Is it possible to pass to the ASA first before inter-VLAN routing?

martlee2 (Cisco Employee)

I would like to pass traffic to the ASA first, before inter-VLAN routing at the 2901 router, because I would like to control that VLAN 2 can access VLAN 3 but

not allow VLAN 3 to access VLAN 2.

2960 vlan 2 switch 1 ---> 2960 switch 0 ---> ASA ---> 2901 router 0 --> 2960 switch 0 ---> 2960 vlan 3 switch

1. How can I let VLAN 2 and VLAN 3 traffic out from switch 0's Gig0/2, which is in VLAN 1, to the ASA's VLAN 1 in Packet Tracer?

2. Is it possible for other traffic to go outside of the ASA, meaning that if the IP addresses are public addresses they go outside, and private IP addresses go inside by passing through the ASA and then doing inter-VLAN routing?

Updated:

If the above is impossible, then when I set a trunk port on the ASA's e0/2, it cannot be set as a trunk port. How can I make this ASA the default gateway for VLAN 2 and VLAN 3 in Packet Tracer?

Juniper can use a trunk port to accept different VLAN traffic; how does the ASA do this?

! attempted on the ASA e0/2; rejected, see the CLI output below
conf t
int e0/2
switchport mode trunk
switchport trunk allowed vlan 1
switchport trunk allowed vlan add 2
switchport trunk allowed vlan add 3
shut
no shut
end

ciscoasa#conf t
ciscoasa(config)#int e0/2
ciscoasa(config-if)#switchport
% Incomplete command.
ciscoasa(config-if)#switchport ?
interface mode commands/options:
  access  Set access mode characteristics of the interface
ciscoasa(config-if)#switchport mode
                               ^
% Invalid input detected at '^' marker.

switch 0
conf t
hostname switch3
vlan dot1q tag native
!
vlan 2
vlan 3
!
! f0/1 and f0/2: trunks to the VLAN 2 and VLAN 3 access switches
int f0/1
switchport mode trunk
switchport trunk allowed vlan 2,3
no shut
!
int f0/2
switchport mode trunk
switchport trunk allowed vlan 2,3
no shut
!
! Gig0/1: trunk toward the 2901 router, also carries vlan 5
int GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 2,3,5
no shut
!
spanning-tree vlan 1 priority 0
spanning-tree vlan 2 priority 0
spanning-tree vlan 3 priority 0
!
int vlan 2
ip address 192.168.2.3 255.255.255.0
no shut
!
int vlan 3
ip address 192.168.3.3 255.255.255.0
no shut
!
! note: vlan 5 and vlan 1 below are both addressed in 192.168.5.0/24;
! IOS rejects the second address as overlapping, so only one of the two SVIs keeps it
int vlan 5
ip address 192.168.5.3 255.255.255.0
shut
no shut
!
int vlan 1
ip address 192.168.5.9 255.255.255.0
shut
no shut
!
! Gig0/2: link to the ASA e0/2, vlan 1 only
int GigabitEthernet0/2
switchport mode trunk
switchport trunk allowed vlan 1
shut
no shut
!
ip default-gateway 192.168.5.254
end

ASA
conf t
! remove the Packet Tracer default DHCP setup
no dhcpd auto_config outside
no dhcpd address 192.168.1.5-192.168.1.36 inside
no dhcpd enable inside
!
int vlan 2
no ip address
!
! vlan 1 is the inside interface facing switch0 Gig0/2 and the 2901 router
int vlan 1
nameif inside
security-level 100
ip address 192.168.5.254 255.255.255.0
!
int e0/2
switchport access vlan 1
shut
no shut
!
int e0/1
switchport access vlan 1
shut
no shut
!
! next hop 192.168.5.5 is the 2901 router, which does the inter-VLAN routing
route inside 192.168.2.0 255.255.255.0 192.168.5.5
route inside 192.168.3.0 255.255.255.0 192.168.5.5
end

1 Reply

dperezoquendo (Level 1)

Hello,

Trunk mode is only available with the Security Plus license on the ASA 5505. From the looks of your screenshots, it appears Packet Tracer doesn't support it.

As for allowing VLAN 2 and VLAN 3 out of the switch to the ASA, you're going to have to create a Layer 3 interconnect. I would try making VLAN 1 on the ASA and g0/2 on switch0 a /30 subnet.

For only one-way communication between VLAN 2 and VLAN 3, you can try a reflexive ACL applied on an SVI permitting established TCP connections. This article seems to do what you were looking for: https://howdoesinternetwork.com/2012/allow-vlan-access-but-no-back
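The layout the reply recommends, worked out as an added example (this is not configuration from either poster): the ASA inside interface and the 2901 share a routed /30, the 2901 does router-on-a-stick for VLAN 2 and VLAN 3, and a reflexive ACL on the router lets VLAN 2 open sessions toward VLAN 3 while VLAN 3 can only answer them. Everything not shown in the thread is an assumption for this example: the 2901 interface names, the /30 192.168.5.252/30 (ASA .254, router .253, chosen so the ASA keeps its existing address), the VLAN gateway addresses .254, the ACL names and the reflexive timeouts.

```cisco
! Added example, not configuration from the thread. Assumed: 2901 "R1" routes between
! VLANs (router-on-a-stick on G0/1 toward switch0 Gig0/1); R1 G0/0 and the ASA inside
! interface share 192.168.5.252/30; VLAN 2 = 192.168.2.0/24, VLAN 3 = 192.168.3.0/24.
!
! ---------- 2901 router ----------
hostname R1
!
interface GigabitEthernet0/0
 description routed /30 to ASA inside (ASA holds 192.168.5.254)
 ip address 192.168.5.253 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/1
 description 802.1Q trunk to switch0 Gig0/1 (VLANs 2 and 3)
 no shutdown
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.2.254 255.255.255.0
 ip access-group FROM-VLAN2 in
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 192.168.3.254 255.255.255.0
 ip access-group FROM-VLAN3 in
!
! anything that is not VLAN 2/3 goes to the ASA, which decides inside vs. outside
ip route 0.0.0.0 0.0.0.0 192.168.5.254
!
! Packets entering from VLAN 2: sessions it opens toward VLAN 3 are recorded in the
! temporary reflexive list V2-SESSIONS (addresses and ports mirrored); other traffic passes.
ip access-list extended FROM-VLAN2
 permit tcp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect V2-SESSIONS timeout 300
 permit udp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect V2-SESSIONS timeout 60
 permit icmp 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect V2-SESSIONS timeout 30
 permit ip 192.168.2.0 0.0.0.255 any
!
! Packets entering from VLAN 3: only replies to sessions VLAN 2 opened may reach VLAN 2;
! any other packet toward VLAN 2 is dropped and logged. Other destinations are unaffected.
ip access-list extended FROM-VLAN3
 evaluate V2-SESSIONS
 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 permit ip 192.168.3.0 0.0.0.255 any
!
! ---------- ASA 5505 (replaces the routes that pointed at 192.168.5.5) ----------
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.254 255.255.255.252
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
route inside 192.168.2.0 255.255.255.0 192.168.5.253
route inside 192.168.3.0 255.255.255.0 192.168.5.253
!
! Only with the Security Plus license (not in Packet Tracer) could Ethernet0/2 carry the
! VLANs directly; the trunk attempt from the first post would then be accepted:
!   interface Ethernet0/2
!    switchport mode trunk
!    switchport trunk allowed vlan 2,3
!    switchport trunk native vlan 1
```

To check it, open a connection from a VLAN 2 host to a VLAN 3 host and run `show access-list V2-SESSIONS` on R1: a temporary entry with the mirrored addresses and ports appears and ages out after the timeout. `show ip access-lists FROM-VLAN3` then shows hits on the `deny ... log` line for anything VLAN 3 initiates toward VLAN 2. Two caveats a reviewer would raise: the shortcut the article in the reply uses, `permit tcp ... established`, passes any packet with the ACK or RST bit set and covers TCP only, so a sender in VLAN 3 can craft packets that slip through; the reflexive list is the stricter choice and also covers UDP and ICMP. And in this layout the ASA never sees VLAN 2 to VLAN 3 traffic at all, which is what the first post asked for; inspecting that traffic on the ASA needs either the Security Plus trunk or one routed ASA interface per VLAN.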
