface GigabitEthernet0/1.19
> description server12.domain.net
> vlan 19  <== this is a VLAN tag

The VLAN tags are sent to the physical interface through the 802.1q trunking mechanism. Otherwise, the ASA will have no way to identify packets for different interfaces. So, the switch absolutely must have those same VLANs defined on it, and the link between the ASA and the switch must be a dot1q trunk port. It's a piece of cake with the Cisco 3500, but I don't know how to do it with the Dell PowerConnect switches.

You still need to add the no nat-control command if you don't want anything natted.
jcc77 (asker):
I'll see if I can configure the Cisco 3500 with the same VLANs - I don't have much experience with the switches so I'll look up configuration info on Google (unfortunately we don't have the manuals for the Cisco 3500).

I think "no nat-control" is the default for an ASA.  Anyway, I didn't see it listed in your config above, so this setting should already be there (you would see "nat-control" show up in the config if it was turned on already).

The ASA only has 5 physical Ethernet interfaces to use so if you need more than that defined on the firewall, you have to use VLAN's...no way around it.  So, if you don't currently use VLAN's, then you have that many physical network segments?  If this is the case, then you have two options:

1)  Start using VLANs on your internal network and make the VLAN IDs match what you've configured on the ASA (not recommended, since this would impact your production network heavily).
2)  Scale back the number of network segments that you terminate on the ASA (meaning don't have all of those VLAN interfaces defined directly on the ASA).  This option would mean that you structure your network such that the segments you want to filter reside behind another L3 device further inward on your internal network.
jcc77 (asker):
We currently have a linux server with two interfaces:

1) interface 0 - outside
2) interface 1 - all those 19 subnets

The linux server handles all the routing and is using IPTables as the firewall.  The linux server is running on Dell hardware, and while it has served us well for over 5 years, we would like to move to dedicated hardware (Cisco ASA).  I will bring in a Dell PowerConnect switch to our development environment for testing before putting the ASA's into production.  But in the meantime, I will try to configure the Cisco 3500.

So, your Linux server is acting as a firewall AND a router.  Unfortunately, the ASA is a firewall only and not a router.  This may turn into a bigger project than you bargained for when you bought the ASA...
jcc77 (asker):
According to IBM (who we purchased the Cisco ASA's from) - the ASA can handle routing.  At least it appears to be able to handle the routing we need.

Our routing needs are pretty basic, as long as it can route traffic to the subnets it's a part of and can support a default gateway we have all our routing needs met.

If you're not currently implementing VLANs and the Linux server has all of those network segments attached to it, you either have that many NICs in it or you're using secondary addressing of some sort on the physical interface.  However, the ASA doesn't support secondary addressing, only VLANs.
jcc77 (asker):
We currently are not using VLANs but are open to that option if that's what it'll take to get this working.  I have configured the switch ports to be trunk ports (802.1Q) but I'm not sure what kind of VLAN settings I need to implement on the switch.
SOLUTION (solution text only available to Experts Exchange members)
jcc77 (asker):
Thanks guys - we ended up hiring someone to assist with the setup & launch of the ASA's.  Both of you were correct about needing VLANs and trunk ports on the switch.


The original outside interface should not have an IP address assigned.  IP addresses should only have been assigned to the subinterfaces.  When using subinterfaces you should have had the following:

Gigabit 0/0 - no ip address, description Outside Interfaces
Gigabit 0/0.1 - description Outside Interface 1, ip address 192.168.1.129
Gigabit 0/0.2 - description Outside Interface 2, ip address 192.168.1.146

Not like this:

Gigabit 0/0 - outside (192.168.1.129)
Gigabit 0/0.1 - outside2 (192.168.1.146)

Then you will still need to configure VLANs for this interface on a switched trunk port to allow the multiple interface traffic.
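Added example (my own code, not from any poster in this thread): a small lint over ASA running-config text that derives, for each physical port, the VLAN IDs the switch-side 802.1Q trunk must carry, and flags the two problems raised above: a subinterface without a vlan tag, and a physical port that carries tagged subinterfaces while still holding its own IP address. The function names are mine, and the sample config is a constructed excerpt of the one posted earlier.

```python
from collections import defaultdict

# Constructed sample, trimmed from the running-config posted earlier in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.130 255.255.255.240
interface GigabitEthernet0/0.20
 vlan 20
 ip address 192.168.1.146 255.255.255.240
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.224
interface GigabitEthernet0/1.2
 vlan 2
 ip address 10.0.1.33 255.255.255.224
interface GigabitEthernet0/1.3
 ip address 10.0.1.65 255.255.255.252
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its 'vlan' tag and 'ip address' (None if absent)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = {"vlan": None, "ip": None}
        elif current and line.startswith(" "):   # indented line belongs to the open block
            words = line.split()
            if words and words[0] == "vlan":
                interfaces[current]["vlan"] = int(words[1])
            elif words[:2] == ["ip", "address"]:
                interfaces[current]["ip"] = words[2]
    return interfaces

def check_trunks(config):
    """Return (problems, vlans the trunk facing each physical port must carry)."""
    ifaces = parse_interfaces(config)
    problems, trunk_vlans = [], defaultdict(set)
    for name, attrs in ifaces.items():
        if "." not in name:            # physical port, not a subinterface
            continue
        parent = name.split(".")[0]
        if attrs["vlan"] is None:
            problems.append(f"{name}: subinterface has no 'vlan' tag, so no tagged frame can reach it")
        else:
            trunk_vlans[parent].add(attrs["vlan"])
    for parent in trunk_vlans:         # the last reply above: leave the parent unaddressed
        if ifaces.get(parent, {}).get("ip"):
            problems.append(f"{parent}: carries tagged subinterfaces but also has an IP address")
    return problems, {p: sorted(v) for p, v in trunk_vlans.items()}
```

Run it against the full `show running-config` output; the returned VLAN list is exactly what the switch trunk toward that port has to allow.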