ASA trunking with guest vlan

Written by Administrator
Friday, 09 March 2007
ASA configuration with vlan trunking
This configuration snippet shows how to set up 802.1q trunking to an ASA. In this scenario we have a 5510 with 3 physical interfaces. We want to provide a guest vlan that customers can use to access the Internet only, but the 3rd physical interface is already in use for a DMZ, so the DMZ and guest segments share that interface as tagged vlans.
# This configuration was taken from an ASA 5510 running 7.2(1) with default security assignments of 0 on the outside and 100
# on the inside. The dmz was given a security assignment of 50 and the guest segment was given a security assignment of 10.
# The 3 physical interfaces are Ethernet0/0, Ethernet0/1 and Ethernet0/2. Ethernet0/2 is where the vlan trunking will occur.
# When the trunking is performed the native vlan on the trunk needs to be something other than a vlan that is currently in use:
# the physical Ethernet0/2 has no nameif or IP address, so the ASA only processes tagged frames for its subinterfaces.
# In this example we are trunking vlan 10 and vlan 99. The native vlan is set on the switch to something other than vlan 10 or 99.
# To set this up on the ASA you need to create subinterfaces associated to the vlan number. So for vlan 10 we use interface
# Ethernet0/2.10 and then under that interface we define that it is in vlan 10. Now make sure that the switch port that physical
# Ethernet0/2 is connected to is set up to do 802.1q trunking with these vlans.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.10
 vlan 10
 nameif guests
 security-level 10
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2.99
 vlan 99
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
# Access lists for the outside and dmz interfaces have been omitted from this example.
# When going from a higher-security interface to a lower-security interface a nat and global command are used.
# Any address on the 10.1.1.0/24 inside network going to the outside will use PAT, translating the source IP
# to the IP address that is configured on the outside interface above. In this case we also want to allow anything
# from the guest segment to access the Internet, so we add one more nat statement for the guests interface.
# With the security levels above, the ASA by default lets guests (10) initiate connections only towards outside (0);
# guests cannot reach dmz (50) or inside (100) unless an access list applied to the guests interface permits it,
# while inside and dmz can initiate connections towards the guest segment.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (guests) 1 192.168.100.0 255.255.255.0
# Finally, for reference, a default route is defined to the Internet.
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
# Default configuration lines have been omitted.
Corresponding switch configuration for trunking to ASA
This configuration shows the switchport configuration for the port that is physically connected to the ASA's Ethernet0/2 interface.
# On this interface we need to turn on trunking using 802.1q. We then define the vlans we need to trunk, in this case 10 and 99.
# The allowed list must include every vlan used by an ASA subinterface; a vlan left out of it is dropped at the switch port.
# The trunk native vlan by default is vlan 1. If vlan 1 needed to be used on the ASA, we would have to set the native vlan
# to something else with an additional statement of switchport trunk native vlan xx.
#
# This snippet was taken from a 3750 running 12.2.25 IOS.
interface FastEthernet1/0/1
 description ASA 5510 Ethernet0/2 - DMZ and Guests Vlans trunked
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,99
 switchport mode trunk
 no ip address
 no mdix auto
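As an added example (not part of the original article), the following Python check parses an ASA interface snippet and a switch trunk port snippet and reports the two mismatches this design is prone to: an ASA subinterface vlan missing from the switch's allowed list, or an ASA vlan that is also the trunk's native vlan. The config text it parses is constructed for the example; only the plain `switchport trunk allowed vlan <list>` form is handled, not the `add`/`remove` variants.

```python
import re
# Constructed sample configs mirroring the article's scenario (not captured from live devices).
ASA_CONFIG = """\
interface Ethernet0/2.10
 vlan 10
 nameif guests
interface Ethernet0/2.99
 vlan 99
 nameif dmz
"""
SWITCH_CONFIG = """\
interface FastEthernet1/0/1
 switchport trunk allowed vlan 10,98
 switchport mode trunk
"""
def asa_subinterface_vlans(config):
    """Map each ASA subinterface's 802.1q vlan id to its nameif."""
    vlans, vlan = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            vlan = None                      # new interface stanza
        elif (m := re.match(r"\s+vlan (\d+)$", line)):
            vlan = int(m.group(1))
        elif (m := re.match(r"\s+nameif (\S+)", line)) and vlan is not None:
            vlans[vlan] = m.group(1)
    return vlans
def expand_vlan_list(spec):                  # IOS list syntax: '10,20-22,99' -> {10,20,21,22,99}
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out
def switch_trunk(config):                    # returns (allowed vlan set or None for all, native vlan)
    allowed, native = None, 1                # IOS defaults: all vlans allowed, native vlan 1
    for line in config.splitlines():
        if (m := re.match(r"\s+switchport trunk allowed vlan (\d[\d,-]*)$", line)):
            allowed = expand_vlan_list(m.group(1))
        elif (m := re.match(r"\s+switchport trunk native vlan (\d+)$", line)):
            native = int(m.group(1))
    return allowed, native
def check_trunk(asa_config, switch_config):  # list of findings; empty means the two sides agree
    allowed, native = switch_trunk(switch_config)
    findings = []
    for vlan, name in sorted(asa_subinterface_vlans(asa_config).items()):
        if allowed is not None and vlan not in allowed:
            findings.append(f"vlan {vlan} ({name}) is not in the trunk allowed list")
        if vlan == native:
            findings.append(f"vlan {vlan} ({name}) is the trunk native vlan, so it arrives untagged")
    return findings
```

Running `check_trunk(ASA_CONFIG, SWITCH_CONFIG)` flags the dmz vlan, since the sample switch port allows 10 and 98 while the ASA uses 99.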