ASA & Catalyst 3650, trunking sub-interfaces, having ASA interfaces on 3650
Posted on 2007-09-30
I have an ASA 5540 configured in the datacenter. It has 2 site-to-site VPN tunnels and 1 remote access VPN tunnel configured. Both site-to-site VPN tunnels end on the outside interface.
Here is what I have to do. I am asked to establish a site-to-site VPN tunnel to X location, and all VPN clients should access that X location. I am out of interfaces, and in this case the tunnel must be established on outside again, which means I have to permit traffic on same-security interfaces (VPN clients and VPN peer, both outside). And I don't want to do that, totally insecure (3000+ VPN clients will be able to talk to each other, no way!). Here is what I plan, and I need m8s' help on the switching side.
I asked for a new global IP octet and I have x.x.x.64/28 now. I am about to establish an l2l tunnel to x.x.x.78.
I want to create a VLAN on Catalyst (ports 30 to 40) and have these switch ports as additional interfaces for my ASA. I heard about "trunking" but the picture is not clear in my mind.
I created a sub-interface on the DMZ port (a sub-interface on outside is not a Cisco recommended action) as follows.
zeus(config-if)# int gigabitEthernet 0/2.1
zeus(config-subif)# ip add x.x.x.78 255.255.255.240
zeus(config-subif)# nameif ASASub
zeus(config-subif)# no shu
zeus(config-subif)# vlan 10
If the above configuration is correct on the ASA side, please explain to me what I should do on the 3650 step by step. Which commands in the 3650 CLI (an explanation next to each command will be much appreciated) should I enter, in which port should I plug the ASA, and which port should take the internet (x.x.x.64/28) connection? (no VLAN is configured on the 3650)
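An added example of the Catalyst side that matches the ASA sub-interface above (this is not configuration from the original post). It assumes the ASA's Gi0/2 is cabled to switch port Gi0/1, the x.x.x.64/28 internet handoff goes into one of ports 30-40, VLAN 10 is otherwise unused, the existing untagged DMZ traffic stays in VLAN 1, and that this switch model needs the explicit dot1q encapsulation command; all port names are assumptions.

```cisco
! Define the VLAN that carries the ASA sub-interface (ASA tags it with "vlan 10")
vlan 10
 name ASASub
!
! Port facing the ASA's physical Gi0/2: a trunk.
! Untagged frames = the existing DMZ (native VLAN 1), tagged 10 = the ASASub sub-interface.
interface GigabitEthernet0/1
 description Trunk to ASA Gi0/2 (native=DMZ, tag 10=ASASub)
 switchport trunk encapsulation dot1q     ! assumed to be required on this platform
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10       ! prune everything else off the trunk
 switchport nonegotiate                   ! no DTP toward the firewall
!
! Ports 30-40: the new segment. The internet handoff for x.x.x.64/28 plugs in here,
! plus anything else that must sit behind the ASASub interface.
interface range FastEthernet0/30 - 40
 description ASASub segment (x.x.x.64/28 handoff)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable           ! shut the port if a switch is plugged in
!
! Do NOT create "interface Vlan10" with an IP address: the switch must not route
! between VLAN 10 and the DMZ, so that the only path between them is through the ASA.
!
! Checks after cabling:
!   show interfaces GigabitEthernet0/1 trunk   -> Gi0/1 trunking, allowed 1,10, native 1
!   show vlan brief                            -> VLAN 10 active with Fa0/30-40
!   (on the ASA) show interface GigabitEthernet0/2.1   -> line protocol up on VLAN 10
```

The ASA keeps sending the DMZ traffic of the parent Gi0/2 untagged and the new sub-interface tagged with VLAN 10, so the native VLAN on the trunk must stay the one the DMZ already uses.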