Hi Tyson,

Irrespective of whether the ASA is in transparent or routed mode, if I need to put the ASA in between a trunk link between two switches, then it seems the ASA should have two different VLANs.
switch ---- trunk-------------ASA ------trunk-------------switch
vlan 2 - 10.20.30.0           vlan 6 - 10.20.30.0
vlan 3 - 20.10.30.0           vlan 7 - 20.10.30.0

Does this not break the transparency of the network by bringing in two different VLANs for a single subnet?

With regards
Kings

On Sun, Oct 4, 2009 at 6:53 PM, Tyson Scott <[email protected]> wrote:
> Actually the problem is not that you can't do what you are trying to do.
> The problem is that you are doing it wrong.
>
> The VLAN should be different on each side. You can't bridge the same VLAN.
>
> R1 vlan 2 - 10.20.30.0 - Vlan22 - R2
> R3 vlan 3 - 20.10.30.0 - Vlan 33 - R4
>
> So the configuration would be
>
> E0/0
>  no shutdown
> E0/0.2
>  vlan 2
> E0/0.3
>  vlan 3
> E0/1
>  no shutdown
> E0/1.22
>  vlan 22
> E0/1.33
>  vlan 33
>
> context TransparentFw1
>  allocate-interface E0/0.2
>  allocate-interface E0/1.22
> context TransparentFw2
>  allocate-interface E0/0.3
>  allocate-interface E0/1.33
>
> Then you assign the port for R1 to Vlan 2, and R2 to Vlan 22,
> R3 to Vlan 3, and R4 to Vlan 33.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Segun Daini
> Sent: Sunday, October 04, 2009 5:11 AM
> To: Kingsley Charles; [email protected]
> Subject: Re: [OSL | CCIE_Security] Transparent firewall with trunking
>
> Hi,
>
> For a transparent firewall, you can only split a single network into two separate networks bridged by the FW.
>
> The FW interfaces will need to be in unique VLANs in a single-switch scenario, while for a two-switch scenario the VLAN may be the same.
>
> The FW int can carry traffic for multiple VLANs; that's why you cannot trunk it. Also in multi-context, the interface can't be shared.
>
> Regards.
>
> ------------------------------
>
> From: Kingsley Charles <[email protected]>
> To: [email protected]
> Sent: Sunday, October 4, 2009 9:47:33 AM
> Subject: [OSL | CCIE_Security] Transparent firewall with trunking
>
> Hi all
>
> I am trying trunking with a transparent firewall with the following topology:
>
> 10.20.30.43                                                    10.20.30.42
> R1 (vlan2)-------------I                      I--------------------(vlan2) R3
>                   Switch--------Trunking---------ASA---------Trunking----------Switch
> R2 (vlan3)-------------I                      I--------------------(vlan3) R4
> 20.10.30.43                                                    20.10.30.42
>
> I have four routers.
>
> R1 and R2 are connected to switch 1 in vlan 2 and vlan 3 respectively.
> R3 and R4 are connected to switch 1 in vlan 2 and vlan 3 respectively.
>
> ASA G0/1 is connected to switch 1 with trunking.
> ASA G0/0 is connected to switch 2 with trunking.
>
> vlan 2 - 10.20.30.0
> vlan 3 - 20.10.30.0
>
> Based on my investigation, it seems we can't achieve this. During the initial config itself, I am facing an issue. If I associate vlan 2 to e1.2, then I am not able to associate vlan 2 to e0.2 again.
>
> interface Ethernet1
>  no nameif
>  no security-level
> !
> interface Ethernet1.2
>  vlan 2
>  nameif vlan2
>  security-level 100
> !
> interface Ethernet1.3
>  vlan 3
>  nameif vlan3
>  security-level 100
>
> pixfirewall(config-subif)# vlan2
> ERROR: VLAN 2 has been assigned to another interface
>
> pixfirewall(config-subif)# vlan3
> ERROR: VLAN 3 has been assigned to another interface
>
> I am not able to configure a transparent firewall across VLANs, but how do we do it if there is a case where I need a transparent firewall across a trunk that carries many VLANs? Is it possible with the ASA transparent firewall?
>
> With regards
>
> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
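The rule this thread runs into, as an added example that is not part of the thread and not Cisco's code: a small Python model of the two constraints at play (a VLAN tag can be assigned to only one subinterface on the box, and a transparent context must bridge two interfaces carrying different tags), run against Kings' original attempt and Tyson's corrected layout. The class and function names are my own.

```python
from dataclasses import dataclass, field


@dataclass
class Asa:
    """Toy model (not the real ASA): subinterface -> VLAN tag, context -> allocated subinterfaces."""
    subifs: dict = field(default_factory=dict)
    contexts: dict = field(default_factory=dict)

    def set_vlan(self, subif, vlan):
        """Like 'vlan N' under a subinterface: a tag may live on only one subinterface."""
        owner = next((s for s, v in self.subifs.items() if v == vlan and s != subif), None)
        if owner is not None:
            return f"ERROR: VLAN {vlan} has been assigned to another interface"
        self.subifs[subif] = vlan
        return "ok"

    def allocate(self, ctx, *subifs):
        """Like 'allocate-interface' inside 'context NAME'."""
        self.contexts.setdefault(ctx, []).extend(subifs)

    def check_transparent_contexts(self):
        """A transparent context bridges exactly two interfaces carrying two distinct tags."""
        problems = []
        for ctx, names in self.contexts.items():
            tags = [self.subifs.get(n) for n in names]
            if len(names) != 2 or None in tags:
                problems.append(f"{ctx}: needs two configured subinterfaces, got {names}")
            elif tags[0] == tags[1]:
                problems.append(f"{ctx}: would bridge VLAN {tags[0]} to itself")
        return problems


def kings_attempt():
    """Original post: VLAN 2 on both trunk-side subinterfaces; the second 'vlan 2' is rejected."""
    asa = Asa()
    asa.set_vlan("Ethernet1.2", 2)
    return asa.set_vlan("Ethernet0.2", 2)


def tysons_design():
    """Reply: a different tag on each side of every bridge, one context per bridged pair."""
    asa = Asa()
    for subif, tag in [("E0/0.2", 2), ("E0/0.3", 3), ("E0/1.22", 22), ("E0/1.33", 33)]:
        assert asa.set_vlan(subif, tag) == "ok"
    asa.allocate("TransparentFw1", "E0/0.2", "E0/1.22")
    asa.allocate("TransparentFw2", "E0/0.3", "E0/1.33")
    return asa.check_transparent_contexts()  # returns [] when every context is a clean bridge
```

The switch side of Tyson's layout (R1's port in VLAN 2, R2's in VLAN 22, and so on) is what keeps the two halves of each subnet from meeting anywhere except through the context.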
