Cisco ASA VLANs and Sub-Interfaces

Hello Irfan

Without knowing more about your topology, the first thing that comes to mind is that there may be an STP misconfiguration. It sounds like a L2 loop because you say that the “internet just drags” rather than it disconnects completely. I suggest you take a look at your STP configuration and L2 topology. It would also help if you share a little more about your particular topology so we can help further you in the troubleshooting process.

I hope this has been helpful!

Laz

Hi Laz,
I’ve attached the topology and I can also send the configs for the ASA and the SW; hope this helps.
Thanks,
Irfan

Hello Irfan

The topology looks fine at first glance. A few comments:

  • The G0/0 interface of the ASA should be configured with subinterfaces and the appropriate encapsulation and VLAN designation for each subinterface
  • The G0/2 interface of the L3-SW should be configured as a trunk
  • The L3-SW doesn’t need the IP addresses as it should be functioning only at Layer 2. In order for this topology to work the L3-SW device should not be routing any of this traffic.
  • The default gateway of the PCs must be the corresponding subinterface of the ASA.

When you say you shut down the VLANs, where are you doing this, at the ASA subinterfaces or at the L3-SW trunk interface? I have a feeling that this has to do with the role of the L3-SW device, but I’m not sure… I trust some of this has helped you to investigate further. Let us know how you get along…

I hope this has been helpful!

Laz
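Added here as an illustration of those four points in configuration form (this is not Laz’s or Irfan’s own config; VLANs 2 and 3, the 192.168.2.0/24 and 192.168.3.0/24 subnets, the interface names and security levels are all assumptions, with ASA G0/0 and switch G0/2 as in the thread):

```cisco
! ----- ASA: G0/0 carries a dot1q trunk, one subinterface per VLAN -----
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Subinterface address = default gateway of the PCs in that VLAN
interface GigabitEthernet0/0.2
 vlan 2
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/0.3
 vlan 3
 nameif guest
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! ----- L3 switch used purely as a Layer 2 switch -----
! No addressed SVIs and no routing: every VLAN-to-VLAN packet has to
! cross the ASA, so the ASA policy is what separates VLAN 2 from VLAN 3.
no ip routing
!
vlan 2
 name USERS
vlan 3
 name GUEST
!
interface GigabitEthernet0/2
 description Trunk to ASA G0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3
 switchport nonegotiate
!
interface GigabitEthernet0/1
 description PC in VLAN 2
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
```

`switchport trunk encapsulation dot1q` is only accepted on platforms that still offer ISL; `show interfaces trunk` on the switch and `show interface ip brief` on the ASA confirm that both ends carry the same VLAN tags.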

Lazaros,

I want to create two DMZs in a firewall, one catering for web traffic coming from the Internet and the other for non-web traffic, also coming from outside.
Please let me know what constructs I need to build in the firewall to filter these two different traffic types onto two different DMZs.

I’ll try that out.

Thanks so much.


Hello Surendra

You can create multiple DMZs in your firewall without a problem. Some thoughts to keep in mind include:

  1. Configuring security levels - Do you want the DMZs to be able to communicate? If so in which direction? You can configure your security levels according to the kind of communication (if any) you will want from your DMZs. If you want full communication, you can simply keep them at the same security level. If you don’t want any communication, you can keep them at the same security level, and use access lists to restrict traffic between them.
  2. Addressing - Are the servers in your DMZs going to have public addresses? If so, this will make your routing easier and will avoid the complications of NAT. If not, you will have to use some criteria (such as HTTP and HTTPS port usage) to direct traffic accordingly, using NAT.

I hope this has been helpful!

Laz
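An added example of point 1 in ASA syntax (not from the original post; the interface names, security levels, subnets and the single permitted service between the DMZs are assumptions):

```cisco
! Two DMZ interfaces at the same security level
interface GigabitEthernet0/1
 nameif dmz-web
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz-nonweb
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! Equal security levels alone do not pass traffic between two interfaces;
! the ASA drops it unless this global command is present. Leave it out if
! the two DMZs must stay isolated from each other.
same-security-traffic permit inter-interface
!
! Inbound policy on dmz-web. Once an access-group is applied, only what the
! ACL permits gets in from that interface (implicit deny at the end). The
! web DMZ may reach one assumed database host in the other DMZ and HTTP/HTTPS
! on the Internet; the inside network (assumed 192.168.0.0/16) is blocked.
access-list DMZ_WEB_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.2.10 eq 5432
access-list DMZ_WEB_IN extended deny ip any 10.1.2.0 255.255.255.0
access-list DMZ_WEB_IN extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ_WEB_IN extended permit tcp any any eq 80
access-list DMZ_WEB_IN extended permit tcp any any eq 443
access-group DMZ_WEB_IN in interface dmz-web
```

`packet-tracer input dmz-web tcp 10.1.1.10 40000 10.1.2.10 5432` shows which ACL line a flow hits, and `show access-list DMZ_WEB_IN` shows the hit counts.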

Hi Laz,
The above solution worked flawlessly. I do have a different scenario that I’m struggling with.
Let’s take the same topology:

LAN (2 VLANs) -> SW -> ASA -> Internet.

So when the switch is doing Layer 2 and just trunking and the default gateway is the ASA, everything works fine, but what if the switch is Layer 3 and the default route for the PCs is the switch and then the default route for the switch is the ASA? Is that doable…

Thanks…

Hello Irfan

Sure, you can set that up. If that is the case, then you will have to make sure that all routing information is updated. What I mean is that both the switch and the ASA are aware of how to route packets destined for all destinations. Here’s your topology again for reference:


Now according to what you described in your post, you want the Gi0/2 interface of the switch to be an access port that belongs to another VLAN, say VLAN10, and the link between the switch and the ASA to have a different subnet, say 192.168.10.0/24. Also, the Gi0/0 interface of the ASA should not have subinterfaces but will be configured with a single address within the subnet 192.168.10.0/24. You will also have to create an SVI on the switch for VLAN 10 to act as the next hop for communication between the ASA and the switch.

In this scenario, it’s not enough for the PCs to simply know their default gateway, and for the switch to know its default route. You must ensure that the ASA also knows how to reach the VLAN2 and VLAN3 subnets. This means you must add routes to the ASA that indicate that 192.168.1.0/24 and 192.168.2.0/24 can be reached with the SVI interface of VLAN 10 as the next hop. Once that is done, routing should function on the topology.

I hope this has been helpful!

Laz
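An added configuration example of the routed-switch variant described above (not Laz’s or Irfan’s own config). It uses the values from the post, VLAN 10 and 192.168.10.0/24 for the transit link and 192.168.1.0/24 and 192.168.2.0/24 for VLANs 2 and 3; the host addresses, interface name and the sample ACL are assumptions:

```cisco
! ----- L3 switch: routes the LAN VLANs, default route toward the ASA -----
ip routing
!
vlan 2
vlan 3
vlan 10
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan10
 description Transit subnet to the ASA
 ip address 192.168.10.2 255.255.255.0
!
interface GigabitEthernet0/2
 description Access port toward ASA G0/0
 switchport mode access
 switchport access vlan 10
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
! VLAN 2 <-> VLAN 3 traffic is now routed by the switch and never reaches
! the ASA. If the two VLANs must stay separated, the policy has to live on
! the switch, for example an ACL on the VLAN 3 SVI:
ip access-list extended VLAN3_IN
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
interface Vlan3
 ip access-group VLAN3_IN in
!
! ----- ASA: one address on G0/0, plus return routes for the LAN subnets -----
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
route inside 192.168.1.0 255.255.255.0 192.168.10.2
route inside 192.168.2.0 255.255.255.0 192.168.10.2
```

`show ip route` on the switch and `show route` on the ASA should each list the other side as next hop; without the two `route inside` lines the ASA has no path back to the PCs and replies are dropped.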

Hi Laz,
Yeah, I think I got it. So basically the interface between the SW (g0/2) and the ASA (g0/0) should be on an entirely different subnet, 192.168.10.0/24 for instance, and the LAN traffic is already on 192.168.2.0 and 192.168.3.0, so the LAN traffic is pointing to the SW for its gateway and the SW is pointing to the ASA g0/0 for its default route, and then in turn there are static routes on the ASA pointing back to the LAN subnets.

I hope I explained it correctly…

Irfan

Hello Irfan

Yes, you got it completely! Now to solidify this knowledge, the best thing is to actually apply it, lab it up, and see it in action.

I hope this has been helpful!

Laz


Hello Rene,
We currently have a Gateprotect firewall which is no longer in production and we are thinking of changing it.
Within our structure we have 4 DMZs and each DMZ has its own associated public IP. I’m thinking of replacing the FW with an ASA or NGFW model.
I would like to ask you how it is possible to create 4 rules so that each different public IP points to a different private IP.
Consider that we have a public /29:
PUBLIC IP x.x.x.x 192.168.46.100 MAILSERVER
PUBLIC IP y.y.y.y 192.168.40.100 CRM
PUBLIC IP z.z.z.z 192.168.30.100 HTTPSERVER
PUBLIC IP d.d.d.d 192.168.20.100 DNS SERVER

Thanks

Hello Valerio

You can achieve this using a configuration similar to the one found in the following lesson:

In this lesson, NAT is configured to allow an outside host to access a server on the DMZ. For your situation, you simply have to recreate this configuration four times, once for each DMZ.

I hope this has been helpful!

Laz
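Added here as an example of that configuration in ASA 8.3+ syntax for two of the four servers (the other two follow the same pattern); it is not the lesson’s or Valerio’s config. The public addresses are constructed placeholders from the 203.0.113.0/29 documentation range, and the DMZ interface names are assumptions:

```cisco
! Static NAT: one public address per server, defined on the network object
object network MAILSERVER
 host 192.168.46.100
 nat (dmz-mail,outside) static 203.0.113.2
!
object network HTTPSERVER
 host 192.168.30.100
 nat (dmz-web,outside) static 203.0.113.4
!
! Inbound policy on the outside interface. On 8.3+ the ACL refers to the
! real (private) address via the object, not to the public address, and it
! opens only the ports each service needs; everything else hits the
! implicit deny at the end of the list.
access-list OUTSIDE_IN extended permit tcp any object MAILSERVER eq 25
access-list OUTSIDE_IN extended permit tcp any object HTTPSERVER eq 80
access-list OUTSIDE_IN extended permit tcp any object HTTPSERVER eq 443
access-group OUTSIDE_IN in interface outside
```

`show nat detail` lists the four translations with hit counts, and `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.2 25` walks a test packet through NAT and the ACL so you can confirm a mapping before exposing it.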