chuku asked:

ASA5505 VLANs to LAN configuration

I have 3 internal subnets: 192.168.200.0/24, 192.168.201.0/24, 192.168.202.0/24.
My current network config:
outside<->Firewall<->Inside(200.x IP)<->L3 switch<->LAN
L3 Cisco switch configured with the following VLANs: 200, 201, 202 (and an additional management VLAN).

I want to replace the firewall with a new ASA5505.
I've configured a trunk on E0/1:
********************************
interface Ethernet0/1
 description TRUNK to LAN
 switchport mode trunk
********************************


and created 3 vlans:
******************************************
interface Vlan200
 description LAN@200
 nameif inside200
 security-level 100
 ip address 192.168.200.222 255.255.255.0
!
interface Vlan201
 description LAN@201
 nameif inside201
 security-level 100
 ip address 192.168.201.222 255.255.255.0
!
interface Vlan202
 description LAN@202
 nameif inside202
 security-level 100
 ip address 192.168.202.222 255.255.255.0
******************************************

Once I connect E0/1 to a trunk port on my L3 switch, would each of my internal subnets be able to access the firewall?
Is there a better recommended configuration?

I have a duplicate backup L3 switch; is it possible to configure a second ASA 5505 port as a failover trunk and connect it to the secondary L3?
Tags: Routers, Cisco, Hardware Firewalls

Jan Bacher

This page describes how to configure vlans with the same security level to see each other and failover:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html#wp1039276

All three VLANs can go out the public interface as long as you remember to allow those nets to do NAT (and do no NAT when "talking" to each other):

access-list NONAT extended permit ip 192.168.200.0 255.255.252.0 192.168.200.0 255.255.252.0

nat (inside200) 0 access-list NONAT
nat (inside201) 0 access-list NONAT
nat (inside202) 0 access-list NONAT
nat (inside200) 1 192.168.200.0 255.255.255.0
nat (inside201) 1 192.168.201.0 255.255.255.0
nat (inside202) 1 192.168.202.0 255.255.255.0
! nat id 1 needs a matching global pool on the public interface (assumes nameif "outside")
global (outside) 1 interface
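Added example, not from the thread or from Cisco: a small Python model of how the ASA 8.x "nat 0 access-list" exemption classifies a flow before the numbered "nat (ifc) 1" rules are consulted, so the NONAT line and the three per-interface NAT lines above can be checked against sample traffic. The flows, the 192.168.203.x host and the 203.0.113.x public address are constructed; the interface names are the ones from the question.

```python
# Added example (not from the original post): first-match evaluation of a
# NAT-exemption ACL followed by the per-interface "nat (ifc) 1" lookup.
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple


class Ace(NamedTuple):
    action: str   # "permit" = exempt from NAT, "deny" = explicitly not exempt
    src: object   # IPv4Network
    dst: object   # IPv4Network


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny ip SRC MASK DST MASK'."""
    f = line.split()
    if len(f) != 9 or f[0] != "access-list" or f[2] != "extended" or f[4] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    return Ace(f[3], ip_network(f"{f[5]}/{f[6]}"), ip_network(f"{f[7]}/{f[8]}"))


# The 'nat (ifc) 1 NET MASK' lines: inside nets eligible for dynamic NAT/PAT.
NAT_ID_1 = {
    "inside200": ip_network("192.168.200.0/24"),
    "inside201": ip_network("192.168.201.0/24"),
    "inside202": ip_network("192.168.202.0/24"),
}


def nat_decision(nonat: List[Ace], ifc: str, src: str, dst: str) -> str:
    """Classify a flow entering 'ifc' as 'exempt', 'dynamic' or 'no-rule'."""
    s, d = ip_address(src), ip_address(dst)
    # The nat 0 ACL is evaluated first; the first matching ACE decides.
    for ace in nonat:
        if s in ace.src and d in ace.dst:
            if ace.action == "permit":
                return "exempt"            # passes untranslated
            break                          # deny ACE: fall through to nat 1
    if ifc in NAT_ID_1 and s in NAT_ID_1[ifc]:
        return "dynamic"                   # translated via the id-1 global pool
    return "no-rule"                       # dropped when nat-control is enabled


# The exemption line from the answer: a /22 that covers 200 through 203.
NONAT = [parse_ace("access-list NONAT extended permit ip "
                   "192.168.200.0 255.255.252.0 192.168.200.0 255.255.252.0")]
```

Note that the /22 also exempts traffic to a constructed 192.168.203.x host, which is not one of the three subnets; a deny ACE in the same position would send inter-VLAN traffic through the dynamic rule instead.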
clokendagger

The ASA 5505 only supports 3 VLANs in the base license version (inside, outside, and restricted DMZ). You will need to ensure that you get the Security Plus version to be able to configure trunking.

Is there a particular reason that you want the ASA to trunk rather than just using the layer 3 switches to do the routing?
chuku (asker)

Thank you both.
The NAT explanation is clear, and I do have the Plus license.
clokendagger - maybe I wasn't clear enough or missed something in my question:
I prefer having my L3 switch doing the routing (isn't that why I paid Cisco all these big bucks?).
The thing is that I'm not sure how the L3 switch and ASA should be connected. The reason I was thinking trunk is that all data from all VLANs can go via the trunk.
What you're saying (and just correct me if I misunderstood again) is that the ASA should use one real LAN IP (such as 192.168.200.222) on the inside interface, and that would become the default route on the L3.
Jan Bacher

Yes, the only reason that I would terminate the VLANs on the ASA would be if each VLAN had a different security level and I wanted to restrict access between VLANs.  If all VLANs can communicate with each other, then put them behind one interface.
chuku (asker)

And configure it with a real IP as in my example?
Jan Bacher

You can although I prefer layer 3.

Use 192.168.255.0 for the network connecting the ASA to the switch and route all three networks to the switch on the ASA.

Be sure to include all three (200, 201, 202) in your NAT rules and exclude the 255 net.
chuku (asker)

I lost you...
How would the switch and ASA "talk" if the connecting port is neither a trunk nor a real LAN address?
Did you mean creating a 255 VLAN on the ASA, assigning it to the port connected to the switch, and then NATing 200/201/202 on that port? If so, what would you expect to see on the switch side (trunked port or IP address)?
ASKER CERTIFIED SOLUTION
Jan Bacher
chuku (asker)

Thank you so much.
I'll delete the current vlans, create this new config and hook it up to my network.
chuku (asker)

Thinking of it, I have one more question:
Why do I need VLAN 255? Can't I just use IPs and routing:
ASA port    => 192.168.255.1 255.255.255.252
Switch port => 192.168.255.2 255.255.255.252
The static routes are there anyway on both ends.
What is the added value of VLAN 255?
Jan Bacher

Later releases of the ASA software required that the IP address be attached to a vlan and the interface be specified as to which vlan # it belonged.

With what you are trying to accomplish, I don't believe that you need to vlan the port on the switch.