Router on a Stick - Cisco ASA 5510 Security Plus with VLAN Trunk

Posted on 2009-04-14
Medium Priority
Last Modified: 2012-05-06
Curious on some resources and direction on setting up a Cisco ASA5510 to route and provide firewall protection for a trunk of 12 VLAN's. We will have 11 remote offices and small branches connected to the corporate office via direct fiber and line-of-site wireless, and all will be dropped into the corporate office on (1) physical trunk. I would like to plug this in directly to the ASA5510, versus using L3 switches, and would like some resources on setting the routing up correctly.

Question by:Tercestisi
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 43

Accepted Solution

JFrederick29 earned 2000 total points
ID: 24141311
Trunk to the ASA and create a subinterface for each VLAN.  Routing will be local between subinterfaces unless each remote office will have a router.  If so, you'll need to add routes to the subnets beyond the remote office router on the ASA.  The remote office clients (if directly connected) will use the appropriate subinterface IP address as their default gateway or if using a router, put a default route on the router pointing to the ASA subinterface.  You'll probably want to set each subinterface to the same security level and enable "same-security-traffic permit inter-interface" so all VLAN's can communicate.  You can restrict access if desired using access-lists on the subinterfaces.  Setup outbound NAT for the remote networks when destined to the Internet and that should be it.

Author Comment

ID: 24141458
Great, you confirmed what I was thinking other than the same security levels. Many of the VLAN's should not talk to eachother, save for a specific IP address on only (1) other VLAN. Is it best to still keep the security levels the same or to configure them to be different in this scenario?
LVL 43

Expert Comment

ID: 24141536
I would keep them the same.  You can still use access-lists on every subinterface to control access between VLAN's but you don't have to worry about higher/lower security levels.  It simplifies the configuration.

Author Comment

ID: 24141573
Sounds good; thanks!
LVL 43

Expert Comment

ID: 24141581
No problem, glad to assist.

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question