Kings, simplified answer is:

*same-security-traffic permit inter-interface*
This is to allow traffic between 2 separate interfaces with the same security level.

*same-security-traffic permit intra-interface*
This is to allow traffic in and out the same interface - typically used for VPN (hairpinning) etc.

Stu

2009/9/9 Kingsley Charles <[email protected]>

> Final clarification...
>
> For the inter-vlan routing across the sub-interfaces, if all the
> sub-interfaces have the same security level, which of the following should
> be configured?
>
> *same-security-traffic permit inter-interface*
>
> or
>
> *same-security-traffic permit intra-interface*
>
> With regards
> Kings
>
> On Wed, Sep 9, 2009 at 1:04 PM, Kingsley Charles <[email protected]> wrote:
>
>> Yes, I have the L3 vlans configured :-)
>>
>> It is working for me now. I cleared the startup configuration and did it
>> from scratch. Everything went fine as expected.
>>
>> Thanks to all for your inputs.
>>
>> Great discussion and I am really enjoying the technical response and
>> ambiance here :-)
>>
>> With regards
>> Kings
>>
>> On Wed, Sep 9, 2009 at 12:18 AM, gbibit <[email protected]> wrote:
>>
>>> Hi Kingsley, have you verified if your L3 vlan interfaces are up and
>>> up?
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
>>> *Sent:* Tuesday, September 08, 2009 8:48 AM
>>> *To:* Tyson Scott
>>> *Cc:* [email protected]
>>> *Subject:* Re: [OSL | CCIE_Security] ASA support of trunking
>>>
>>> Hi Tyson
>>>
>>> I agree, this is a basic configuration. I have configured it more than 6
>>> - 7 times but something is blocking.
>>>
>>> Just wanted to see if anyone had hit this issue.
>>>
>>> It's very simple but wanted to get everyone's input on this as I have
>>> spent more than 2 days to get it right.
>>>
>>> I suspect that the issue is on 1841 only.
>>>
>>> *On the hosts in each vlan of a different subnet, what will be the default
>>> gateway IP address? It will be the IP address of the sub-interface on the
>>> ASA corresponding to the vlan, right?*
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Sep 8, 2009 at 8:05 PM, Tyson Scott <[email protected]> wrote:
>>>
>>> Kingsley,
>>>
>>> There is nothing wrong with the topology but you still haven't explained
>>> your configuration.
>>>
>>> So here is an example of how the configuration should look. If there are
>>> typos understand this is all from the top of my head.
>>>
>>> This is a very basic configuration as it is just to show you how it will
>>> work.
>>>
>>> So 1841 Layer2 Switch that you want
>>>
>>> vlan 3
>>> vlan 6
>>> ! one access port per host VLAN
>>> interface Fa0/0/0
>>>  description Host-A
>>>  switchport
>>>  switchport mode access
>>>  switchport access vlan 3
>>> interface Fa0/0/1
>>>  description Host-B
>>>  switchport
>>>  switchport mode access
>>>  switchport access vlan 6
>>> ! 802.1q trunk carrying both VLANs to the ASA
>>> interface Fa0/0/2
>>>  description ASA
>>>  switchport
>>>  switchport trunk encapsulation dot1q
>>>  switchport mode trunk
>>>
>>> ASA
>>>
>>> interface Gig0/0
>>>  no shutdown
>>>  ip address 24.1.1.1 255.255.255.0
>>>  nameif outside
>>>  security-level 0
>>> ! physical trunk interface carries no IP itself; each VLAN gets a sub-interface,
>>> ! and that sub-interface IP is the default gateway for hosts in the VLAN
>>> interface Gig0/1
>>>  no shutdown
>>> interface Gig0/1.3
>>>  vlan 3
>>>  ip address 10.3.3.1 255.255.255.0
>>>  nameif inside
>>>  security-level 100
>>> interface Gig0/1.6
>>>  vlan 6
>>>  ip address 10.6.6.1 255.255.255.0
>>>  nameif DMZ6
>>>  security-level 90
>>> !
>>> no nat-control
>>> !
>>> ! DMZ6 (90) to inside (100) and outside (0) to anything are low-to-high,
>>> ! so they need an inbound ACL; inside to DMZ6/outside is allowed by default
>>> access-list DMZ6 permit ip any any
>>> access-group DMZ6 in interface DMZ6
>>> access-list OUT permit ip any any
>>> access-group OUT in interface outside
>>> !
>>> route outside 0.0.0.0 0.0.0.0 24.1.1.2
>>>
>>> Router on outside
>>>
>>> ip route 10.0.0.0 255.0.0.0 24.1.1.1
>>>
>>> If you have NAT and other things throw it in but that is the basic
>>> configuration
>>>
>>> Regards,
>>>
>>> Tyson Scott - CCIE #13513 R&S and Security
>>> Technical Instructor - IPexpert, Inc.
>>>
>>> Telephone: +1.810.326.1444
>>> Cell: +1.248.504.7309
>>> Fax: +1.810.454.0130
>>> Mailto: [email protected]
>>>
>>> Join our free online support and peer group communities:
>>> http://www.IPexpert.com/communities
>>>
>>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
>>> Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab,
>>> CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE
>>> Storage Lab Certifications.
>>>
>>> *From:* Kingsley Charles [mailto:[email protected]]
>>> *Sent:* Tuesday, September 08, 2009 10:20 AM
>>> *To:* Tyson Scott
>>> *Cc:* Stuart Hare; [email protected]
>>> *Subject:* Re: [OSL | CCIE_Security] ASA support of trunking
>>>
>>> Hi
>>>
>>> I was not referring to the L2 interfaces of ASA 5505. I was referring to
>>> the L2 interfaces that I have in 1841.
>>>
>>> Let me explain what I am trying to do with ASA 5520.
>>>
>>> I wanted to work on the 802.1q trunk support in ASA using the
>>> sub-interfaces. For this I need a switch. But I don't have a switch. So I am
>>> using an 1841 with 4 L2 ports (switch module). F0/0/0, F0/0/1, F0/0/2 and
>>> F0/0/3 will be the four L2 ports of 1841. Additionally I will have F0/0
>>> and F0/1 which are L3 ports which I will not be using.
>>>
>>> I configure F0/0/0 in vlan 6 and F0/0/1 in vlan 3.
>>>
>>> I connect PC A to F0/0/0 L2 port of the 1841 which is in vlan 6.
>>>
>>> I connect another PC B to F0/0/1 L2 port of the 1841 which is in vlan 3.
>>>
>>> I configure F0/0/2 as a trunk and connect to the G0/1 of the ASA. I have
>>> configured two sub-interfaces for vlan 3 and 6.
>>>
>>> I connect G0/0 (outside intf) to a Router "Internet".
>>>
>>> Here I am trying to establish connectivity from PC A or PC B to Router
>>> "Internet" through the ASA.
>>>
>>> Also I am trying to check the connectivity between PC A and PC B, to see if
>>> the ASA can do inter-vlan routing of vlan 3 and 6.
>>>
>>> This is a typical deployment where I have two vlans in the LAN. The
>>> switch will be configured to support two vlans. To support vlans,
>>> sub-interfaces are created on the ASA. The ASA will be connected to the
>>> internet.
>>>
>>> With this deployment there should be inter-vlan routing between the two
>>> vlans and the hosts in two vlans should be able to connect to the internet.
>>>
>>> The topology that I have used:
>>>
>>> PC A ------- vlan 3 ----------- F0/0/0 \
>>>                                         1841 F0/0/2 ------ Trunk ------ G0/1 ASA G0/0 ------ Router (Internet)
>>> PC B ------- vlan 6 ----------- F0/0/1 /
>>>
>>> Please let me know if this deployment can be achieved using ASA.
>>>
>>> Even I am suspecting that 1841 is causing the problem. If I put a real
>>> switch, the problem should be solved. But before that I wanted to check
>>> whether ASA is capable of doing it.
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Sep 8, 2009 at 6:43 PM, Tyson Scott <[email protected]> wrote:
>>>
>>> Kingsley,
>>>
>>> What you are saying is not making sense. Please share your
>>> configurations. The only ASA that would support having layer 2 interfaces
>>> and layer 3 would be the 5505. Beyond that the ASA is either going to be in
>>> transparent mode or routed mode. I think that Dave's advice is probably
>>> where you are making your mistake but your explanations are not making
>>> sense. Please provide more configs for further help.
>>>
>>> Regards,
>>>
>>> Tyson Scott - CCIE #13513 R&S and Security
>>> Technical Instructor - IPexpert, Inc.
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
>>> *Sent:* Tuesday, September 08, 2009 8:05 AM
>>> *To:* Stuart Hare
>>> *Cc:* [email protected]
>>> *Subject:* Re: [OSL | CCIE_Security] ASA support of trunking
>>>
>>> The problem is not with 1841 but the ASA is refusing the traffic.
>>>
>>> The problem is that with ASA, I am not able to route traffic when the inside
>>> interface is connected to VLANs through a switch and the outside interface
>>> is connected to a router.
>>>
>>> One side of the ASA is L2 and the other side is L3. Is this scenario
>>> supported by ASA?
>>>
>>> In most of the documents for ASA VLAN support, I see both the sides of
>>> ASA connected to L2 switches.
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Sep 8, 2009 at 5:14 PM, Stuart Hare <[email protected]> wrote:
>>>
>>> Spot on that was my next response :-)
>>>
>>> 2009/9/8 Dave Craddock <[email protected]>
>>>
>>> Sorry hit the send button before I finished
>>>
>>> When you do the no ip routing it doesn't stop the router being a layer3
>>> device, it just stops it routing traffic to unknown networks. If you are on
>>> interface 1 you can still ping an address on interface 2 but you can't route
>>> traffic from a host on network 1 to a host on network 2.
>>>
>>> To make the router into a bridge you need to use bridge groups on the
>>> interfaces that you want to bridge together and then tell the router what
>>> you want to bridge, i.e. bridge ip route ipx etc.
>>>
>>> Dave
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
>>> *Sent:* 08 September 2009 11:40
>>> *To:* [email protected]
>>> *Subject:* Re: [OSL | CCIE_Security] ASA support of trunking
>>>
>>> My topology:
>>>
>>> (host routerA) 1841 ---------- L2 1841 L2 -------------- G0/1 (inside) ASA (outside) G0/0 ------------ outside world ---------- telnet server host
>>>       (router)                  (switch)
>>>
>>> On Tue, Sep 8, 2009 at 3:51 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>> Hi
>>>
>>> I have a host routerA connected to a switch port of 1841 (access vlan 6)
>>> and the other port (access vlan 6) is connected to the ASA (inside g0/1). The
>>> ASA is connected to the outside world through g0/0 (outside).
>>>
>>> I have configured PAT on the ASA.
>>>
>>> I have disabled "ip routing" on the ASA, such that it has switching
>>> functionality alone.
>>>
>>> Now I am trying to make a telnet connection from the host routerA to a
>>> host in the outside world but I get the following error message on the
>>> router.
>>>
>>> % Connection refused by remote host
>>>
>>> I am able to ping the inside interface of the ASA from the host routerA.
>>>
>>> The PAT is not happening and the ASA is refusing the connection.
>>>
>>> If I remove the switch (1841) and connect the host routerA (from L3
>>> interface) directly to ASA inside interface, the PAT is happening and I am
>>> able to telnet.
>>>
>>> I am observing that when I use L2 ports, the connectivity doesn't go
>>> through the ASA.
>>>
>>> I even tried converting the ASA inside interface to a trunk and making
>>> the switch port into a trunk but still I see the same problem.
>>>
>>> For both cases, using the inside interface in access mode and in trunk mode,
>>> ASA refuses the connection.
>>>
>>> What could be the problem?
>>>
>>> With regards
>>> Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
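The case Kings asks about in his final clarification, written out as an added example that is not part of the thread and not anyone's posted configuration: both VLAN sub-interfaces at the same security level, with the command Stu's answer points to. It assumes an ASA in routed mode and reuses the interface names, VLAN IDs and addresses from Tyson's example above; the ACL name DMZ6_IN, the host addresses used in the packet-tracer check, and the pre-8.3 style of the configuration are assumptions.

```cisco
! Added example (not from the thread). Assumed: ASA 5520, routed mode,
! interface/VLAN/address values borrowed from Tyson's example.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.3
 vlan 3
 nameif inside
 security-level 100
 ip address 10.3.3.1 255.255.255.0
!
interface GigabitEthernet0/1.6
 vlan 6
 nameif DMZ6
 security-level 100
 ip address 10.6.6.1 255.255.255.0
!
! Both sub-interfaces are at 100, so neither direction is high-to-low.
! Without the next line the ASA drops inside<->DMZ6 traffic, ACL or no ACL.
same-security-traffic permit inter-interface
!
! intra-interface is the other case: a flow that enters and leaves the
! SAME nameif (VPN client to VPN client, or a hairpin on outside).
! It does nothing for routing between two different sub-interfaces.
! same-security-traffic permit intra-interface
!
! Once an ACL is bound inbound on an interface it governs everything that
! enters there, same-security or not, so it still has to permit the
! inter-VLAN flows you expect (hypothetical ACL name and policy).
access-list DMZ6_IN extended permit ip 10.6.6.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list DMZ6_IN extended permit tcp 10.6.6.0 255.255.255.0 any eq 443
access-group DMZ6_IN in interface DMZ6
!
! Checks from the ASA CLI (assumed host addresses 10.6.6.10 and 10.3.3.10):
!   show running-config same-security-traffic
!   show nameif
!   show interface ip brief
!   packet-tracer input DMZ6 tcp 10.6.6.10 1025 10.3.3.10 23
```

packet-tracer walks the same-security check, the ACL and NAT phases in order, so it shows which one drops a VLAN-to-VLAN packet before you touch the 1841 or the hosts. Under the pre-8.3 nat-control model, traffic between same-security interfaces is exempt from the NAT requirement once inter-interface is permitted; with no nat-control, as in Tyson's example, that does not matter.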
