Cisco ASA VLANs and Sub-Interfaces

Hi Rene,

I’m a newbie in need of config help involving a Catalyst 4500X and an ASA 5512X.
I will be managing the 4500X that is connected to my data center provider’s ASA 5512X.

Here are the details:
All internal routing is done on the 4500x.
Inter VLAN on the switch (VLAN 500, VLAN 69, VLAN xxx, VLAN xxy)

VLAN 500 - 4500x TE1/1/17 <==> ASA Ge0/1 (Primary) and 4500x TE2/1/17 <==> ASA Ge0/1 (Secondary).
-- 10.10.10.3 / 29

4500x config:

interface TenGigabitEthernet1/1/17
 switchport mode trunk
 switchport trunk allowed vlan 500

interface TenGigabitEthernet2/1/17
 switchport mode trunk
 switchport trunk allowed vlan 500

--VLAN 69 (192.168.69.2 /24)
interface TenGigabitEthernet1/1/4
 description Test Server
 switchport access vlan 69
 switchport mode access
 spanning-tree portfast

interface Vlan69
 ip address 192.168.69.2 255.255.255.0

interface Vlan500
 ip address 10.10.10.3 255.255.255.248

-- Default gateway 10.10.10.1 

****************
--ASA 5512x config:

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.500
 vlan 500
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2 

access-list inside_in extended permit ip 192.168.69.0 255.255.255.0 any 

object network obj-192.168.69.0-24
 nat (inside,outside) dynamic interface

route inside 192.168.69.0 255.255.255.0 192.168.69.2 1

******************
My DC provider claims that everything is set up on their end for internet access; however, I am unable to connect to the outside from a server behind the 4500x.
From the 4500x, I can ping 10.10.10.1 and .2.
I can’t ping any public address.
No internet access from the server.

What’s missing or needs to change on either end? Is trunking on the ASA really necessary?
Please advise.

Thanks!

Hi @akosiron

If you can ping from your server to the INSIDE ip address of your ASA, then at least you know your trunks/vlans are OK.

The only reason to use a trunk is if you need multiple VLANs between your ASA and switch. I see you only use VLAN 500, so it’s not needed unless you plan to add more VLANs later.

The ASA has this route:

route inside 192.168.69.0 255.255.255.0 192.168.69.2 1

How does it know how to get to 192.168.69.2? It tells the ASA that to reach 192.168.69.0/24, you have to get to 192.168.69.2 (a chicken-and-egg problem). The next hop should be 10.10.10.3, the IP address you use on your switch for the VLAN 500 interface.

That’s the one the ASA knows how to reach:

interface GigabitEthernet0/1.500
 vlan 500
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2 

Rene
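As an added illustration of the next-hop problem above (this is not code from the thread or from Cisco), a small Python check that validates an ASA static route against the subnet connected to its interface. The addresses are the ones from the ASA config in the question; the CONNECTED table and the Route type are constructed for this example.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    iface: str      # nameif the route points out of
    prefix: str     # destination network
    next_hop: str   # next-hop address


# Interfaces and the subnet each one is directly connected to. The values are
# copied from the ASA config in the question; the table itself is constructed.
CONNECTED = {
    "inside": ipaddress.ip_network("10.10.10.0/29"),
}


def check_static_route(route: Route, connected: dict) -> list:
    """Return a list of problems with one static route (empty list means OK).

    Two checks worth running before committing 'route <iface> ...':
    1. the next hop must sit in the subnet directly connected to that
       interface, otherwise the ASA cannot ARP for it;
    2. the next hop must not lie inside the destination prefix itself unless
       that prefix is connected, otherwise resolving the route needs the
       route (the chicken-and-egg case in the thread).
    """
    problems = []
    dst = ipaddress.ip_network(route.prefix)
    nh = ipaddress.ip_address(route.next_hop)
    local = connected.get(route.iface)
    if local is None:
        problems.append(f"unknown interface {route.iface}")
        return problems
    if nh not in local:
        problems.append(f"next hop {nh} is not in {local} on {route.iface}")
    if nh in dst and dst != local:
        problems.append(f"next hop {nh} is inside destination {dst}: recursive route")
    return problems


# The route from the question and the corrected one from the answer.
BROKEN = Route("inside", "192.168.69.0/24", "192.168.69.2")
FIXED = Route("inside", "192.168.69.0/24", "10.10.10.3")

if __name__ == "__main__":
    for r in (BROKEN, FIXED):
        issues = check_static_route(r, CONNECTED)
        print(r, "OK" if not issues else issues)
```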

Hi Rene,

The issue has been resolved.
The problem was, as you pointed out, the ASA’s next hop.
I may add more VLANs between the ASA and 4500x; that is why it was trunked.

Thanks.

-RON

Hello there,

What is a BVI interface?

Is there any major difference between BVI and VLAN?
I tried to find an answer online but couldn’t find a satisfying one, so if you can explain it to me a bit with a diagram and an example, please. Thanks.

And by the way, we are using an ASA 5506.

thanks

Hi Ankit,

TL;DR the BVI interface is the virtual L3 interface you can use for your VLAN.

There are two interface types:

  • Switchport interfaces (L2)
  • Routed interfaces (L3)

A switchport interface only works on L2 and forwards Ethernet frames by switching. You can’t configure an IP address on an L2 switchport interface. This is what an L2 switch does. You can add multiple switchport interfaces to a single VLAN.

A routed interface has an IP address and does not forward frames by switching. Since it’s a L3 interface, it doesn’t belong to any VLANs.

You probably want to use a default gateway for the hosts in your VLAN, so where do you configure the IP address for the gateway? You can’t configure it on a switchport interface. That’s why we use BVI interfaces.

The BVI interface is a virtual L3 interface that belongs to your VLAN. You can configure your IP address there, and all hosts within the VLAN can communicate with the BVI interface.

In the case of your ASA 5506, originally it didn’t support L2 switchport interfaces. The only thing you could do was configure each interface as a routed interface. This was pretty silly: people were used to the 5505, which did support switchport interfaces, and now they had an 8-port 5506 that didn’t support them.

Nowadays, it supports switchport interfaces so you can configure all 8 ports as switchport interfaces, add them to a single VLAN, and use a BVI interface for the default gateway.

Hope this helps!

Rene

Thanks Rene for your reply.

I’m learning ASA and the configurations of how to set things up. I’m trying to set up my ASA 5510 to have a DMZ for the purpose of web servers. The problem I’m having is I’m routing, or trying to route, multiple VLANs that aren’t on the ASA but on my switch and being routed to the DMZ interface. Here is an idea of my layout; I’m not too sure if I have it set up correctly.

2810 Router
3560 Switch - vlans 10,20,30
10 Inside, 20 - Private, 30 DMZ
3 x servers, 2 of which are web servers that will need access to the internet and access from outside to the inside
ASA
ISP

The router has a default route pointing to the dmz interface on the ASA.
The ASA has a static route from the outside interface to the GW to get out to the internet.
ASA - NAT setup for inside to Outside and DMZ to Outside, dynamic PAT

The outside interface: should it be plugged from the modem directly into the ASA or into the switch? I’ve read 2 different ways and am not sure which is correct.

I’ve attached a rough network layout diagram representing some of my configurations as well as the questions I’ve asked.

ASA 
E0/1
nameif Inside
Security level 100
ip add 10.10.1.2 /27

E0/2
nameif DMZ
security level 50
ip add 10.30.1.2/27

E0/3
nameif Outside
security level 0
ip add 5.5.5.5/29

ip route outside 0.0.0.0 0.0.0.0 5.5.5.6
nat (inside,outside) dynamic pat
nat(dmz,outside) dynamic pat

RTR
Fa0/1.10
ip add 10.10.1.1 255.255.255.224

Fa0/1.20
ip add 10.20.1.1 255.255.255.224

fa0/0.30
ip add 10.30.1.1 255.255.255.224

ip route 10.10.1.0 255.255.255.224 10.30.1.2
ip route 10.20.1.0 255.255.255.224 10.30.1.2
ip route 10.30.1.0 255.255.255.224 10.30.1.2

SW
Fa0/1
switchport mode access
switchport access vlan 10
description SW-ASA-INSIDE10

Fa0/2
switchport mode access
switchport access vlan 20
description Private-VLAN20

Fa0/3
switchport mode access
switchport access vlan 30
description SW-ASA-DMZ30

Fa0/10-11
switchport mode access
switchport access vlan 30
description WEBSVR-DMZ

Fa0/24
description SW-ASA-ISP (Modem)

These are rough configurations that should give the basic idea of what’s going on. Only the inside VLAN is routing out; the DMZ traffic isn’t working to go to the outside.

Inside and Dmz
ACL
allow any any http
allow any any https
allow any any domain

Progress update as of tonight: I’m able to use multiple VLANs; however, something is very wrong, lots of collisions on the port for the outside interface on the SW. I’m routing the traffic on the router (any network) to the DMZ interface on the ASA; this is the only way it seems to work.
I’m trying to determine why I can route web server traffic to the DMZ and all the other VLANs to the inside interface on the ASA. Is this not an option, or an incorrect way of trying to do it?
I also want to limit another VLAN I’ve added, which is for the wireless network. I want to route it out to the internet but have no access to the other VLANs on the inside network.

Wireless VLAN is 12

So I’m trying to route things like this on the router

ip route 10.10.1.0 255.255.255.224 10.10.1.2 (this is the inside interface on the ASA)
ip route 10.20.1.0 255.255.255.224 10.10.1.2
ip route 10.10.100.0 255.255.255.0 10.30.1.2 (this is the DMZ interface on the ASA, and this is the subnet for the web servers)

instead this is the route that works

ip route 0.0.0.0 0.0.0.0 10.30.1.2
??? This has got me deeply confused.

Also, I have the outside interface plugged into the switch and the modem plugged into the switch to push traffic to the outside. Not sure if this is correct, as stated above??

Rene,

So what is the best practice here in a small network with hosts, web servers, router, switch, ASA 5510? Is it best to put sub-interfaces on the ASA, or for the switches to handle the VLANs and establish a static route, if I’m understanding all of this correctly? I have 3 servers with the potential to add a few more and about 25-40 hosts between private, wifi, and VPN users.

Hello Brandon

A typical configuration for an ASA firewall with a DMZ should conceptually look like this:

There should be three interfaces on the ASA, as you have done in your topology, where one is inside, one is outside, and one is DMZ. R1 and R3 simply represent a host on each of the inside and DMZ networks. You can replace those with a switch with multiple hosts to make it clearer. R2 in most cases would be the ISP router, or would be the network from which we want to “protect” our internal networks.

For your scenario, I understand that VLAN 30 is the DMZ, and VLANs 10 and 20 are the internal VLANs that you would like to provide Internet access to. Now in order to achieve this, VLAN 30 must use the DMZ interface of the ASA as the default gateway. Similarly, if you want VLANs 10 and 20 (two separate subnets) to reach the Internet as well, you will need to provide routing for those before they reach the inside interface of the ASA. That’s where the router comes in. So the logical network would look something like this.


In your scenario you are trying to route the VLAN 10, 20 and 30 subnets via the router, and then trying to send them all to the Inside interface via a router-on-a-stick scenario. Remember, the ASA itself is a router too and should be the default route or default gateway of the routers or hosts on the respective Inside and DMZ networks.

You must also add another VLAN to represent the inside network, since VLANs 10 and 20 are found in other subnets. Let’s call that VLAN 15. The inside interface of the ASA will be on VLAN 15.

So to achieve what you want, you must:

  1. Create a router-on-a-stick scenario for the router, but only for VLANs 10, 15 and 20. Make the router the default gateway of hosts on VLANs 10 and 20, and make the default route point to the IP address of the inside interface of the ASA. (If you use a Layer 3 switch, no router is necessary as the switch can internally route between VLANs/subnets.)
  2. Connect the Inside interface of the ASA to an access port on the switch that is on VLAN 15.
  3. Connect the DMZ interface of the ASA to an access port on the switch that is on VLAN 30.
  4. Create two routes in the ASA to be able to reach the subnets of VLAN 10 and VLAN 20 via the router’s subinterface on VLAN 15.

Now as for the connection to the Internet, you can either connect directly from the ASA to the ISP (which is recommended) or you can create one more VLAN in the switch which can be used only for this purpose.

Best practice dictates that you should relieve the ASA of doing any more routing than is necessary. Having the inside, outside, and DMZ interfaces function as routed interfaces should be the only function they perform. Although subinterfaces can be configured, it is best to avoid them unless absolutely necessary.

If additional routing beyond that of the default gateway for their particular networks is necessary, then you can use a router as in your scenario, or use an L3 switch.

I hope this has been helpful!

Laz

Laz,

Thank you so much for the great detailed explanation with a picture. This clears things up. My next objective is NAT. With the layout you describe here, it sounds like everything should be hitting the DMZ and then routed to the outside with NAT, so one IP should suffice. However, what method would I use if I wanted to segment my traffic onto 2 separate IPs going out, or would it truly be beneficial? I would think I would add an additional interface creating a 2nd DMZ and give it another IP. The catch is the 2 DMZs are on the same ASA pointing to the same outside interface, as well as using the same gateway to get out, so would this make a difference? What if I had another public IP I could use to help push the traffic over with NAT? I’m trying to think of ways of segmenting some of the traffic for performance.

Hello Brandon

If I understood correctly, you want to segment your internal networks, whether they are DMZ or inside networks, so that you can more appropriately manage traffic. Well, you can always create a second DMZ as you mention, by simply creating another subnet and configuring it on another port of the ASA.

But in general, you should do the segmentation of your internal networks using internal network devices such as switches and routers. Keep switching, routing, and segmentation separate from the firewall functionalities provided by the ASA. Keep the ASA configuration as simple as possible, keeping only one inside, one DMZ, and one outside interface whenever possible.

I hope this has been helpful!

Laz

Thanks Laz I will keep it simple.

Laz,

Please clarify here for VLAN 15 and the routing from the ASA to the router and outside. I don’t see VLAN 15 in the diagram, so I wanted to make sure I understood this correctly.

Router has 4 sub-interfaces:
Inside VLAN 15
Outside to ISP
DMZ VLAN 30
VLAN 20

The default routes from the router to the ASA should look like this:
ip route 192.168.3.0 255.255.255.0 192.168.15.2
ip route 192.168.2.0 255.255.255.0 192.168.15.2
ip route 192.168.1.0 255.255.255.0 192.168.15.2

The ASA would have a static route from outside to the GW:
route outside 5.5.5.5 5.5.5.6 (these are placeholder IPs for public)
Then route DMZ 0.0.0.0 0.0.0.0 192.168.15.1

Does this look right? Because I have put this into my devices and something is missing, because it’s not working. I have no connection to the outside from either VLAN 10 or 20.

Hello Brandon

In the suggested changes, I introduced VLAN 15 as the VLAN that is directly connected to the Inside interface of the firewall, as shown in the following diagram:

Now if you’re using your topology, where everything goes through the switch, then the router should have 3 subinterfaces. The outside to ISP should not be included as that is the responsibility of the ASA. Otherwise you are bypassing the ASA to get to the Internet, something that defeats the purpose of the firewall.

Now in the router, all you need is a default route that points to the inside interface of the ASA. That way all traffic to the internet and to the DMZ will go via the ASA.

The ASA should have a route to each of the subnets of VLAN 10 and VLAN 20 pointing to the IP address of the VLAN 15 subinterface on the Router. This way, traffic can be routed back to the devices that made the initial communication to the DMZ or the Internet. I believe this is what you are missing in your configuration.

Finally, the ASA should have a default route to the Internet.

I hope this has been helpful!

Laz

Laz,

I will review my configs again today. The diagram and explanation will help, as I thought I had done exactly what you’re suggesting in your latest post. However, I do have a question as to why it needs to be a default route. Will the static routes that I listed not work just the same? Maybe that’s the issue. My question is: what is so significant about a default route compared to one that is network specific?

ip route 0.0.0.0 0.0.0.0 10.15.1.2
Rather, I have
ip route 192.168.1.0 255.255.255.0 10.15.1.2

As an example for the 10 network why would that not be just as good ?

Laz or Rene,

This is really troublesome, as I’ve gone back and reconfigured my devices to see if I could get everything to work. I’ve now successfully got multiple VLANs running to the ASA and out to the internet. However, I have now managed to send all traffic out of the Inside to the outside rather than the web server traffic to the DMZ. So I’m not sure why or how, but the default route explains a lot of it, is my best evaluation from all of this. If I send traffic from the 10 network to the inside, this doesn’t work; if I route a default route, all traffic to the inside, everything works. As I explained in my example before with the routing, I have set up static routes from the ASA back to the router and set up a static route from the router to the ASA, but I’m not sure how or why it doesn’t work other than with a default route??

So now I need to determine how I can get the VLAN 28 web server network to route to the DMZ on VLAN 30 and send all the other vlans to the inside interface.

This is what I tried to use

Router
ip route 10.10.100.0 255.255.255.0 10.30.1.1
ASA
DMZ 10.10.100.0/24 10.30.1.2

Router
ip route 10.10.1.0 255.255.255.224 10.15.1.2
ip route 10.20.1.0 255.255.255.224 10.15.1.2
ASA
Inside 10.10.1.0/27 10.15.1.1
inside 10.20.1.0/27 10.15.1.1

Hello Brandon

The specific route will work just fine, there’s no rule that says you shouldn’t use it. However, the logic behind the default route is that this allows all VLANs (specifically 10 and 20) to reach the internet using the Inside interface of the ASA as the next hop. With your config, you’ll be able to reach the DMZ, but not the Internet. It really depends on what you want to achieve.

Now as for your issue of getting the VLAN 28 web server network to route to the DMZ, I believe that through the various posts we’ve written, I’ve lost the original topology that you are actually using. Can you restate the issue with all of your information (subnets, VLANs, etc.) so that we can take a closer look?

I hope this has been helpful!

Laz
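An added example (not code from the thread) that works through both points Laz makes above: a specific route on the router reaches the DMZ but has no match for Internet destinations, while a default route covers both, and without return routes on the ASA the reply to a VLAN 10 host falls to the ASA’s default route towards the ISP. It is plain Python with a longest-prefix-match lookup; the addresses follow Brandon’s posts (10.15.1.x between router and ASA, 5.5.5.x outside), while the /27 on VLAN 15, the Fa0/1.15 subinterface name and the 203.0.113.9 Internet address are assumptions.

```python
import ipaddress


def lpm(table, dst):
    """Longest-prefix match over a list of (prefix, out_iface, next_hop).

    next_hop None means the prefix is directly connected. Returns
    (out_iface, next_hop), or None when nothing matches (packet dropped).
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    return None if best is None else (best[1], best[2])


# Router with its connected VLANs (VLAN 15 mask and subinterface name assumed).
ROUTER_CONNECTED = [
    ("10.10.1.0/27", "Fa0/1.10", None),
    ("10.20.1.0/27", "Fa0/1.20", None),
    ("10.15.1.0/27", "Fa0/1.15", None),
]
# One specific route per remote subnet (here only the DMZ), as Brandon tried.
ROUTER_SPECIFIC = ROUTER_CONNECTED + [("10.30.1.0/27", "Fa0/1.15", "10.15.1.2")]
# Laz's advice: a single default route towards the ASA inside interface.
ROUTER_DEFAULT = ROUTER_CONNECTED + [("0.0.0.0/0", "Fa0/1.15", "10.15.1.2")]

# ASA without the return routes to VLAN 10/20 ...
ASA_MISSING = [
    ("10.15.1.0/27", "inside", None),
    ("10.30.1.0/27", "dmz", None),
    ("5.5.5.0/29", "outside", None),
    ("0.0.0.0/0", "outside", "5.5.5.6"),
]
# ... and with them pointing back at the router's VLAN 15 subinterface.
ASA_FIXED = ASA_MISSING + [
    ("10.10.1.0/27", "inside", "10.15.1.1"),
    ("10.20.1.0/27", "inside", "10.15.1.1"),
]


def round_trip(router, asa, host, server):
    """Hop the router picks for host->server, and hop the ASA picks for the reply."""
    return lpm(router, server), lpm(asa, host)


if __name__ == "__main__":
    # Specific route reaches the DMZ but has nowhere to send Internet traffic.
    print(round_trip(ROUTER_SPECIFIC, ASA_FIXED, "10.10.1.5", "10.30.1.10"))
    print(round_trip(ROUTER_SPECIFIC, ASA_FIXED, "10.10.1.5", "203.0.113.9"))
    # Default route covers both; without ASA return routes the reply leaks outside.
    print(round_trip(ROUTER_DEFAULT, ASA_MISSING, "10.10.1.5", "10.30.1.10"))
    print(round_trip(ROUTER_DEFAULT, ASA_FIXED, "10.10.1.5", "203.0.113.9"))
```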

Laz,

This is the diagram we were originally using, or ended up with. Since I have been able to get everything working in this diagram, I was trying to add another VLAN for the web server and VPN to the diagram, which is VLAN 28; it is going to be 2 different server IPs, maybe 3, hosting these services.
I think the right thing to do here is to push everything from the servers over the DMZ, since I want public access to the inside to the web server for file sharing, web hosting and VPN access. However, with the default route pushing everything to the VLAN 15 ASA interface, which is the inside, no traffic is being sent over the DMZ interface but instead all over the inside.

Hello Brandon

I’m still not clear as to where VLAN 28 will be on the diagram, but like I said before, you can use whatever routing gives you the results you need. The only reason I used a default route in the router is because based on this diagram, all destinations that are not in VLAN 10 or VLAN 20 must be routed via the connection to the firewall, since that is the only other path, to the DMZ, to the Internet, and to any other networks you may have. This results in correct routing with only a single command.

If however based on your topology with VLAN 28, you require additional routing commands, that is fine as well.

I hope this has been helpful!

Laz