ASA 5510 DHCP with subinterface and Vlan

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • ASA 5510 DHCP with subinterface and Vlan

    Hi,

    I am planning to set up a network which involves a Cisco ASA 5510 as the firewall, DHCP server and layer 3 router, with sub-interfaces to support VLANs. There will be 3 Cisco 2960 access switches which connect multiple stations within the corresponding VLANs. Each 2960 switch will be connected to the core switch, which is also a 2960S-48, which in turn connects to the ASA firewall.
    The main criterion is to isolate machines and disable communication between VLANs within a switch as well as across the VLANs set up on the other access switches. However, they all should be able to use the ASA 5510 as their gateway and reach the internet via NAT. Also, what would be the IP and gateway of access SW1, 2 and 3 in this case, and the NAT setup on the firewall? I will appreciate any kind of input and config suggestions to meet the desired criteria. Here is my proposed setup:

    Cisco ASA 5510: no IP address on the physical interface, enable sub-interfaces per VLAN, enable 802.1q encapsulation, trunk with core switch 2960-48. For example:
    interface Ethernet0/1
    no nameif
    security-level 100
    no ip address
    !
    interface Ethernet0/1.1
    vlan 10
    nameif Test1
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    !
    interface Ethernet0/1.20
    vlan 20
    nameif Test2
    security-level 100
    ip address 192.168.20.1 255.255.255.0

    interface Ethernet0/1.30
    vlan 30
    nameif Test3
    security-level 100
    ip address 192.168.30.1 255.255.255.0

    Access Switch1 2960: There will be 3 VLANs per switch and each VLAN will have 5 stations connected. So, for example, Switch1 will have access ports 1-5 for VLAN 10, access ports 6-10 for VLAN 20 and access ports 11-15 for VLAN 30. Switch1 port 24 will trunk to core switch port 40.

    Access Switch2 2960: Same as above with Vlan 40, Vlan50, VLan 60 and port 24 trunked with core switch port 41

    Access Switch3 will follow the same trend as above.

    Thanks in advance..!

  • #2
    Re: ASA 5510 DHCP with subinterface and Vlan

    With all your VLAN sub-interfaces on the ASA at the same security level, your goal of filtering between them is accomplished, as same-security interfaces on the ASA are not allowed to communicate with each other by default.

    NAT setup on the ASA will be determined by the version of code you're running, as between 8.? and 8.3 there were major NAT changes.

    If all your switches are layer 2 only, then there should be only one IP address on them, belonging to your management VLAN, for management access. The default gateway would be whatever VLAN you are using for management.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: ASA 5510 DHCP with subinterface and Vlan

      Thanks for the reply..!

      As you mentioned the difference between 8.x and 8.3, I noticed that 8.3 requires network group objects in NAT. I'm not sure about how to set up the <any> IP address of my inside network in NAT. Is it possible to get a sample NAT config for my network per 8.3?

      Yes, all layer 2 switches, and they will be kept in the same management VLAN. I am assuming that I will also need to create a sub-interface on the ASA for the management VLAN of the switches?

      Since there is no IP setup on the E0 physical interface on the ASA due to the sub-interfaces, what would be my management IP for the ASA to SSH or ASDM from inside that network?

      Thanks.


      • #4
        Re: ASA 5510 DHCP with subinterface and Vlan

        I suggest looking at the configuration guide for your ASA and code version. The new or old nat syntax is very well documented. I believe the 5510 does have a dedicated management interface as well.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)


        • #5
          Re: ASA 5510 DHCP with subinterface and Vlan

          Thanks..
          Any suggestions on Spanning Tree Protocol config? Which one would be appropriate for this scenario?


          • #6
            Re: ASA 5510 DHCP with subinterface and Vlan

            If your device supports it then rapid pvst is the way to go. If not then pvst.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)


            • #7
              Re: ASA 5510 DHCP with subinterface and Vlan

              As per 8.3/8.4 I need to create a network object for NAT. Here is my NAT example which allows all the internal VLANs to be NAT/PAT'd on the ASA outside interface (configured with the WAN IP) and go online.

              object network internal-0.0.0.0
              subnet 0.0.0.0 0.0.0.0
              nat (inside,outside) dynamic outside

              I have to put no ip address and no nameif on the ASA internal interface in order to create multiple sub-interfaces for the VLANs there. I am wondering how I replace the "inside" in the above NAT statement? Or, to make NAT work, if I enable nameif inside, would it cause any issue with my sub-interface settings?

              thanks for all help..!


              • #8
                Re: ASA 5510 DHCP with subinterface and Vlan

                object network internal-0.0.0.0
                subnet 0.0.0.0 0.0.0.0
                nat (inside,outside) dynamic outside
                Just replace the "inside" keyword with the nameif of the sub-interface, or use the "any" keyword. You can also substitute the "outside" keyword after dynamic with "interface", as in the auto NAT config you specify the outgoing interface in parentheses.

                The nameif, VLAN assignment and IP go on the sub-interfaces and not the main interface.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)
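The following is an added example of the ASA side of the design discussed in the opening post, in post #2 (same-security isolation) and in post #8 (post-8.3 auto NAT). It is not config from the thread or from Cisco; it only reuses the sub-interface names and addresses the original poster gave. Everything else is an assumption: Ethernet0/0 as the outside interface with a placeholder WAN address (203.0.113.2), VLAN 99 as the switch management VLAN, the DHCP pool ranges, the DNS server address (203.0.113.53) and the object name inside-any.

```cisco
! Outside interface (interface name and WAN address are assumptions)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! The physical inside interface only carries the 802.1q trunk:
! no nameif, no security level, no IP address
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif Test1
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif Test2
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1.30
 vlan 30
 nameif Test3
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
! Management VLAN for the switches (VLAN 99 is an assumption)
interface Ethernet0/1.99
 vlan 99
 nameif mgmt
 security-level 100
 ip address 192.168.99.1 255.255.255.0
!
! Isolation between VLANs relies on the default: with every sub-interface
! at security-level 100 the ASA does not pass traffic between them.
! Do NOT add "same-security-traffic permit inter-interface".
!
! DHCP server on each VLAN sub-interface; the ASA hands out its own
! sub-interface address as the default gateway. Pools and DNS server
! are assumptions.
dhcpd dns 203.0.113.53
dhcpd address 192.168.10.10-192.168.10.100 Test1
dhcpd enable Test1
dhcpd address 192.168.20.10-192.168.20.100 Test2
dhcpd enable Test2
dhcpd address 192.168.30.10-192.168.30.100 Test3
dhcpd enable Test3
!
! Post-8.3 auto (object) NAT: PAT all inside VLANs behind the outside
! interface address. "any" as the source interface covers every
! sub-interface, as suggested in post #8.
object network inside-any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
!
! Management of the ASA itself (SSH/ASDM) only from the management VLAN
ssh 192.168.99.0 255.255.255.0 mgmt
http server enable
http 192.168.99.0 255.255.255.0 mgmt
```

The sub-interface numbers here match the VLAN IDs purely for readability; the ASA does not require that. Before SSH works the ASA also needs an RSA key pair and an authentication method (for example a local user), which are omitted above. Extending the layout to VLANs 40-60 on the second access switch is just three more sub-interface and DHCP stanzas following the same pattern.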


                • #9
                  Re: ASA 5510 DHCP with subinterface and Vlan

                  Thanks a lot again..!

                  I will use "any" instead of the sub-interface nameif because I've got multiple sub-interfaces. I will get a chance to test my settings early next week and update the post accordingly.


                  • #10
                    Re: ASA 5510 DHCP with subinterface and Vlan

                    In order to connect and make config changes (VLANs etc.) to 2960 switches located in remote sites behind the ASA, what would be the most appropriate and secure way?

                    Can I VPN in to ASA and then SSH to switches? or temporarily enabling PAT?

                    thanks..


                    • #11
                      Re: ASA 5510 DHCP with subinterface and Vlan

                      I would setup vpn and then ssh to your devices.
                      CCNA, CCNA-Security, CCNP
                      CCIE Security (In Progress)


                      • #12
                        Re: ASA 5510 DHCP with subinterface and Vlan

                        Seems like I'm having some trunking issue. As mentioned, I've got 3 access switches, each with different VLANs and one trunk port on each access switch connecting to the core switch. On the core switch a range of trunk ports is defined for the access switches, and then one more trunk is defined connected to the ASA e0, which has all the sub-interfaces and DHCP.
                        BTW, the e0 on the ASA is also enabled and carries VLAN 1. There is also one separate VLAN defined on the core switch, obviously with ports in access mode. I'm able to get DHCP on the VLAN in the core switch, but the access switches don't get DHCP on any VLAN. Now, when I connect the trunk port of an access switch directly to the ASA e0 interface, I immediately get DHCP on all VLANs on that switch. This confirms my trunking on the access switch and the sub-interfaces on the ASA are configured fine. On the core switch there is no trunk allowed-VLAN restriction either. What needs to be updated to make it work?

                        thanks


                        • #13
                          Re: ASA 5510 DHCP with subinterface and Vlan

                          Are there any layer 3 interfaces configured on the core switch (i.e. are there SVIs for your VLANs on the core switch)? Remember DHCP uses broadcast by default, and broadcasts are not forwarded over routed interfaces.
                          CCNA, CCNA-Security, CCNP
                          CCIE Security (In Progress)


                          • #14
                            Re: ASA 5510 DHCP with subinterface and Vlan

                            Thanks for reply..
                            Both the access and core switches are L2 switches (2960) and the trunk ports are simply configured with 'switchport mode trunk'. I am wondering if I need to define all the access switch VLAN IDs on the core switch as well, to pass the VLAN info on to the ASA?


                            • #15
                              Re: ASA 5510 DHCP with subinterface and Vlan

                              The ASA will need a corresponding sub-interface for all VLANs in your network, since it is doing the inter-VLAN routing. Also, the ASA does not do VTP, so it can't learn the VLANs from the core switch.

                              VTP could be used to learn vlans between your access layer switches and your core.
                              CCNA, CCNA-Security, CCNP
                              CCIE Security (In Progress)
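As an added example of the switch side of this thread (the access-port layout from the opening post, the management address and gateway from post #2, rapid PVST from post #6, and the trunking problem of posts #12 to #15), here is a layer 2 config for one access switch and for the core. It is not config from the thread or from Cisco. A Catalyst trunk only forwards VLANs that exist in the switch's own VLAN database, so the core must have every access-switch VLAN defined (or learn it via VTP) before it will carry it towards the ASA; that is the point the last posts turn on. Assumptions: hostnames, VLAN 99 as the management VLAN with the ASA at 192.168.99.1, VLAN 999 as an unused native VLAN, the core using Gi0/48 towards the ASA, and VTP turned off in favour of explicit VLAN definitions.

```cisco
! ---- Access switch 1 (2960): VLANs 10/20/30, uplink on port 24 ----
hostname ASW1
!
! Rapid PVST+ as recommended in post #6; run the same mode on the core
spanning-tree mode rapid-pvst
!
! VTP off: each switch's VLAN database is defined explicitly below
! (VTP between access and core is the alternative mentioned in post #15)
vtp mode transparent
!
vlan 10
 name Test1
vlan 20
 name Test2
vlan 30
 name Test3
vlan 99
 name MGMT
vlan 999
 name UNUSED-NATIVE
!
interface range FastEthernet0/1 - 5
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface range FastEthernet0/6 - 10
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface range FastEthernet0/11 - 15
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Uplink to the core: carry only this switch's VLANs plus management,
! keep user traffic off the native VLAN, and disable DTP negotiation
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
 switchport nonegotiate
!
! The one management address (post #2); gateway is the ASA's
! VLAN 99 sub-interface
interface Vlan99
 ip address 192.168.99.11 255.255.255.0
 no shutdown
ip default-gateway 192.168.99.1
!
! ---- Core switch (2960S-48), layer 2 only: no SVIs for user VLANs ----
hostname CORE
spanning-tree mode rapid-pvst
vtp mode transparent
!
! Every VLAN any access switch carries must exist here, otherwise the
! core's trunks silently drop it and DHCP never reaches the ASA.
! 40/50/60 are access switch 2 from the thread; add switch 3's VLANs too.
vlan 10,20,30,40,50,60,99,999
!
! Trunks to the access switches (ports 40 and 41 in the thread)
interface range GigabitEthernet0/40 - 42
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
! Trunk to the ASA Ethernet0/1 (port 48 is an assumption)
interface GigabitEthernet0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40,50,60,99
 switchport nonegotiate
!
interface Vlan99
 ip address 192.168.99.10 255.255.255.0
 no shutdown
ip default-gateway 192.168.99.1
```

Because both switches are layer 2, the only IP they hold is the VLAN 99 SVI, and DHCP broadcasts from the user VLANs stay inside their VLAN all the way to the ASA sub-interface, which is why no SVIs or DHCP relay are configured. A quick check after applying this is `show interfaces trunk` on the core: each user VLAN should appear under "Vlans in spanning tree forwarding state and not pruned" on the trunk towards the ASA; if it is missing there, it is not in the core's VLAN database.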
