
Tag#1 ASA initialization (NO CDP)

  • Writer: sukeshtandon
  • Sep 24, 2018
  • 2 min read

Updated: Sep 26, 2018


Sub-interfaces will be used; they are not used in transparent mode.



The switch port facing the ASA must be an 802.1Q trunk, as it will carry traffic for two VLANs.

This works only in SCM / MCM with the firewall in routed mode.

For transparent mode we need physical interfaces.

Also, no CDP feature is enabled.



The ASA command line is shown below.


Some basic commands for ASA

show int | in protocol

show run all ? (shows us all the default options)






1. Verify Layer 2 connectivity first.

Switch interface connected to the ASA (interface for DMZ and INSIDE)

sh run int gi 0/2

description ASA interface gi 0/0

switchport trunk encapsulation dot1q

switchport mode trunk

end


Note: The default configuration on our Catalyst switches is either dynamic auto or dynamic desirable, which is an automatic method for trunking. We will discuss that more shortly, but Cisco recommends setting it manually. Now, switchport mode trunk only works if we also set the encapsulation method manually. Our switches support both ISL and 802.1Q; in the real world we use 802.1Q the majority of the time, so that is the standard we go for. So, in order to set the mode to trunk, we also have to set the encapsulation method manually.


Just like routers, the ASA does not support DTP (Dynamic Trunking Protocol), hence the mode of the switch interface must be hard-coded.



Depending on the platform and the Catalyst IOS it is running, the interface may default to dynamic desirable or dynamic auto.

Dynamic desirable: actively sends DTP negotiations.

Dynamic auto: only listens for DTP negotiations.


Since the ASA does not support DTP, the switch port will not automatically form a trunk towards it.



show spanning-tree int gi 0/2





We must see that the VLANs we want (10 and 125) are forwarding over the interface.

If there are other VLANs that we are not using on that link, we can restrict them from passing over that interface as an optimisation: the switch may be trunking those VLANs, but the ASA may not be encapsulating them.


conf t

int gi 0/2

switchport trunk allowed vlan 10,125

end



Interface connected to the ASA (outside interface)


sh int status | exclude not connected

sh run int fa 0/2

sh interface ip brief



L3 connectivity

Now check on the ASA itself.

OUTSIDE

conf t

int gi 0/2

nameif outside

no shut

ip address 200.0.122.12 255.255.255.0

end



We should be able to ping from the ASA out of the outside interface.

(locally originated ICMP)


We should also be able to ping the ASA's outside interface from the outside side (this is the default behaviour and can be changed).



INSIDE and DMZ (sub-interfaces of gi 0/0; the parent interface must be up)

int gi 0/0

no shut


int gi 0/0.125

vlan 125

nameif inside

ip address 10.0.125.12 255.255.255.0


int gi 0/0.10

vlan 10

nameif dmz

ip address 10.0.0.12 255.255.255.0
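The checks described in this post (the switch port hard-coded as a dot1q trunk because the ASA has no DTP, the allowed-VLAN list restricted to exactly the VLANs the ASA tags, and every sub-interface carrying a vlan tag and a nameif) are easy to get wrong when done by eye. The following Python script is an added example, not code from the original post: it parses constructed configuration snippets shaped like the `show run interface` output above and reports any mismatch between the switch trunk and the ASA sub-interfaces. The sample configs, the `audit_trunk` function and its finding texts are all assumptions made for this illustration.

```python
"""Added example (not part of the original post): audit a switch trunk port
against the ASA sub-interfaces it feeds, using constructed sample configs."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the hardened switch port as configured in the post.
GOOD_SWITCH_PORT = """\
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,125
 switchport mode trunk
"""

# Constructed sample: a port left at a Catalyst DTP default.
WEAK_SWITCH_PORT = """\
interface GigabitEthernet0/2
 switchport mode dynamic desirable
"""

# Constructed sample shaped like the post's inside/dmz configuration.
ASA_SUBINTERFACES = """\
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.125
 vlan 125
 nameif inside
 ip address 10.0.125.12 255.255.255.0
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif dmz
 ip address 10.0.0.12 255.255.255.0
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_switch_port(config: str) -> Dict[str, object]:
    """Extract mode, encapsulation and allowed VLANs from one IOS port config.
    allowed=None means no 'allowed vlan' line, i.e. the trunk carries every VLAN."""
    port: Dict[str, object] = {"mode": None, "encapsulation": None, "allowed": None}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("switchport mode "):
            port["mode"] = line[len("switchport mode "):]        # 'trunk' or 'dynamic ...'
        elif line.startswith("switchport trunk encapsulation "):
            port["encapsulation"] = line.split()[-1]
        elif line.startswith("switchport trunk allowed vlan "):
            port["allowed"] = expand_vlan_list(line[len("switchport trunk allowed vlan "):])
    return port


def parse_asa_subinterfaces(config: str) -> List[Dict[str, Optional[object]]]:
    """Return vlan tag and nameif for every sub-interface (name contains a dot)."""
    subifs: List[Dict[str, Optional[object]]] = []
    for block in re.split(r"^interface ", config, flags=re.MULTILINE)[1:]:
        lines = block.splitlines()
        name = lines[0].strip()
        if "." not in name:
            continue  # physical parent interface, not a tagged sub-interface
        entry: Dict[str, Optional[object]] = {"interface": name, "vlan": None, "nameif": None}
        for raw in lines[1:]:
            line = raw.strip()
            if line.startswith("vlan "):
                entry["vlan"] = int(line.split()[1])
            elif line.startswith("nameif "):
                entry["nameif"] = line.split()[1]
        subifs.append(entry)
    return subifs


def audit_trunk(switch_config: str, asa_config: str) -> List[str]:
    """Return a list of findings; an empty list means switch and ASA agree."""
    findings: List[str] = []
    port = parse_switch_port(switch_config)
    subifs = parse_asa_subinterfaces(asa_config)
    if port["mode"] != "trunk":
        findings.append(f"switch port mode is {port['mode']!r}; the ASA does not speak DTP, "
                        "so the port must be hard-coded 'switchport mode trunk'")
    if port["encapsulation"] != "dot1q":
        findings.append("trunk encapsulation is not explicitly set to dot1q")
    asa_vlans = {s["vlan"] for s in subifs if s["vlan"] is not None}
    allowed = port["allowed"]
    if allowed is None:
        findings.append(f"trunk carries all VLANs; restrict it to {sorted(asa_vlans)}")
    else:
        if allowed - asa_vlans:
            findings.append(f"VLANs {sorted(allowed - asa_vlans)} are trunked but not tagged on the ASA")
        if asa_vlans - allowed:
            findings.append(f"ASA tags VLANs {sorted(asa_vlans - allowed)} that the trunk does not allow")
    for s in subifs:
        if s["vlan"] is None:
            findings.append(f"{s['interface']} has no 'vlan' tag")
        if s["nameif"] is None:
            findings.append(f"{s['interface']} has no 'nameif' and will not pass traffic")
    return findings
```

Running `audit_trunk(GOOD_SWITCH_PORT, ASA_SUBINTERFACES)` returns no findings, while the DTP-default port yields three: the negotiated mode, the missing dot1q encapsulation, and the unrestricted VLAN list. The script only understands the plain `allowed vlan` list form; the `add`, `remove` and `except` variants of that command would need extra handling.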



Now we will configure routing.




