Cisco ASA VLANs and Sub-Interfaces

Hello Brandon

If I understood correctly, you want to segment your internal networks, whether they are DMZ or inside networks, so that you can more appropriately manage traffic. Well, you can always create a second DMZ as you mention, by simply creating another subnet and configuring it on another port of the ASA.

But in general, you should do the segmentation of your internal networks using internal network devices such as switches and routers. Keep switching, routing, and segmentation separate from the firewall functionalities provided by the ASA. Keep the ASA configuration as simple as possible, keeping only one inside, one DMZ, and one outside interface whenever possible.

I hope this has been helpful!

Laz

Thanks Laz, I will keep it simple.

Laz,

Please clarify here for Vlan 15 and the routing from ASA to the router and outside. I don’t see Vlan 15 in the diagram so I wanted to make sure I understood this correctly.

Router has 4 sub-interfaces
Inside Vlan 15
Outside to isp
DMZ Vlan 30
Vlan 20

The default routes from router to ASA should look like this:
ip route 192.168.3.0 255.255.255.0 192.168.15.2
ip route 192.168.2.0 255.255.255.0 192.168.15.2
ip route 192.168.1.0 255.255.255.0 192.168.15.2

The ASA would have a static route from outside to the GW (these are placeholder IPs for public):
route outside 5.5.5.5 5.5.5.6
Then: route DMZ 0.0.0.0 0.0.0.0 192.168.15.1

Does this look right? I have put this into my devices and something is missing, because it's not working; I have no connection to the outside from either VLAN 10 or 20.

Hello Brandon

In the suggested changes, I introduced VLAN 15 as the VLAN that is directly connected to the Inside interface of the firewall, as shown in the following diagram:

Now if you’re using your topology, where everything goes through the switch, then the router should have 3 subinterfaces. The outside to ISP should not be included as that is the responsibility of the ASA. Otherwise you are bypassing the ASA to get to the Internet, something that defeats the purpose of the firewall.

Now in the router, all you need is a default route that points to the inside interface of the ASA. That way all traffic to the internet and to the DMZ will go via the ASA.

The ASA should have a route to each of the subnets of VLAN 10 and VLAN 20 pointing to the IP address of the VLAN 15 subinterface on the Router. This way, traffic can be routed back to the devices that made the initial communication to the DMZ or the Internet. I believe this is what you are missing in your configuration.

Finally, the ASA should have a default route to the Internet.

I hope this has been helpful!

Laz

Laz,

I will review my configs again today. The diagram and explanation will help, as I thought I had done exactly what you're suggesting in your latest post. However, I do have a question as to why it needs to be a default route. Will the static routes that I listed not work just the same? Maybe that's the issue. My question is: what is so significant about a default route compared to one that is network specific?

ip route 0.0.0.0 0.0.0.0 10.15.1.2
Rather, I have
ip route 192.168.1.0 255.255.255.0 10.15.1.2

As an example, for the 10 network, why would that not be just as good?

Laz or Rene,

This is really troublesome, as I've gone back and reconfigured my devices to see if I could get everything to work. I've now successfully got multiple VLANs running to the ASA and out to the internet. However, I have now managed to send all traffic out of the Inside to the outside rather than the web server traffic to the DMZ. So I'm not sure why or how, but the default route explains a lot of it, is my best evaluation from all of this. If I send traffic from the 10 network to the inside this doesn't work; if I route all traffic to the inside with a default route, everything works. As I explained in my example before with the routing, I have set up static routes from the ASA back to the Router and set up static routes from the router to the ASA, but I'm not sure how or why it doesn't work other than with a default route??

So now I need to determine how I can get the VLAN 28 web server network to route to the DMZ on VLAN 30 and send all the other vlans to the inside interface.

This is what I tried to use

Router
ip route 10.10.100.0 255.255.255.0 10.30.1.1
ASA
DMZ 10.10.100.0/24 10.30.1.2

Router
ip route 10.10.1.0 255.255.255.224 10.15.1.2
ip route 10.20.1.0 255.255.255.224 10.15.1.2
ASA
Inside 10.10.1.0/27 10.15.1.1
inside 10.20.1.0/27 10.15.1.1

Hello Brandon

The specific route will work just fine, there’s no rule that says you shouldn’t use it. However, the logic behind the default route is that this allows all VLANs (specifically 10 and 20) to reach the internet using the Inside interface of the ASA as the next hop. With your config, you’ll be able to reach the DMZ, but not the Internet. It really depends on what you want to achieve.

Now as for your issue of getting the VLAN 28 web server network to route to the DMZ, I believe that through the various posts we've written, I've lost the original topology that you are actually using. Can you restate the issue with all of your information (subnets, VLANs etc.) so that we can take a closer look?

I hope this has been helpful!

Laz


Laz,
This is the diagram we were originally using or ended up with. Since I have been able to get everything working in this diagram, I was trying to add another VLAN for the web server and VPN to the diagram, which is VLAN 28; it is going to be 2 different server IPs, maybe 3, hosting these services.
I think the right thing to do here is to push everything from the servers over the DMZ, since I want public access to the inside to the web server for file sharing, web hosting and VPN access. However, with the default route pushing everything to the VLAN 15 ASA interface, which is the inside, no traffic is being sent over the DMZ interface but instead all over the inside.

Hello Brandon

I’m still not clear as to where VLAN 28 will be on the diagram, but like I said before, you can use whatever routing gives you the results you need. The only reason I used a default route in the router is because based on this diagram, all destinations that are not in VLAN 10 or VLAN 20 must be routed via the connection to the firewall, since that is the only other path, to the DMZ, to the Internet, and to any other networks you may have. This results in correct routing with only a single command.

If however based on your topology with VLAN 28, you require additional routing commands, that is fine as well.

I hope this has been helpful!

Laz

Laz,

Sorry for the confusion. VLAN 28 is out with VLAN 10 and 20, but only my servers are on this VLAN. I know it's not depicted in the diagram, and I don't have whatever software you're using to make the fancy diagrams, so I couldn't edit it. Anyway, would it make sense to route the server traffic over the DMZ, since I would be putting in an ACL to allow it to have access from public? I'm trying to figure out how to do that correctly. One server is for web hosting, so I have added an ACL that will allow HTTP and HTTPS from the outside in to the public server. I'm trying to determine the best way to set up VPN services (hosted RAS) on another server and allow them access to the network resources like file sharing when connected on VPN. Would it be better and easier to host and set up VPN services through the ASA or with the Windows Server?

Hello Brandon

Thanks for the clarification. If you are placing VLAN 28 behind the router in the diagram, then it is not possible to “route the server traffic over the DMZ” because the servers are not in the DMZ. You would actually have to place those servers within the DMZ itself.

image

Anything that hangs off of the INSIDE interface, including VLAN 28 as shown above, must be routed via the INSIDE interface, and be treated as INSIDE traffic. If you want the servers in VLAN 28 to be part of the DMZ, you have to actually place them in VLAN 30.

Of course you can always add another router to the DMZ port, and place multiple VLANs behind it, similar to the router connected to the INSIDE interface of the ASA. Then traffic from all VLANs behind that router will be treated like DMZ traffic, since they would be routed via the DMZ interface of the ASA.

I hope this has been helpful!

Laz

Okay, I think this has caused another issue though, because if I move my web servers to VLAN 28 and change everything to make the DMZ VLAN 28 for the IP scheme, I now still have a default route pushing all traffic from the router to the ASA inside interface. If I try to modify this route to a network-specific route to the 10.15.1.2 ASA inside interface, then no traffic is passed out to the internet and everything stops working, so the traffic on VLAN 28 is still not pushing over the DMZ with this configuration??

Hello Brandon

What’s important to note here is that any servers you want to be treated with the security that the DMZ provides must be connected to the DMZ port. If you want multiple subnets/VLANs to be treated as DMZ, then you need another router connected to the DMZ port behind which you can place as many subnets/VLANs as you like.

In order to help you more effectively, can you share your current topology, VLANs, and IP address ranges with us so that we can help troubleshoot your issues more specifically?

I hope this has been helpful!

Laz

Laz,

I'm using the exact topology you have helped me design, with a few small tweaks: the DMZ recently changed from VLAN 30 to 28 to prevent so many other changes across the rest of my devices.

So I have another router ready to add to this scenario in my lab equipment, but I don't know where you're saying to implement it, or how exactly, with everything else. So I have VLANs 10 and 20 routing to the inside interface, and NAT is working wonderfully with this config. I currently have VLAN 28 on the same switch and the sub-interface set up on the previous router. I understand the problem, but could I use the 2nd interface on the router, or does it need to be a completely different one? If a completely different one, then is it plugged into the switch with only VLAN 28 configured and the default route to the DMZ interface, which is currently
10.10.100.10/24
Router is 10.10.100.1/24
Web server 1 is 10.10.100.118
SFTP / VPN is 10.10.100.115

These are the two servers I need to figure out how to configure the routes and ACLs for, to allow traffic from public to the inside? Also, I don't know if it makes it easier if I add that I have a 2nd ASA available and additional public static IPs to use.

Vlan 28 10.10.100.0/24
Vlan 10 10.10.1.0/27
Vlan 20 10.20.1.0/27
Vlan 12 10.12.1.0/26 not in use yet but plan to use for wifi

Hello Brandon

Let me clarify a couple of things. I had suggested to install another router to connect to the DMZ interface only as a solution to placing two or more VLANs behind the DMZ (just like you have multiple VLANs behind the Inside interface). Since this is not the case, and the web and VPN servers are in the same VLAN (28) then we don’t need that. Based on your description, this is the topology I have come up with:

image

Now on the Router on a stick, you would have a default route to 10.15.1.2 since everything (Internet, DMZ, the rest of the world) is accessible only via the inside interface of the ASA. Here you can specify something more specific, like the IP addresses of the servers, but it will actually make no difference in the functionality of the network.

Secondly, you would have the web and VPN servers hanging off of the DMZ interface. Now in order for the ASA to route traffic appropriately, you will have to do the following:

route inside 10.10.1.0 255.255.255.224 10.15.1.1
route inside 10.20.1.0 255.255.255.224 10.15.1.1
route inside 10.12.1.0 255.255.255.224 10.15.1.1
route outside 0.0.0.0 0.0.0.0 <Internet next hop IP>

The rest of the networks including 10.15.10.0/24 and 10.10.100.0/24 are directly connected, so no additional routing is necessary. You must verify that the servers are using 10.10.100.10 (the DMZ interface) as their default gateway.

Finally, in order to get the servers accessible from the public to the DMZ, you can either employ Static NAT or NAT port forwarding. These two lessons describe these features in detail:


You can use a second ASA in the event that you want to introduce redundancy in an active/standby failover situation. You can find out more about this here:

I hope this has been helpful!

Laz
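Putting the design in the reply above into actual configuration, as an added example that is not from the original thread: the router-on-a-stick subinterfaces with a single default route toward the ASA, the ASA's routed inside/DMZ/outside interfaces with the return routes for VLANs 10, 20 and 12, and a static NAT with an ACL so the web server is reachable on 80/443 from the outside. Interface names, the router's VLAN 10/20/12 gateway addresses, the 10.15.1.0/24 transit subnet, the /26 mask for VLAN 12 (as stated earlier in the thread) and the 203.0.113.x public addresses are assumptions for illustration (the thread gives no public IPs); the other addresses come from the thread.

```cisco
!=== Router on a stick (assumed interface names and VLAN gateway addresses) ===
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.1.1 255.255.255.224
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.1.1 255.255.255.224
!
interface GigabitEthernet0/0.12
 encapsulation dot1Q 12
 ip address 10.12.1.1 255.255.255.192
!
! VLAN 15 is the transit link to the ASA inside interface (10.15.1.0/24 assumed)
interface GigabitEthernet0/0.15
 encapsulation dot1Q 15
 ip address 10.15.1.1 255.255.255.0
!
! Everything not in VLAN 10/20/12 (DMZ, Internet) lives behind the ASA,
! so one default route covers it; per-subnet routes would only reach the DMZ.
ip route 0.0.0.0 0.0.0.0 10.15.1.2

!=== ASA (assumed interface names; 203.0.113.x are placeholder public IPs) ===
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.15.1.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.100.10 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
! Return routes for the VLANs behind the router; without these, replies to
! VLAN 10/20/12 hosts have no path back and the sessions never complete.
route inside 10.10.1.0 255.255.255.224 10.15.1.1
route inside 10.20.1.0 255.255.255.224 10.15.1.1
route inside 10.12.1.0 255.255.255.192 10.15.1.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT for the inside VLANs going to the Internet
object network INSIDE-VLANS
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
!
! Static NAT for the web server (10.10.100.118 from the thread) and an ACL
! that only opens HTTP/HTTPS from the outside toward it.
object network WEB-SERVER
 host 10.10.100.118
 nat (dmz,outside) static 203.0.113.10
!
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 80
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE-IN in interface outside
!
! Verification: show route (both return routes and the default), show nat
```

The servers in the DMZ must use 10.10.100.10 as their default gateway, as the reply notes; the ASA then has every subnet either directly connected or covered by one of the routes above, which is the "single command" default-route logic on the router side and explicit return routes on the ASA side.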

I am having an issue with my ASA, in which my VLANs are not passing along from my 3750X switch stack onto my 5525X ASA. I attempted to configure my switch port to be trunked while allowing all VLANs to traverse, then set my physical ASA port to be a subinterface with the corresponding VLAN IPs, but when I pinged from the ASA/switch I could not reach either interface.

Hello Cory

From your description, you seem to have followed the correct procedure. It’s most likely a small configuration detail that you will have to troubleshoot and work out. One thing you should keep in mind when configuring this, is that unlike router on a stick, the physical interface of the ASA must have no security zone configured, while a security zone must be configured on each of the subinterfaces. This is a common misconfiguration in such implementations, so I thought I’d mention it here.

You can take a look at this lesson which details such a configuration and compare it with yours. This may help you in your troubleshooting procedures.

I hope this has been helpful!

Laz


I see there are articles on how to configure inter-VLAN routing using an L3 switch or router, and also articles about using the ASA to do subinterfaces. Is it possible to combine them both, and would the best way of going about this be to use ACLs on the ASA?

Imagine a small branch site with say only four VLANs, these endpoints connect into a L2 switch, with the switch connected to the ASA on a single physical interface/port. If the ASA can be configured to support five subinterfaces, and the appropriate ACLs configured for each of these corresponding five VLANs, would it effectively be like using the ACL as a router to handle the intervlan stuff that the L2 switch cannot do? In this case the ASA itself connects to the outside to a SD-WAN endpoint and therefore cannot be another router in between them.

Hello Bo

What you are describing is using the ASA as the router between VLANs on an L2 switch. This is exactly what is being described in this lesson:

What I am not clear about is what you mean when you say:

ACLs are simply filtering mechanisms that will either allow or deny packets of specific source or destination addresses or ports. ACLs don’t route traffic. The ASA itself routes traffic. So in the scenario you are describing, it is the ASA that is routing between the VLANs, something that the L2 switch cannot do. Does that make sense?

I hope this has been helpful!

Laz
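For the trunk setup in Cory's post and the question from Bo about the ASA routing between VLANs on an L2 switch, here is an added configuration example (not from the thread or the lessons it links): the switch trunks the VLANs to a single ASA port, the ASA physical interface carries no nameif, security-level or IP address, and each subinterface gets its own. Interface names, VLAN numbers and addresses are assumptions for illustration.

```cisco
!=== Switch side (3750-X style trunk; interface name assumed) ===
interface GigabitEthernet1/0/1
 description Trunk to ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 no shutdown
!
! Verification on the switch: show interfaces trunk (the ASA port must list
! VLANs 10,20,30 as allowed AND active, otherwise the VLAN is not on the trunk)

!=== ASA side (interface name assumed) ===
! The physical interface only carries the 802.1Q trunk. It gets NO nameif,
! NO security-level and NO ip address; this is the most common mistake, and
! with a nameif here the subinterfaces will not pass traffic as expected.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Each subinterface is tied to one VLAN tag and is a full security zone:
! it needs nameif, security-level and an IP that is the hosts' gateway.
interface GigabitEthernet0/1.10
 vlan 10
 nameif users
 security-level 100
 ip address 10.10.1.1 255.255.255.224
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 100
 ip address 10.20.1.1 255.255.255.224
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 10.30.1.1 255.255.255.0
!
! The ASA does the routing between these VLANs (the L2 switch cannot).
! Two interfaces with the SAME security level do not talk by default:
same-security-traffic permit inter-interface
!
! ACLs only filter what the ASA already routes. Example: let VLAN 10 reach
! the DMZ web server on 443 and nothing else in the DMZ (assumed address).
access-list USERS-IN extended permit tcp 10.10.1.0 255.255.255.224 host 10.30.1.10 eq 443
access-list USERS-IN extended deny ip any 10.30.1.0 255.255.255.0
access-list USERS-IN extended permit ip any any
access-group USERS-IN in interface users
!
! Verification on the ASA: show nameif, show interface ip brief, show route
```

If a ping from a host to its subinterface address fails, check in this order: the VLAN appears as active on the switch trunk, the ASA subinterface has the matching `vlan` tag, and the physical interface has no nameif. Note that the ASA does not answer pings on an interface from a different interface's subnet unless icmp is explicitly permitted, so test from a host in the same VLAN first.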

Hello,
In this lesson, we use VLANs for the DMZ.
But can we use VLANs with different security levels for a LAN?
For example, in my LAN I have 2 VLANs: VLAN 10 Marketing and VLAN 20 HR.
Can I use security-level 70 for VLAN 10 and security-level 80 for VLAN 20?
So, VLAN 20 can communicate with VLAN 10 but not VLAN 10 with VLAN 20, in my opinion.

Am I right?

Thanks