12 Replies Latest reply: May 16, 2012 7:29 AM by Irfan Sri

    How to route 2 subnet with ASA?

    Irfan Sri

      Hi Guys,

       

      We have a new site with an ASA firewall and a Layer 2 switch. On the Layer 2 switch all ports are on the default VLAN (VLAN 1), no other VLANs are configured, and the VLAN 1 IP address is in 10.55.55.x. The L2 switch is connected to the ASA firewall's inside interface. We need to configure two subnets on the new site, e.g. 10.55.55.0 and 10.55.250.0.

      How can I configure the switch and firewall so that each subnet can talk to the other?

      The new site is connected to the main site via an IPsec VPN tunnel using the ASAs on both sides; we can ping 10.55.55.0 network devices from the main office.

      The L2 switch is connected to the inside interface of the ASA, and both subnets will be on the inside interface of the ASA. Do I need to configure "same-security-traffic permit inter-interface" on the firewall to pass traffic between the subnets on the same interface?

       

      Regards

       

      Irfan

        • 1. Re: How to route 2 subnet with ASA?
          Steven Williams

          Maybe a quick drawing of the network would help. From what I understand, the new site will need both subnets? Then you will need two VLANs on the Layer 2 switch and a trunk to the ASA (if you have a 5510 or higher, or an ASA 5505 with the Security Plus license), and the ASA basically becomes the default gateway for those VLANs.

           

          "same-security-traffic permit inter-interface" - By default the ASA will allow higher level interfaces forward traffic to lower level interfaces, so I believe this option allows two interfaces with the same security level to communicate without the need for ACL's to allow traffic to pass to each other.

          • 2. Re: How to route 2 subnet with ASA?
            Irfan Sri

            Steve,

            Thanks for the reply. Yes, we need two subnets for the new site. I can configure a trunk on the L2 switch, but how do I configure the ASA inside interface as a trunk port?

            • 3. Re: How to route 2 subnet with ASA?
              Sey

              Your ASA config will look similar to this:

               

              interface GigabitEthernet0/0
                no nameif
                no security-level
                no ip address
              !
              interface GigabitEthernet0/0.10
                vlan 100
                nameif VLAN100
                security-level 100
                ip address 10.55.55.1 255.255.255.0
              !
              interface GigabitEthernet0/0.20
                vlan 200
                nameif VLAN200
                security-level 100
                ip address 10.55.250.1 255.255.255.0
              !
              ! both user VLANs are at level 100, so same-security forwarding must be enabled
              same-security-traffic permit inter-interface
              same-security-traffic permit intra-interface

               

              Depending on the NAT configuration and version of ASA software, you may also need to prevent NATting of inter-vlan traffic:

               

              static (VLAN100,VLAN200) 10.55.55.0 10.55.55.0 netmask 255.255.255.0
              static (VLAN200,VLAN100) 10.55.250.0 10.55.250.0 netmask 255.255.255.0
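An added example, not code from this thread or from Cisco: a small Python model of the ASA's implicit forwarding policy as Steven (reply 1) and Sey (reply 3) describe it (security levels, the two same-security-traffic commands, and an inbound access-group), so a design like Sey's can be checked before a change window on a box nobody can power-cycle. Interface names and subnets follow Sey's config; the ACL entries and the hairpin flow are constructed for illustration.

```python
"""Added example (not code from the thread): a small model of the ASA's implicit
forwarding policy as Steven and Sey describe it, so a design like Sey's can be
checked before a change window on a remote box. Interface names and subnets
follow Sey's config; the ACL entries are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One access-list entry: (action, source, destination); "any" or a CIDR.
Ace = tuple[str, str, str]


@dataclass
class Iface:
    name: str
    security_level: int
    acl_in: list[Ace] | None = None  # None = no access-group applied inbound


@dataclass
class Asa:
    ifaces: dict[str, Iface]
    permit_inter: bool = False  # same-security-traffic permit inter-interface
    permit_intra: bool = False  # same-security-traffic permit intra-interface


def _match(cidr: str, host: str) -> bool:
    return cidr == "any" or ip_address(host) in ip_network(cidr, strict=False)


def acl_verdict(acl: list[Ace], src_ip: str, dst_ip: str) -> bool:
    """First match wins; an applied ACL ends with an implicit deny."""
    for action, src, dst in acl:
        if _match(src, src_ip) and _match(dst, dst_ip):
            return action == "permit"
    return False


def decide(asa: Asa, ingress: str, egress: str, src_ip: str, dst_ip: str) -> tuple[bool, str]:
    """Is a new flow entering `ingress` and leaving `egress` forwarded, and why?

    Order matters: the same-security-traffic checks come first because an ACL
    cannot override them; then an applied inbound ACL decides; only with no
    ACL does the security-level comparison apply.
    """
    a, b = asa.ifaces[ingress], asa.ifaces[egress]
    if ingress == egress and not asa.permit_intra:
        return False, "hairpin needs 'same-security-traffic permit intra-interface'"
    if ingress != egress and a.security_level == b.security_level and not asa.permit_inter:
        return False, "equal levels need 'same-security-traffic permit inter-interface'"
    if a.acl_in is not None:
        ok = acl_verdict(a.acl_in, src_ip, dst_ip)
        return ok, f"access-group on {ingress} {'permits' if ok else 'denies'} the flow"
    if a.security_level >= b.security_level:
        return True, "same or higher security level to lower: permitted implicitly"
    return False, "lower security level to higher: denied without an access-group permit"


def two_vlan_site(permit_inter: bool, permit_intra: bool,
                  outside_acl: list[Ace] | None = None) -> Asa:
    """Sey's layout: outside at level 0, two user VLANs both at level 100."""
    return Asa(
        ifaces={
            "outside": Iface("outside", 0, acl_in=outside_acl),
            "VLAN100": Iface("VLAN100", 100),
            "VLAN200": Iface("VLAN200", 100),
        },
        permit_inter=permit_inter,
        permit_intra=permit_intra,
    )


if __name__ == "__main__":
    flow = ("VLAN100", "VLAN200", "10.55.55.10", "10.55.250.10")
    print(decide(two_vlan_site(False, False), *flow))  # (False, 'equal levels need ...')
    print(decide(two_vlan_site(True, False), *flow))   # (True, '... permitted implicitly')
    # Spoke-to-spoke VPN traffic re-enters and leaves via outside: a hairpin.
    print(decide(two_vlan_site(True, False), "outside", "outside", "10.1.1.10", "10.2.2.10"))
```

Two things the model makes visible that are easy to miss on the box: the same-security-traffic commands are evaluated before any ACL, so a `permit ip any any` access-list on one of the VLAN interfaces does nothing for VLAN-to-VLAN traffic until `permit inter-interface` is present; and an access-group on outside that permits ip any any, as in the configs posted later in this thread, makes the model forward every flow from outside into the user VLANs. Traffic arriving through the site-to-site tunnel bypasses the outside interface ACL while `sysopt connection permit-vpn` is at its default, so that line only widens what non-tunnel traffic the outside interface accepts.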

              • 4. Re: How to route 2 subnet with ASA?
                Irfan Sri

                Hi Sey,

                Thanks for your great help. Now I'm telnetting to the inside interface of the ASA (10.55.55.1).

                So if I remove the nameif command and the IP of the inside interface, I will lose the telnet connection, right? We have a VPN to our new site using the same ASA. Do I need to configure telnet to the outside interface?

                • 5. Re: How to route 2 subnet with ASA?
                  Sey

                  So if I remove the nameif command and the IP of the inside interface, I will lose the telnet connection, right?

                  That depends on the interface you telnetted to. Yes, it's safer to telnet (btw, why telnet and not SSH?) to the outside interface when reconfiguring the inside interface.

                  • 6. Re: How to route 2 subnet with ASA?
                    Irfan Sri

                    Sey,

                    I did the configuration as you explained, and I had some issues: I cannot log in to or ping the L2 switch.

                    My L2 switch has only one VLAN (the default), and all ports are in that VLAN. So do I need to configure VLANs 55 and 250? Before configuring the ASA, I just added VLAN 250 on the L2 switch; I didn't assign any switch ports to it.

                    My configuration on the ASA:

                    interface Ethernet0/1
                     no nameif
                     no security-level
                     no ip address
                    !
                    interface Ethernet0/1.10
                     vlan 55
                     nameif VLAN55
                     security-level 100
                     ip address 10.55.55.1 255.255.255.0
                    !
                    interface Ethernet0/1.20
                     vlan 250
                     nameif VLAN250
                     security-level 100
                     ip address 10.55.250.1 255.255.255.0

                     

                    Thanks

                     

                    L2 switch config

                     

                    switch2970#show run
                    Building configuration...

                    Current configuration : 2043 bytes
                    !
                    version 12.2
                    no service pad
                    service timestamps debug uptime
                    service timestamps log uptime
                    no service password-encryption
                    !
                    !
                    !
                    aaa new-model
                    aaa authentication login default group tacacs+ enable
                    aaa authentication login vty group tacacs+ enable
                    aaa authentication login console group tacacs+ enable
                    aaa authentication enable default group tacacs+ enable
                    aaa authorization exec default group tacacs+ none
                    aaa authorization exec vty group tacacs+ none
                    aaa accounting exec default start-stop group tacacs+
                    !
                    aaa session-id common
                    ip subnet-zero
                    !
                    !
                    !
                    !
                    no file verify auto
                    spanning-tree mode pvst
                    spanning-tree extend system-id
                    !
                    vlan internal allocation policy ascending
                    !
                    interface GigabitEthernet0/1
                    switchport trunk encapsulation dot1q
                    switchport mode trunk
                    !
                    interface GigabitEthernet0/2
                    !
                    interface GigabitEthernet0/3
                    !
                    interface GigabitEthernet0/4
                    !
                    interface GigabitEthernet0/5
                    !
                    interface GigabitEthernet0/6
                    !
                    interface GigabitEthernet0/7
                    !
                    interface GigabitEthernet0/8
                    !
                    interface GigabitEthernet0/9
                    !
                    interface GigabitEthernet0/10
                    !
                    interface GigabitEthernet0/11
                    !
                    interface GigabitEthernet0/12
                    !
                    interface GigabitEthernet0/13
                    !
                    interface GigabitEthernet0/14
                    !
                    interface GigabitEthernet0/15
                    !
                    interface GigabitEthernet0/16
                    !
                    interface GigabitEthernet0/17
                    !
                    interface GigabitEthernet0/18
                    !
                    interface GigabitEthernet0/19
                    !
                    interface GigabitEthernet0/20
                    !
                    interface GigabitEthernet0/21
                    !
                    interface GigabitEthernet0/22
                    !
                    interface GigabitEthernet0/23
                    !
                    interface GigabitEthernet0/24
                    !
                    interface Vlan1
                    ip address 10.55.55.xx 255.255.255.0
                    ip helper-address 10.150.xx.xx
                    no ip route-cache
                    !
                    interface Vlan250
                    no ip address
                    no ip route-cache
                    !
                    ip default-gateway 10.55.55.1
                    ip http server
                    tacacs-server host 10.150.xx.xx
                    tacacs-server directed-request
                    tacacs-server key xxxx
                    radius-server source-ports 1645-1646
                    !
                    control-plane
                    !
                    !
                    line con 0
                    password xxx
                    line vty 0 4
                    access-class 10 in
                    password xxx
                    line vty 5 15
                    access-class 10 in
                    password xxx
                    !

                    • 7. Re: How to route 2 subnet with ASA?
                      Sey

                      As network 10.55.55.0/24 belongs to VLAN 55, the management address of the L2 switch should be configured under SVI 55:

                       

                      interface Vlan1
                        no ip address
                      interface Vlan55
                        ip address 10.55.55.xx 255.255.255.0
                      end

                      • 8. Re: How to route 2 subnet with ASA?
                        Irfan Sri

                        Thanks again, Sey,

                        Can I configure VLAN 1 on the ASA? Then there's no need to configure VLAN 55 on the L2 switch, right?

                        Do I need to segment switch ports for each VLAN? I mean, whoever needs subnet 55 gets their switch port moved to VLAN 1 (or VLAN 55), and whoever needs subnet 250 gets moved to VLAN 250.

                        I'm configuring the L2 switch using telnet, so if I use "no ip address" on VLAN 1, my telnet connection to the switch will disconnect. I'm at risk configuring the switch because there is nobody to configure or power-reset the switch at the location.

                         

                         

                         

                        I did some test configurations, but I'm still failing; I always lose connectivity with the L2 switch. After configuring the "no nameif" command on interface Ethernet0/1, I lost connection with the L2 switch. Even when I configure IP addresses for the subinterfaces there is no good result. My firewall config is as follows, and I posted the L2 switch configuration before.

                         

                        ASA Version 8.2(5)
                        !
                        hostname firewall
                        enable password fv0T0F4f
                        passwd  encrypted
                        names
                        !
                        interface Ethernet0/0
                         nameif outside
                         security-level 0
                         ip address xxxx 255.255.255.224
                        !
                        interface Ethernet0/1
                         no nameif
                         no security-level
                         no ip address
                        !
                        interface Ethernet0/1.10
                         vlan 1
                         nameif vlan1
                         security-level 100
                         ip address 10.55.55.1 255.255.255.0
                        !
                        interface Ethernet0/1.20
                         vlan 250
                         nameif VLAN250
                         security-level 100
                         ip address 10.55.250.1 255.255.255.0
                        !
                        ftp mode passive
                        dns server-group DefaultDNS
                         name-server 8.8.8.8
                        same-security-traffic permit inter-interface
                        same-security-traffic permit intra-interface
                        access-list inside_access_in extended permit ip any any
                        access-list outside_access_in extended permit ip any any
                        access-list VLAN250_access_in extended permit ip any any
                        pager lines 24
                        logging enable
                        logging asdm informational
                        mtu outside 1500
                        mtu vlan1 1500
                        mtu VLAN250 1500
                        icmp unreachable rate-limit 1 burst-size 1
                        icmp permit any outside
                        no asdm history enable
                        arp timeout 14400
                        access-group outside_access_in in interface outside
                        access-group VLAN250_access_in in interface VLAN250
                        dynamic-access-policy-record DfltAccessPolicy

                         

                         

                         

                        Any help please.

                         

                        Thanks

                        • 9. Re: How to route 2 subnet with ASA?
                          Sey
                          can i configure Vlan 1 in ASA? then no need to configure Vlan 55 in L2 switch rite?

                          You can do that if you want to. But do you really want that? Best practices state that we should not use VLAN 1 at all. I have a counter-question - do you need both subnets for users? If so, you can create additional management VLAN and a corresponding subnet - not necessarily VLAN 1!

                           

                          For example, let it be VLAN 99 and network 10.55.99.0/24. You create another subinterface on the ASA, then SVI 99 on the switch, and don't forget to change ip default-gateway on the switch to the IP address of ASA, i.e. 10.55.99.x

                          Do I need to segment switch ports for each VLAN? I mean, whoever needs subnet 55 gets their switch port moved to VLAN 1 (or VLAN 55), and whoever needs subnet 250 gets moved to VLAN 250.

                          That's right.

                          I'm configuring the L2 switch using telnet, so if I use "no ip address" on VLAN 1, my telnet connection to the switch will disconnect. I'm at risk configuring the switch because there is nobody to configure or power-reset the switch at the location.

                          Can your L2 switch support more than one SVI in the Up state? I mean if you create a new SVI and assign an IP address to it, will SVI 1 shutdown automatically? If it does not, no disconnects will occur until you change ip default-gateway. After that, you'll be able to telnet to the new management address 10.55.99.x
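An added example, not code from this thread or from Cisco, covering Sey's replies 7 and 9: a Python check that a switch's management SVI and default gateway line up with the ASA's 802.1Q (sub)interfaces across the trunk. It reproduces the failure reported above (SVI 1 leaves the trunk untagged on the native VLAN, while the ASA only has tagged subinterfaces and no nameif on the parent), shows the SVI 55 fix, and also accepts the alternative asked about in reply 8 (keeping 10.55.55.0/24 on the ASA parent interface, which receives untagged frames). The configs are constructed, abridged versions of the ones posted, with the "xx" placeholder replaced by 10.55.55.2; a single trunk uplink is assumed.

```python
"""Added example (not code from the thread): checks that a switch's management
SVI and default gateway line up with the ASA's 802.1Q (sub)interfaces. Configs
are constructed, abridged versions of the ones posted ('xx' -> 10.55.55.2);
a single trunk uplink to the ASA is assumed."""
from __future__ import annotations
import re
from ipaddress import ip_address, ip_interface

# Reply 6 layout: parent has no nameif, only tagged subinterfaces.
ASA_TAGGED_ONLY = """
interface Ethernet0/1
 no nameif
interface Ethernet0/1.10
 vlan 55
 nameif VLAN55
 ip address 10.55.55.1 255.255.255.0
interface Ethernet0/1.20
 vlan 250
 nameif VLAN250
 ip address 10.55.250.1 255.255.255.0
"""
# Alternative from reply 8: 10.55.55.0/24 stays on the parent (untagged frames).
ASA_PARENT_UNTAGGED = """
interface Ethernet0/1
 nameif inside
 ip address 10.55.55.1 255.255.255.0
interface Ethernet0/1.20
 vlan 250
 nameif vlan250
 ip address 10.55.250.1 255.255.255.0
"""
SWITCH_MGMT_ON_VLAN1 = """
interface GigabitEthernet0/1
 switchport mode trunk
interface Vlan1
 ip address 10.55.55.2 255.255.255.0
ip default-gateway 10.55.55.1
"""
# Reply 7 fix: management address moved to SVI 55.
SWITCH_MGMT_ON_VLAN55 = SWITCH_MGMT_ON_VLAN1.replace(
    "interface Vlan1\n ip address 10.55.55.2 255.255.255.0",
    "interface Vlan1\n no ip address\ninterface Vlan55\n ip address 10.55.55.2 255.255.255.0")
# Same fix, but someone also made 55 the trunk's native VLAN (constructed edge case).
SWITCH_NATIVE_55 = SWITCH_MGMT_ON_VLAN55.replace(
    "switchport mode trunk", "switchport mode trunk\n switchport trunk native vlan 55")


def parse_asa(text: str) -> dict[str, dict]:
    """Map each named L3 interface to its tag (None = untagged parent) and address."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"vlan": None, "nameif": None, "ip": None}
            ifaces[line.split()[1]] = cur
        elif cur is None or line.startswith("no "):
            continue
        elif line.startswith("vlan "):
            cur["vlan"] = int(line.split()[1])
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()
            cur["ip"] = ip_interface(f"{ip}/{mask}")
    return {v["nameif"]: v for v in ifaces.values() if v["nameif"] and v["ip"]}


def parse_switch(text: str) -> dict:
    """Trunk state, native VLAN, SVI addresses by VLAN id, and default gateway."""
    sw = {"trunk": False, "native": 1, "svi": {}, "gateway": None}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.fullmatch(r"interface Vlan(\d+)", line)):
            cur = int(m.group(1))
        elif line.startswith("interface "):
            cur = None
        elif line == "switchport mode trunk":
            sw["trunk"] = True
        elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", line)):
            sw["native"] = int(m.group(1))
        elif cur is not None and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            sw["svi"][cur] = ip_interface(f"{ip}/{mask}")
        elif line.startswith("ip default-gateway "):
            sw["gateway"] = ip_address(line.split()[2])
    return sw


def check(asa: dict[str, dict], sw: dict) -> list[str]:
    """Findings as strings; an empty list means management traffic reaches the ASA."""
    problems = []
    by_tag = {v["vlan"]: (name, v["ip"]) for name, v in asa.items()}
    for vid, svi in sw["svi"].items():
        # Native-VLAN frames leave the trunk untagged, and the ASA accepts
        # untagged frames only on a parent interface that has a nameif.
        tag = None if vid == sw["native"] else vid
        if tag is not None and not sw["trunk"]:
            problems.append(f"SVI {vid}: uplink is not a trunk, tagged frames never leave")
            continue
        how = "untagged" if tag is None else f"with tag {tag}"
        if (hit := by_tag.get(tag)) is None:
            problems.append(f"SVI {vid} ({svi.ip}) sends {how}; ASA has no interface for that")
            continue
        name, gw_if = hit
        if gw_if.ip not in svi.network:
            problems.append(f"SVI {vid} ({svi}) lands on ASA '{name}' ({gw_if}) but subnets differ")
    gw = sw["gateway"]
    if gw is not None and not any(gw in s.network for s in sw["svi"].values()):
        problems.append(f"ip default-gateway {gw} is not on any SVI subnet")
    return problems
```

The check models only what this thread runs into: native-VLAN handling on the trunk (VLAN 1 unless `switchport trunk native vlan` is set) and whether the ASA has a named interface for the tag the SVI's frames actually carry, plus the default-gateway subnet that reply 9 says must change together with the SVI. It does not read `switchport trunk allowed vlan` pruning; verify that on the real switch before cutting over.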

                          • 10. Re: How to route 2 subnet with ASA?
                            Irfan Sri

                            Hi Sey,

                             

                            Thanks for the reply. I will try to remove the management interface of the L2 switch when I get permission. The other thing is, when I create a subinterface on the ASA with IP 10.55.250.1, I cannot ping it from the switch, but I can ping 10.55.55.1.

                            When I check the "show interface" output, I find that the main interface and subinterface MAC addresses are the same. Is it OK to leave that, or do I have to change it? (I changed the config of the ASA: I added IP 10.55.55.1 to the inside interface for untagged packets and created a subinterface with VLAN 250 (10.55.250.1) for tagged packets, for testing, as follows, because I still cannot ping 10.55.250.1 from the switch.)

                             

                            I just tested some configuration following the link below for tagged and untagged packets, but I still cannot ping from the switch to the subinterface. We didn't attach any devices on subnet 250 to the switch, for a better test.

                             

                            https://learningnetwork.cisco.com/thread/10502

                             

                            interface Ethernet0/0
                             nameif outside
                             security-level 0
                             ip address xx.xx
                            !
                            interface Ethernet0/1
                             nameif inside
                             security-level 100
                             ip address 10.55.55.1 255.255.255.0
                            !
                            interface Ethernet0/1.20
                             vlan 250
                             nameif vlan250
                             security-level 100
                             ip address 10.55.250.1 255.255.255.0
                            !
                            ftp mode passive
                            same-security-traffic permit inter-interface
                            same-security-traffic permit intra-interface
                            access-list inside_access_in extended permit ip any any
                            access-list outside_access_in extended permit ip any any
                            access-list vlan250_access_in extended permit ip any any
                            pager lines 24
                            logging enable
                            logging asdm informational
                            mtu outside 1500
                            mtu inside 1500
                            mtu vlan250 1500
                            icmp unreachable rate-limit 1 burst-size 1
                            icmp permit any outside
                            icmp permit any inside
                            icmp permit any vlan250
                            no asdm history enable
                            arp timeout 14400
                            access-group outside_access_in in interface outside
                            access-group inside_access_in in interface inside
                            access-group vlan250_access_in in interface vlan250
                            route outside 0xxx
                            timeout xlate 3:00:00

                            • 11. Re: How to route 2 subnet with ASA?
                              Sey
                              The other thing is, when I create a subinterface on the ASA with IP 10.55.250.1, I cannot ping it from the switch, but I can ping 10.55.55.1.

                              This is normal. The thing is, your switch is in the 10.55.55.0/24 subnet, and as such can ping 10.55.55.1 only. The ASA is not a router; that's why you cannot ping the IP address of another interface.

                              When I check the "show interface" output, I find that the main interface and subinterface MAC addresses are the same. Is it OK to leave that, or do I have to change it?

                              That's all right as long as those subnets are in different VLANs. MAC addresses should be unique within a broadcast domain.

                              • 12. Re: How to route 2 subnet with ASA?
                                Irfan Sri

                                Thanks for your help, Sey,

                                 

                                Your way of replying is so clear for me. I have configured switch port 24 for subnet 250; this network is still not in production, so I have to wait until something is connected to port 24 to see whether it can talk with subnet 55 or not.

                                 

                                I appreciate your help