ASA & Catalyst 3650, trunking sub-interfaces, having ASA interfaces on 3650

Hi all
I have an ASA 5540 configured in the datacenter. It has 2 site-to-site VPN tunnels and 1 remote access VPN tunnel configured. Both site-to-site VPN tunnels end on the outside interface.
Here is what I have to do. I am asked to establish a site-to-site VPN tunnel to X location, and all VPN clients should access that X location. I am out of interfaces, and in this case the tunnel must be established on outside again, which means I have to permit traffic on same-security interfaces (VPN clients and VPN peer, both outside). And I don't want to do that, totally insecure (3000+ VPN clients will be able to talk to each other, no way!). Here is what I plan, and I need m8s' help on the switching side.
I asked for a new global IP octet and I have x.x.x.64/28 now. I am up to establish an l2l tunnel to x.x.x.78.
I want to create a VLAN on the Catalyst (ports 30 to 40) and have these switch ports as additional interfaces for my ASA. I heard about "trunking" but the picture is not clear in my mind.
I created a sub-interface on the DMZ port (a sub-interface on outside is not a Cisco recommended action) as follows.

zeus(config-if)# int gigabitEthernet 0/2.1  <== tagged sub-interface; the physical gigabitEthernet 0/2 must itself stay "no shutdown"
zeus(config-subif)# ip add x.x.x.78 255.255.255.240
zeus(config-subif)# nameif ASASub
zeus(config-subif)# security-level 10  <== added: nameif defaults to level 0, the same as outside; a different level avoids needing same-security-traffic permit inter-interface
zeus(config-subif)# no shu
zeus(config-subif)# vlan 10  <== 802.1Q tag this sub-interface uses toward the switch
     
If the above configuration is correct on the ASA side, please explain to me what I should do in the 3650 step by step: which commands I should enter in the 3650 CLI (an explanation next to each command will be much appreciated), in which port I should plug the ASA, and in which port the internet (x.x.x.64/28) connection. (No VLAN is configured in the 3650.)

Regards
Asked by Alan Huseyin Kayahan
lrmoore commented:
Use any empty port on the 3650 switch and make it a trunk port
Create VLAN 10 on the switch

switch#config t
switch(config)#vlan 10  <== simply creates a vlan to reference
switch(config-vlan)#exit
switch(config)#interface gig 0/26  <== your uplink port #
switch(config-if)#switchport trunk encapsulation dot1q  <== 3560-class switches require this before "mode trunk" is accepted
switch(config-if)#switchport mode trunk
switch(config-if)#switchport trunk allowed vlan 1,10  <== only allow vlan 1 and vlan 10 (the keyword "allowed" is required)
switch(config-if)#exit
switch(config)#interface vlan 10  <== create a Layer 3 interface
switch(config-if)#ip address x.x.x.79 255.255.255.240  <== assign L3 IP address
switch(config-if)#exit
switch(config)#ip routing  <== lets the switch forward between its L3 interfaces
switch(config)#end
switch#wri mem

From the ASA console you should be able to ping x.x.x.79 and from the switch console you should be able to ping x.x.x.78

Now you can use standard route-maps on the 3560 to route your VPN traffic flows. Just make sure that you assign a tunnel gateway as the switch L3 interface. Let the switch re-route the traffic back out through the ASA through the tunnel, to the other end.

Switch reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swvlan.html
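As an added example (not from the thread or from Cisco), a small Python check of the pairing described in the answer above: the ASA sub-interface's VLAN must be on the trunk's allowed list and must have a matching SVI in the same /28. The config text it parses is constructed, with 198.51.100.0/28 in place of the redacted x.x.x.64/28, and it flags the "switchport trunk vlan" form, which IOS rejects in favour of "switchport trunk allowed vlan".

```python
"""Checks that an ASA VLAN sub-interface and the Catalyst trunk/SVI facing it agree.
Added example, not from the thread or Cisco; 198.51.100.0/28 stands in for x.x.x.64/28."""
import ipaddress, re
# Constructed ASA side: VLAN 10 sub-interface on the DMZ port, as in the thread.
ASA_CFG = """
interface GigabitEthernet0/2.1
 vlan 10
 nameif ASASub
 ip address 198.51.100.14 255.255.255.240
"""
# Constructed switch side, with the "allowed" keyword that IOS requires.
SWITCH_CFG = """
vlan 10
interface GigabitEthernet0/26
 switchport mode trunk
 switchport trunk allowed vlan 1,10
interface Vlan10
 ip address 198.51.100.15 255.255.255.240
"""
def parse_asa_subif(cfg):
    """Return (vlan tag, ip_interface) of the first ASA sub-interface in cfg."""
    vlan = int(re.search(r"^\s*vlan (\d+)", cfg, re.M).group(1))
    ip, mask = re.search(r"ip address (\S+) (\S+)", cfg).groups()
    return vlan, ipaddress.ip_interface(f"{ip}/{mask}")

def parse_switch(cfg):
    """Return (VLANs the trunk carries, {svi_vlan: ip_interface}, syntax errors)."""
    errors = []
    if re.search(r"switchport trunk vlan ", cfg):  # the thread's typo; IOS rejects it
        errors.append('use "switchport trunk allowed vlan", not "switchport trunk vlan"')
    allowed = set(range(1, 4095))                  # IOS default: a trunk carries all VLANs
    m = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", cfg)
    if m:
        allowed = set()
        for lo, _, hi in (p.partition("-") for p in m.group(1).split(",")):
            allowed.update(range(int(lo), int(hi or lo) + 1))
    svis = {int(v): ipaddress.ip_interface(f"{ip}/{mask}") for v, ip, mask
            in re.findall(r"interface Vlan(\d+)\n ip address (\S+) (\S+)", cfg)}
    return allowed, svis, errors

def check_pairing(asa_cfg, switch_cfg):
    """Return the list of problems; an empty list means the two sides agree."""
    vlan, asa_ip = parse_asa_subif(asa_cfg)
    allowed, svis, problems = parse_switch(switch_cfg)
    if vlan not in allowed:
        problems.append(f"trunk does not carry VLAN {vlan}")
    svi = svis.get(vlan)
    if svi is None or svi.network != asa_ip.network:
        problems.append(f"no SVI for VLAN {vlan} inside {asa_ip.network}")
    return problems
```

Run check_pairing against the real "show run" output of both boxes before bringing the tunnel up; an empty list is the expected result.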
Alan Huseyin Kayahan (author) commented:
Hi Les
Thanks for contributing m8.
So I will plug the x.x.x.64/28 uplink into port 26. Then the following questions appear.
1) Where should I connect the current DMZ cable, which comes from another router (that is currently plugged into the DMZ port of the ASA)?
2) Where should I connect the DMZ port of the ASA to?

switch(config-if)#switchport trunk allowed vlan 1,10  <== only allow vlan 1 and vlan 10

The above line tells me that the answer to questions 1 and 2 is "Any port in VLAN 1". Am I correct? If yes, wouldn't it be more secure if we joined 2 more ports to vlan 10 in "switchport mode access" and plugged the ASA and the DMZ connection from the router into these ports? If yes, then how on the switch side?

So once the above config is OK in the switch, I can define as many sub-interfaces (in vlan 10) as I have x.x.x.64/28 IPs, because trunking can carry multiple VLANs; then from the switch console I will be able to ping each sub-interface, and I can create an l2l VPN or whatever I want to these interfaces, correct?

"Now you can use standard route-maps on the 3560 to route your VPN traffic flows. Just make sure that you assign a tunnel gateway as the switch L3 interface. Let the switch re-route the traffic back out through the ASA through the tunnel, to the other end"
Below is what I understood from the above.
Let's say that the ISP gave me x.x.x.y as the gateway for my x.x.x.64/28. In this case, I will add x.x.x.y to the vlan interface as gateway, and I will add
route (sub-interface) 0 0 x.x.x.79 (switchport IP)
Correct?

Regards
Alan Huseyin Kayahan (author) commented:
Hi m8, I hope you find time sometime and get back; your time is greatly appreciated.

Thanks
lrmoore commented:
Sorry, MrH, I was hoping you'd figure this one out on your own. You're a smart guy...
1) Not sure I understand this one. I didn't know you were moving your DMZ. Create any L2 vlan on the switch, assign 2 ports to this vlan, in access mode, plug the router in one port and the ASA DMZ port into the other one. Don't create a L3 vlan interface.

2) See #1

I probably need to see some kind of picture of what you have now and what you think you want it to look like. You can post something up at http://www.ee-stuff.com

Alan Huseyin Kayahan (author) commented:
Thanks Les :). Actually I am the head of a countrywide operation and really have no time, sleeping 3-4 hours a day. I coordinate an IBM SO but they were not able to figure that one out. I was sure that was possible by sub-interfacing but the picture was not clear. I sent your suggestions to them but again no success. Then I set it up by digging with the great help of yours, and now all is working, but the picture is not completely clear in my mind yet. I will draw the diagram and will open it in a new question, because it is totally a new question :). You cannot imagine how much I appreciate your time m8, thanks again.
Also m8, I again need your help in the question below,
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_22898381.html

Regards