Cisco ASA 5510/3750G Multiple VLAN setup

Asked by techniasupport (Sweden)

Hi,

I need help setting up Cisco 3750G switches with an ASA 5510. I have two ASA 5510s in Active/Standby mode. They are configured and working well with the following configuration: the first interface is connected to the internet (outside) with a public IP, the second interface is connected to the DMZ network, the third interface is connected to the inside network, and the fourth interface is connected to a distribution switch (Layer 2 switch) for the different VLANs.

Now we want all routing between the VLANs and the inside network to go through the Cisco 3750G switch, and routing to the DMZ to go through the ASA. I have created all VLANs on the Cisco 3750G switch.

Now my question is: what ip route can I use on the 3750 switch to communicate with the DMZ network and the internet? I am using a trunk port between the ASA and the 3750 switch, and the trunk port has no IP that I can use to route the traffic.

Now I want to set it up like this: ASA first interface connected to outside for internet, second interface connected to the DMZ, third interface nothing, fourth interface connected to the 3750 as a trunk port.
Do I need to make the fourth interface a trunk, or is there some other method?

Thanks in advance
terrygreensill (United Kingdom) replied:

You just need to give the ASA an IP address on each VLAN interface, then use this IP to send your traffic to.
techniasupport (asker) replied:

Hi Terrygreensill,

Thanks for the quick reply. This means I need to use a static route on the 3750G for each VLAN to browse the internet and communicate with the DMZ network on the ASA. If possible, can you explain with an example?
Do I also need to use a static route on the ASA for communication between the DMZ and the other VLANs on the 3750G?

Thanks in advance
terrygreensill replied:

If you want the switch to route the traffic then give the VLAN on the switch an IP address, which will then be the DG for nodes on that VLAN.

If you want the ASA to route the traffic and firewall off the VLAN then add an interface for that VLAN on the interface that is the trunk. This will then be your nodes' DG on that VLAN.

You will need to add routes on your ASA and switch where appropriate.

If you could post more info on IPs and VLANs then I can post some examples that would be relevant.
techniasupport (asker) replied:

I want the switch to route the traffic between the VLANs below.
I have created the four VLANs on the switch:
inside vlan110 with IP 172.16.5.3/25 (switch port 1/0/5)
server vlan120 with IP 192.168.x.3/24 (switch port 1/0/6)
training vlan130 with IP 172.16.4.3/24 (switch port 1/0/7)
visitor vlan140 with IP 172.16.3.3/24 (switch port 1/0/8)

Switch ports 1/0/1 and 1/0/2 are trunks to the active and standby ASA.
We have DHCP and DNS servers on server vlan120.

On the ASA I have the DMZ in the native VLAN with IP 172.16.0.1/24. I want the ASA to route the traffic between the DMZ and the VLANs on the switch. The ASA also NATs the traffic for internet access of some servers in server vlan120 on the switch. The ASA also provides internet to all VLANs on the switch.

I have also created all VLANs on the ASA. I don't know whether this is correct or not.

Active ASA
inside vlan110 with IP 172.16.5.1/25 (switch port 1/0/5)
server vlan120 with IP 192.168.x.1/24 (switch port 1/0/6)
training vlan130 with IP 172.16.4.1/24 (switch port 1/0/7)
visitor vlan140 with IP 172.16.3.1/24 (switch port 1/0/8)

Standby ASA
inside vlan110 with IP 172.16.5.2/25 (switch port 1/0/5)
server vlan120 with IP 192.168.x.2/24 (switch port 1/0/6)
training vlan130 with IP 172.16.4.2/24 (switch port 1/0/7)
visitor vlan140 with IP 172.16.3.2/24 (switch port 1/0/8)

Please guide me, is this setup correct?
ASKER CERTIFIED SOLUTION by terrygreensill (United Kingdom) (answer text not shown; members-only)
SOLUTION (answer text not shown; members-only)
techniasupport (asker) replied:

Routing is already enabled on the switch. I will test the other settings today.
One more question about the DHCP server:
Do I need to add the ip helper-address 192.168.x.x command on each VLAN to get IPs from the DHCP server, or only on server vlan120?

SOLUTION (answer text not shown; members-only)
techniasupport (asker) replied:

Routing works between all VLANs through the switch and between the DMZ and all VLANs through the ASA.

Internet is working on the inside VLAN but not on the other VLANs like server, training and visitor.
Please guide me, what configuration am I missing?
terrygreensill replied:

Please check your Dynamic NAT rules and your NAT Exempt rules on the ASA.

Also check that your firewall rules/access lists allow the traffic.

techniasupport (asker) replied:

For server vlan120
dynamic NAT is
source 192.168.x.0/24 interface outside address outside interface public address
exempt rules
source 192.168.x.0/24 destination 172.16.0.0/16 interface outbound
source 192.168.x.0/24 destination 192.168.0.0/16 interface outbound

The access list is not blocking anything at the moment (checked through real-time logs, log level debug).
terrygreensill replied:

Could you send the routing table on both the ASA and the switch? Also, what is the default GW set on the nodes?

techniasupport (asker) replied:

switch3750#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.5.1 to network 0.0.0.0


C       172.16.5.0/24 is directly connected, Vlan110
C       172.16.4.0/21 is directly connected, Vlan130
C       172.16.3.0/24 is directly connected, Vlan140
C    192.168.5.0/24 is directly connected, Vlan120
S*   0.0.0.0/0 [1/0] via 172.16.5.1


ASA

# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is x.x.x.x to network 0.0.0.0 (x.x.x.x replaces the public IP address)

C    172.16.5.0 255.255.255.0 is directly connected, inside
C    172.16.0.0 255.255.255.0 is directly connected, dmz
S    192.168.5.0 255.255.255.0 [1/0] via 172.16.5.3, inside
C    x.x.x.x 255.255.255.x is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside
S    172.16.0.0 255.255.0.0 [1/0] via fw-se-sto.technia.com, outside
S    192.168.0.0 255.255.255.0 [1/0] via fw-se-sto.technia.com, outside

I set the following GW on the nodes:
inside VLAN nodes 172.16.5.3
server VLAN nodes 192.168.5.3
DMZ network nodes 172.16.0.1
training nodes 172.16.4.3
visitor nodes 172.16.3.3

techniasupport (asker) replied:

Now internet is also working. I had configured the Dynamic NAT and NAT Exempt rules on the wrong interface; now I have configured them on the inside interface for the other VLANs as well. The only thing remaining is DHCP server testing, which I will do on the live network because I don't have a DHCP server in the test environment.

Thanks for the help

terrygreensill replied:

Happy to help, good luck when going live.
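The design the thread settles on (the 3750G routes between its VLANs, the ASA handles DMZ and internet), written out as an added editor's example rather than configuration posted by either participant. It assumes 192.168.5.0/24 for the server VLAN, a hypothetical DHCP server at 192.168.5.10, /24 on every SVI as the asker described (the posted switch table shows Vlan130 as /21, which would overlap the other 172.16 subnets), and gives the ASA a static route for each switch subnet, since the posted ASA table has only 192.168.5.0/24 pointing back via 172.16.5.3 while 172.16.0.0/16 points out the outside interface.

```cisco
! --- Cisco 3750G: routes between the four VLANs (VLANs 110-140 already created) ---
ip routing
!
! Uplink to the ASA pair. Assumes the ASA inside interface is the dot1q
! subinterface for VLAN 110; no other VLAN needs to reach the ASA at layer 2
interface range GigabitEthernet1/0/1 - 2
 description Trunk to ASA active/standby
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 110
 switchport mode trunk
!
interface Vlan110
 description inside / transit to ASA
 ip address 172.16.5.3 255.255.255.0
!
interface Vlan120
 description server (DHCP and DNS live here, so no helper needed)
 ip address 192.168.5.3 255.255.255.0
!
! 192.168.5.10 is a hypothetical DHCP server address on the server VLAN
interface Vlan130
 description training
 ip address 172.16.4.3 255.255.255.0
 ip helper-address 192.168.5.10
!
interface Vlan140
 description visitor
 ip address 172.16.3.3 255.255.255.0
 ip helper-address 192.168.5.10
!
! Anything not local (DMZ 172.16.0.0/24 and the internet) goes to the ASA inside IP
ip route 0.0.0.0 0.0.0.0 172.16.5.1
!
! --- ASA 5510 active unit (pre-8.3 syntax; the standby receives it via config sync) ---
! Return routes for every subnet behind the switch. These /24s win over the
! 172.16.0.0/16 route via outside shown in the posted table
route inside 192.168.5.0 255.255.255.0 172.16.5.3 1
route inside 172.16.4.0 255.255.255.0 172.16.5.3 1
route inside 172.16.3.0 255.255.255.0 172.16.5.3 1
!
! Dynamic PAT to the outside address must be bound to the interface the
! traffic enters (inside), which was the fix reported in the thread
global (outside) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0
nat (inside) 1 172.16.4.0 255.255.255.0
nat (inside) 1 172.16.3.0 255.255.255.0
```

Check the result with `show ip route` on the switch and `show route` on the ASA: each switch subnet should appear on the ASA as a static via 172.16.5.3 on inside, not as part of the /16 via outside.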
techniasupport (asker) replied:

Hi Terrygreensill,

I am facing one problem after going live. When I applied access lists on the switch interfaces, traffic from outside to the servers was blocked. We have some servers on the server VLAN that are NATed in the firewall to be accessed from outside.
Without applying the access list on the server VLAN they are accessible. The HTTPS port is opened in the server VLAN access list.
I opened the HTTPS port from any to any but it still does not work. Please can you guide me.

terrygreensill replied:

Not sure why you are applying access lists on the switch??

This was not in your test design?

Or am I misreading? Please post the access list you are applying and to which device/interface.
techniasupport (asker) replied:

I am applying the ACL to the 3750 VLAN interfaces. All other communication is working fine after applying the ACL; only access to the NATed server is blocked. I can even ping the public IP without any problem. The ASA configuration is working fine. The problem is with the 3750 ACL.

I am applying the access list on the switch to secure the communication between VLANs.

I figured out the problem. I was trying an access list like this:
ip access-list extended tcp any any eq 443

Now I changed the access list like this and it works:
ip access-list extended tcp any eq 443 any

Thanks
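The fix above, written out as a named extended ACL for the server VLAN SVI (an editor's example, not the asker's configuration; the ACL name and the deny targets are assumptions). Applied inbound on interface Vlan120 the list sees packets leaving the servers, so replies to the NATed web servers' outside clients carry source port 443, which is why `any any eq 443` never matched them; the example generalizes the `any eq 443 any` rule to all replies and adds `established`, because a bare source-port match also lets any server-VLAN host reach anything by sending from port 443, whereas `established` only passes segments with ACK or RST set.

```cisco
! Applied to the server VLAN SVI on the 3750; "in" = traffic from the servers
! into the switch. Name and the deny targets are hypothetical.
ip access-list extended SERVER-VLAN-IN
 remark Replies to connections opened toward the servers (outside clients,
 remark the user VLANs, the DMZ): ACK/RST set, never a new SYN from a server
 permit tcp any any established
 remark DNS and DHCP answers from the servers on this VLAN
 permit udp any eq 53 any
 permit udp any eq bootps any eq bootpc
 permit udp any eq bootps any eq bootps
 remark Servers must not open sessions into the user VLANs
 deny   ip any 172.16.3.0 0.0.0.255 log
 deny   ip any 172.16.4.0 0.0.0.255 log
 deny   ip any 172.16.5.0 0.0.0.255 log
 remark Everything else (internet, DMZ) is routed to the ASA and filtered there
 permit ip any any
!
interface Vlan120
 ip access-group SERVER-VLAN-IN in
!
! Confirm the web server replies hit the established line, not a deny:
!   show ip access-lists SERVER-VLAN-IN
```

On the 3750 the `log` keyword punts matching packets to the CPU, so keep it only while validating the list and then remove it from the deny lines.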
terrygreensill replied:

OK, but if you want to protect/firewall off traffic between the VLANs I would have used the ASA, so all your access lists are on the ASA and you are not asking the switch to do firewall stuff.

techniasupport (asker) replied:

Traffic between VLANs is routed through the switch, so how would the ASA manage the protection between them? No traffic goes to the ASA when communicating between VLANs. I use ASA access lists to protect traffic between the internet/DMZ and the VLANs.

terrygreensill replied:

To enable the firewall to firewall traffic between the VLANs you would have to alter the way you have set up the network.

I.e. put the IP address on the ASA and use this as the default gateway for your clients, and don't put an IP address on the switch for the VLAN. Obviously you will need to adjust your routing as well.

Regards,

techniasupport (asker) replied:

Then all traffic would be routed through the ASA, and that we don't want. We only send internet/DMZ traffic to the ASA. This is due to the performance of the ASA; previously the ASA handled all traffic.