ASA & Catalyst 3650, trunking sub-interfaces, having ASA interfaces on 3650

Posted on 2007-09-30
Last Modified: 2008-01-09
Hi all
I have an ASA 5540 configured in the datacenter. It has 2 site-to-site VPN tunnels and 1 remote access VPN tunnel configured. Both site-to-site VPN tunnels end on the outside interface.
Here is what I have to do. I am asked to establish a site-to-site VPN tunnel to X location, and all VPN clients should access that X location. I am out of interfaces, and in this case the tunnel must be established on outside again, which means I have to permit traffic on same-security interfaces (VPN clients and VPN peer, both outside). And I don't want to do that, totally insecure (3000+ VPN clients will be able to talk to each other, no way!). Here is what I plan, and I need m8s' help on the switching side.
I asked for a new global IP octet and I have x.x.x.64/28 now. I am about to establish an l2l tunnel to x.x.x.78.
I want to create a VLAN on the Catalyst (ports 30 to 40) and have these switch ports as additional interfaces for my ASA. I heard about "trunking" but the picture is not clear in my mind.
I created a sub-interface on the DMZ port (a sub-interface on outside is not a Cisco recommended action) as follows.

zeus(config-if)# int gigabitEthernet 0/2.1
zeus(config-subif)# vlan 10  <== 802.1Q tag the sub-interface sends and receives on the parent port
zeus(config-subif)# nameif ASASub
zeus(config-subif)# security-level 0  <== explicit; the ASA otherwise defaults a new nameif to 0
zeus(config-subif)# ip address x.x.x.78 255.255.255.240  <== /28 mask; the original line had a typo (x.x.x..78) and no mask
zeus(config-subif)# no shutdown
If the above configuration is correct on the ASA side, please explain to me what I should do on the 3650 step by step. Which commands in the 3650 CLI (an explanation next to each command will be much appreciated) should I enter, in which port should I plug the ASA, and which port the internet (x.x.x.64/28) connection? (No VLAN is configured on the 3650.)

Question by: Alan Huseyin Kayahan

    Accepted Solution

    Use any empty port on the 3650 switch and make it a trunk port.
    Create VLAN 10 on the switch.

    switch#configure terminal
    switch(config)#vlan 10  <== simply creates a vlan to reference
    switch(config-vlan)#exit
    switch(config)#interface gig 0/26  <== your uplink port #
    switch(config-if)#switchport trunk encapsulation dot1q  <== the 3560 needs the tagging type set before "mode trunk" is accepted
    switch(config-if)#switchport mode trunk
    switch(config-if)#switchport trunk allowed vlan 1,10  <== only allow vlan 1 and vlan 10 (the keyword is "allowed")
    switch(config-if)#exit
    switch(config)#ip routing  <== the switch must route for the L3 interface to act as a gateway
    switch(config)#interface vlan 10  <== create a Layer 3 interface
    switch(config-if)#ip address x.x.x.79 255.255.255.240  <== assign L3 IP address with the /28 mask; note x.x.x.79 is the broadcast address of x.x.x.64/28, so IOS wants a host address such as x.x.x.77 here
    switch(config-if)#end
    switch#write memory

    From the ASA console you should be able to ping x.x.x.79, and from the switch console you should be able to ping x.x.x.78.

    Now you can use standard route-maps on the 3560 to route your VPN traffic flows. Just make sure that you assign a tunnel gateway as the switch L3 interface. Let the switch re-route the traffic back out through the ASA through the tunnel, to the other end.

    Switch reference:

    Author Comment

    by:Alan Huseyin Kayahan
    Hi Les
    Thanks for contributing m8.
    So I will plug the x.x.x.64/28 uplink into port 26. Then the following questions appear.
    1) Where should I connect the current DMZ cable, which comes from another router (that is currently plugged into the DMZ port of the ASA)?
    2) Where should I connect the DMZ port of the ASA to?

    switch(config-if)#switchport trunk allowed vlan 1,10  <== only allow vlan 1 and vlan 10

    The above line tells me that the answer to questions 1 and 2 is "any port in VLAN 1". Am I correct? If yes, wouldn't it be more secure if we joined 2 more ports to VLAN 10 in "switchport mode access" and plugged the ASA and the DMZ coming from the router into these ports? If yes, then how on the switch side?

    So once the above config is OK on the switch, I can define as many sub-interfaces (in VLAN 10) as I have x.x.x.64/28 IPs, because trunking can carry multiple VLANs; then from the switch console I will be able to ping each sub-interface, and I can create an l2l VPN or whatever I want on these interfaces, correct?

    "Now you can use standard route-maps on the 3560 to route your VPN traffic flows. Just make sure that you assign a tunnel gateway as the switch L3 interface. Let the switch re-route the traffic back out through the ASA through the tunnel, to the other end"
    Below is what I understood from the above.
    Let's say that the ISP gave me x.x.x.y as the gateway for my x.x.x.64/28. In this case, I will add x.x.x.y to the VLAN interface as gateway, and I will add
    route (sub-interface) 0 0 x.x.x.79 (switchport IP)


    Author Comment

    by:Alan Huseyin Kayahan
    Hi m8, I hope you find time sometime and get back; your time is greatly appreciated.


    Expert Comment

    Sorry, MrH, I was hoping you'd figure this one out on your own. You're a smart guy...
    1) Not sure I understand this one. I didn't know you were moving your DMZ. Create any L2 vlan on the switch, assign 2 ports to this vlan, in access mode, plug the router in one port and the ASA DMZ port into the other one. Don't create a L3 vlan interface.

    2) See #1

    I probably need to see some kind of picture of what you have now and what you think you want it to look like. You can post something up at
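The accepted solution and the follow-up above, combined into one configuration as an added example that is not part of the original thread: VLAN 10 carries the x.x.x.64/28 Internet segment (ISP hand-off, switch SVI and the ASA sub-interface), while a separate Layer-2-only VLAN 20 carries the DMZ between the router and the ASA's untagged parent port. Port numbers, VLAN 20, the ISP gateway x.x.x.y, the l2l peer address and the SVI address x.x.x.77 (x.x.x.79 is the broadcast address of x.x.x.64/28) are assumptions.

```ios
! ---- Catalyst 3560 side (added example; port numbers and VLAN 20 are assumptions) ----
ip routing                                   ! needed for the switch to forward via its SVI
!
vlan 10
 name INTERNET-64-28
vlan 20
 name DMZ                                    ! Layer 2 only: no "interface Vlan20" is created
!
interface GigabitEthernet0/26                ! cable to ASA GigabitEthernet0/2
 description ASA Gi0/2 (untagged = DMZ, tag 10 = ASASub)
 switchport trunk encapsulation dot1q        ! required on the 3560 before "mode trunk"
 switchport trunk native vlan 20             ! the ASA's untagged parent-port DMZ traffic lands here
 switchport trunk allowed vlan 10,20         ! nothing else, VLAN 1 included, crosses this link
 switchport mode trunk
 switchport nonegotiate                      ! no DTP toward the firewall
!
interface GigabitEthernet0/30                ! DMZ router, access port in the DMZ VLAN
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/31                ! ISP hand-off for x.x.x.64/28
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface Vlan10
 ip address x.x.x.77 255.255.255.240         ! switch L3 address on the /28 (.79 is the broadcast)
!
ip route 0.0.0.0 0.0.0.0 x.x.x.y             ! x.x.x.y = ISP gateway supplied with the /28 (assumed)
!
! ---- ASA side ----
interface GigabitEthernet0/2.1
 vlan 10
 nameif ASASub
 security-level 0
 ip address x.x.x.78 255.255.255.240
 no shutdown
!
! Route only the remote l2l peer via the switch SVI; the existing default route stays on outside,
! and the ASA rejects a second default route on a different interface.
route ASASub PEER.IP.ADDR.PLACEHOLDER 255.255.255.255 x.x.x.77
```

With this layout the DMZ VLAN has no SVI, so the switch cannot route between the DMZ and the Internet segment; that separation is what the "any L2 vlan, access mode, no L3 interface" advice buys.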


    Author Comment

    by:Alan Huseyin Kayahan
    Thanks Les :). Actually I am the head of a countrywide operation and really have no time, sleeping 3-4 hours a day. I coordinate an IBM SO but they were not able to figure that one out. I was sure that was possible by sub-interfacing, but the picture was not clear. I sent your suggestions to them but again no success. Then I set it up by digging, with the great help of yours; now all is working, but the picture is not completely clear in my mind yet. I will draw the diagram and will open it in a new question, because it is totally a new question :). You cannot imagine how much I appreciate your time m8, thanks again.
    Also m8, I again need your help in the question below,

