

3343 Views 12 Replies Latest reply: May 16, 2012 7:29 AM by Irfan Sri


How to route 2 subnet with ASA?

May 8, 2012 2:53 PM

Irfan Sri 100 posts since
Feb 28, 2012

Hi Guys,

 

We have a new site with an ASA firewall and a Layer 2 switch. On the Layer 2 switch all ports are on the default VLAN (VLAN 1), no other VLANs are configured, and the VLAN 1 IP address is in 10.55.55.x. The L2 switch is connected to the inside interface of the ASA firewall. We need to configure two subnets at the new site, e.g. 10.55.55.0 and 10.55.250.0.

How can I configure the switch and firewall so that each subnet can talk to the other?

The new site is connected to the main site via an IPsec VPN tunnel between the ASAs on both sides; we can ping devices on the 10.55.55.0 network from the main office.

The L2 switch is connected to the inside interface of the ASA, and both subnets will be on the inside interface of the ASA. Do I need to configure "same-security-traffic permit inter-interface" on the firewall to pass same-subnet traffic on the same interface?

 

Regards

 

Irfan

  • Steven Williams 3,266 posts since
    Jan 26, 2009
    1. May 8, 2012 5:42 PM (in response to Irfan Sri)
    Re: How to route 2 subnet with ASA?

    Maybe a quick drawing of the network would help. From what I gather, the new site will need to have both subnets? Then you will need two VLANs on the Layer 2 switch, a trunk to the ASA (if you have a 5510 or higher, or an ASA 5505 with the Security Plus license), and the ASA basically becomes the default gateway for those VLANs.

     

    "same-security-traffic permit inter-interface" - By default the ASA allows higher security-level interfaces to forward traffic to lower security-level interfaces, so I believe this option allows two interfaces with the same security level to communicate without the need for ACLs to allow traffic to pass between them.

  • Sey 1,388 posts since
    May 4, 2010
    3. May 9, 2012 8:41 AM (in response to Irfan Sri)
    Re: How to route 2 subnet with ASA?

    Your ASA config will look similar to this:

     

    ! physical interface carries the dot1q trunk only; it gets no name or address itself
    interface GigabitEthernet0/0
      no nameif
      no security-level
      no ip address
    ! one subinterface per VLAN; the ASA is the default gateway of each subnet
    interface GigabitEthernet0/0.10
      vlan 100
      nameif VLAN100
      security-level 100
      ip address 10.55.55.1 255.255.255.0
    interface GigabitEthernet0/0.20
      vlan 200
      nameif VLAN200
      security-level 100
      ip address 10.55.250.1 255.255.255.0
    ! both subinterfaces are security-level 100, so traffic between them is only
    ! forwarded with inter-interface permitted (intra-interface is for hairpinning)
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

     

    Depending on the NAT configuration and version of ASA software, you may also need to prevent NAT of inter-VLAN traffic:

     

    ! pre-8.3 syntax: identity static NAT between the two VLAN interfaces
    static (VLAN100,VLAN200) 10.55.55.0 10.55.55.0 netmask 255.255.255.0
    static (VLAN200,VLAN100) 10.55.250.0 10.55.250.0 netmask 255.255.255.0

  • Sey 1,388 posts since
    May 4, 2010
    5. May 9, 2012 11:18 AM (in response to Irfan Sri)
    Re: How to route 2 subnet with ASA?

    So if I remove the nameif command and the IP of the inside interface, I will lose the telnet connection, right?

    That depends on the interface you telnetted to. Yes, it's safer to telnet (by the way, why telnet and not SSH?) to the outside interface when reconfiguring the inside interface.

  • Sey 1,388 posts since
    May 4, 2010
    7. May 11, 2012 6:47 AM (in response to Irfan Sri)
    Re: How to route 2 subnet with ASA?

    As the network 10.55.55.0/24 belongs to VLAN 55, the management address of the L2 switch should be configured under SVI 55:

     

    interface Vlan1
      no ip address
    interface Vlan55
      ip address 10.55.55.xx 255.255.255.0
    end

  • Sey 1,388 posts since
    May 4, 2010
    9. May 12, 2012 12:11 AM (in response to Irfan Sri)
    Re: How to route 2 subnet with ASA?
    Can I configure VLAN 1 on the ASA? Then there is no need to configure VLAN 55 on the L2 switch, right?

    You can do that if you want to. But do you really want that? Best practice states that we should not use VLAN 1 at all. I have a counter-question: do you need both subnets for users? If so, you can create an additional management VLAN and a corresponding subnet, not necessarily VLAN 1!

     

    For example, let it be VLAN 99 and network 10.55.99.0/24. You create another subinterface on the ASA, then SVI 99 on the switch, and don't forget to change the ip default-gateway on the switch to the IP address of the ASA, i.e. 10.55.99.x.

    Do I need to segment switch ports for each VLAN? I mean, whoever needs subnet 55 has their switch ports moved to VLAN 1 (or VLAN 55), and whoever needs subnet 250 has their switch ports moved to VLAN 250.

    That's right.

    I'm configuring the L2 switch using telnet, so if I use no ip address for VLAN 1, then my telnet connection to the switch will disconnect. I'm at risk configuring the switch because there is nobody to configure or power-reset the switch at the location.

    Can your L2 switch support more than one SVI in the up state? I mean, if you create a new SVI and assign an IP address to it, will SVI 1 shut down automatically? If it does not, no disconnects will occur until you change the ip default-gateway. After that, you'll be able to telnet to the new management address 10.55.99.x.
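As an added, end-to-end example that is not part of the thread: the ASA-side and switch-side configuration the replies above describe, using the VLAN IDs from the later reply (55 and 250 for users, 99 for management) rather than the placeholder 100/200 of the earlier one. The interface numbers, object names, port ranges, the 10.55.99.0/24 management subnet, a 5510-class ASA with subinterfaces and the 8.3+ NAT syntax are all assumptions; on 8.2 and earlier use the static identity NAT shown above instead, and on a 2960 drop the encapsulation line because it only speaks dot1q.

```cisco
! ===== ASA (assumed: 8.3+ NAT syntax, Gi0/1 is the inside trunk port) =====
interface GigabitEthernet0/1
 description Trunk to L2 switch
 no nameif
 no security-level
 no ip address
 no shutdown
!
! subinterface numbers chosen to match the VLAN IDs (an assumption, not a requirement)
interface GigabitEthernet0/1.55
 vlan 55
 nameif VLAN55
 security-level 100
 ip address 10.55.55.1 255.255.255.0
!
interface GigabitEthernet0/1.250
 vlan 250
 nameif VLAN250
 security-level 100
 ip address 10.55.250.1 255.255.255.0
!
interface GigabitEthernet0/1.99
 vlan 99
 nameif MGMT99
 security-level 100
 ip address 10.55.99.1 255.255.255.0
!
! all three are security-level 100, so forwarding between them needs this
same-security-traffic permit inter-interface
!
! identity (no-NAT) rule so VLAN55 <-> VLAN250 traffic keeps its real addresses
object network NET-VLAN55
 subnet 10.55.55.0 255.255.255.0
object network NET-VLAN250
 subnet 10.55.250.0 255.255.255.0
nat (VLAN55,VLAN250) source static NET-VLAN55 NET-VLAN55 destination static NET-VLAN250 NET-VLAN250
!
! reminder: the site-to-site VPN only carries 10.55.55.0/24 today; the new
! subnets must also be added to the crypto ACL and VPN no-NAT rules on both ASAs

! ===== L2 switch (assumed: Catalyst IOS, Gi0/1 uplink, Fa0/1-24 user ports) =====
! safety net for a remote change with nobody on site: the switch reloads to the
! saved config unless "reload cancel" is issued within 15 minutes
reload in 15
!
vlan 55
 name USERS-55
vlan 250
 name USERS-250
vlan 99
 name MGMT
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 description Trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 55,99,250
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 55
!
interface range FastEthernet0/13 - 24
 switchport mode access
 switchport access vlan 250
!
interface Vlan99
 ip address 10.55.99.10 255.255.255.0
 no shutdown
!
! only after Vlan99 shows up/up and 10.55.99.1 answers from the switch:
ip default-gateway 10.55.99.1
!
! last step, from a session opened to 10.55.99.10, not to the old VLAN 1 address
interface Vlan1
 no ip address
 shutdown
!
write memory
reload cancel
```

The ASA subinterfaces only accept tagged frames, so the switch trunk carries no untagged traffic; pointing the native VLAN at an unused ID keeps VLAN 1 off the trunk entirely. The `reload in` / `reload cancel` pair addresses the concern raised above about losing the telnet session with nobody at the site: if the new management path does not come up, the switch reverts to its saved configuration on its own.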

  • Sey 1,388 posts since
    May 4, 2010
    11. May 16, 2012 12:54 AM (in response to Irfan Sri)
    Re: How to route 2 subnet with ASA?
    Another thing: when I create a subinterface on the ASA with IP 10.55.250.1, I cannot ping it from the switch, but I can ping 10.55.55.1.

    This is normal. The thing is, your switch is in the 10.55.55.0/24 subnet, and as such can ping 10.55.55.1 only. The ASA is not a router; that's why you cannot ping the IP address of another interface.

    When I check the show interface stats output, I find that the main interface and subinterface MAC addresses are the same. Is it OK to leave that, or do I have to change it?

    That's all right as long as those subnets are in different VLANs. MAC addresses should be unique within a broadcast domain.
