Asked by Alan Huseyin Kayahan (Sweden)
ASA & Catalyst 3650, trunking sub-interfaces, having ASA interfaces on 3650

Hi all
I have an ASA 5540 configured in a datacenter. It has 2 site-to-site VPN tunnels and 1 remote-access VPN tunnel configured. Both site-to-site VPN tunnels end on the outside interface.
Here is what I have to do. I am asked to establish a site-to-site VPN tunnel to X location, and all VPN clients should access that X location. I am out of interfaces, and in this case the tunnel must be established on outside again, which means I have to permit traffic on same-security interfaces (VPN clients and VPN peer, both on outside). I don't want to do that; it is totally insecure (3000+ VPN clients will be able to talk to each other, no way!). Here is what I plan, and I need m8s' help on the switching side.
I asked for a new global IP block and I have x.x.x.64/28 now. I am about to establish an L2L tunnel to x.x.x.78.
I want to create a VLAN on the Catalyst (ports 30 to 40) and have these switch ports act as additional interfaces for my ASA. I have heard about "trunking" but the picture is not clear in my mind.
I created a sub-interface on the DMZ port (a sub-interface on outside is not a Cisco-recommended action) as follows.

zeus(config-if)# int gigabitEthernet 0/2.1
zeus(config-subif)# ip add x.x.x.78 255.255.255.240
zeus(config-subif)# nameif ASASub
zeus(config-subif)# no shu
zeus(config-subif)# vlan 10
     
If the above configuration is correct on the ASA side, please explain step by step what I should do on the 3650. Which commands should I enter in the 3650 CLI (an explanation next to each command will be much appreciated), into which port should I plug the ASA, and into which port the internet (x.x.x.64/28) connection? (No VLAN is configured on the 3650.)

Regards
ASKER CERTIFIED SOLUTION
Les Moore (United States of America)
This solution is only available to members.
Alan Huseyin Kayahan (asker)
Hi Les
Thanks for contributing, m8.
So I will plug the x.x.x.64/28 uplink into port 26. Then the following questions appear.
1) Where should I connect the current DMZ cable, which comes from another router (and is currently plugged into the DMZ port of the ASA)?
2) Where should I connect the DMZ port of the ASA to?

switch(config-if)#switchport trunk allowed vlan 1,10  <== only allow VLAN 1 and VLAN 10

The above line tells me that the answer to questions 1 and 2 is "any port in VLAN 1". Am I correct? If yes, wouldn't it be more secure if we joined 2 more ports to VLAN 10 in "switchport mode access" and plugged the ASA and the DMZ connection from the router into these ports? If yes, then how on the switch side?

So once the above config is OK on the switch, I can define as many sub-interfaces (in VLAN 10) as I have x.x.x.64/28 IPs, because trunking can carry multiple VLANs; then from the switch console I will be able to ping each sub-interface, and I can create L2L VPNs or whatever I want to these interfaces, correct?

"Now you can use standard route-maps on the 3560 to route your VPN traffic flows. Just make sure that you assign a tunnel gateway as the switch L3 interface. Let the switch re-route the traffic back out through the ASA through the tunnel, to the other end"
Below is what I understood from the above.
Let's say that the ISP gave me x.x.x.y as the gateway for my x.x.x.64/28. In this case, I will add x.x.x.y to the VLAN interface as gateway, and I will add
route (sub-interface) 0 0 x.x.x.79 (switchport IP)
Correct?

Regards
Hi m8, I hope you find time sometime to get back; your time is greatly appreciated.

Thanks
Sorry, MrH, I was hoping you'd figure this one out on your own. You're a smart guy...
1) Not sure I understand this one. I didn't know you were moving your DMZ. Create any L2 VLAN on the switch, assign 2 ports to this VLAN in access mode, plug the router into one port and the ASA DMZ port into the other one. Don't create an L3 VLAN interface.

2) See #1

I probably need to see some kind of picture of what you have now and what you think you want it to look like. You can post something up at http://www.ee-stuff.com
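As a worked example of the arrangement discussed in the question and in the reply above (added here; this is not the asker's configuration and not Les Moore's answer, whose accepted text is not visible on this page), the following shows a Catalyst side that keeps both VLANs at layer 2 and an ASA side that completes the Gi0/2.1 sub-interface. The following are assumptions, not taken from the thread: the switch ports are GigabitEthernet1/0/26 for the ISP handoff (the asker's "port 26"), GigabitEthernet1/0/25 for the link to ASA Gi0/2, and GigabitEthernet1/0/30 for the DMZ router; the existing DMZ is moved into a dedicated VLAN 20 rather than left in VLAN 1; and the single cable to ASA Gi0/2 carries the DMZ untagged as the trunk's native VLAN while VLAN 10 arrives tagged for the sub-interface, which is one way to reconcile the "allow vlan 1 and 10" trunk quoted by the asker with the two-access-port DMZ advice in the reply.

```cisco
! ---------- Catalyst side (assumed port numbers; adjust to your chassis) ----------
vlan 10
 name PUBLIC-x.x.x.64-28
vlan 20
 name DMZ-L2
! Deliberately no "interface Vlan10" / "interface Vlan20": the switch stays pure L2
! for both VLANs, so the ASA is the only L3 device on either segment.
!
! ISP handoff for x.x.x.64/28: untagged access port in VLAN 10 (assumed port 26)
interface GigabitEthernet1/0/26
 description ISP uplink x.x.x.64/28
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Link to ASA Gi0/2 (assumed port 25): 802.1Q trunk. Untagged (native) frames are
! VLAN 20, so the ASA physical interface keeps its current DMZ role; frames tagged
! VLAN 10 are delivered to sub-interface Gi0/2.1. Only these two VLANs may cross.
interface GigabitEthernet1/0/25
 description Trunk to ASA Gi0/2 (DMZ native + VLAN 10 tagged)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 20
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
! "switchport trunk encapsulation dot1q" is needed on a 3560; a 3650 is dot1q-only
! and does not accept that line, so omit it there.
!
! Existing DMZ router (assumed port 30): untagged in the same L2 VLAN the ASA
! receives as its native VLAN
interface GigabitEthernet1/0/30
 description DMZ router
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable

! ---------- ASA side (completes the asker's Gi0/2.1 sub-interface) ----------
interface GigabitEthernet0/2.1
 vlan 10
 nameif ASASub
 security-level 0
 ip address x.x.x.78 255.255.255.240
 no shutdown
!
! Remote-access clients terminate on outside; the new L2L peer terminates on ASASub.
! Client-to-X traffic therefore enters on outside and leaves on ASASub, which is
! INTER-interface. If both interfaces keep security-level 0 only this line is needed:
same-security-traffic permit inter-interface
! Do NOT add "same-security-traffic permit intra-interface": that is the setting the
! asker wants to avoid, because it would let the 3000+ clients hairpin to each other
! on outside.
```

Verify the plumbing on the switch with `show vlan brief` (ports 26 and 30 should appear under VLANs 10 and 20, port 25 under neither, because it is a trunk) and `show interfaces trunk` (native VLAN 20, allowed 10,20 on Gi1/0/25); on the ASA, `show interface GigabitEthernet0/2.1` should show the VLAN 10 tag and the sub-interface up once the ISP gateway in x.x.x.64/28 answers a ping from ASASub.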

Thanks Les :). Actually I am the head of a countrywide operation and really have no time; I sleep 3-4 hours a day. I coordinate an IBM SO, but they were not able to figure that one out. I was sure that was possible by sub-interfacing, but the picture was not clear. I sent your suggestions to them, but again no success. Then I set it up by digging, with your great help, and now it is all working, but the picture is not completely clear in my mind yet. I will draw the diagram and open it in a new question, because it is a totally new question :). You cannot imagine how much I appreciate your time m8, thanks again.
Also m8, I again need your help in the question below,
https://www.experts-exchange.com/questions/22898381/PAT-to-subinterface-which-is-peer-for-site-to-site.html

Regards