Cascade switches behind ASA 5505

Subject: Cascade switches behind ASA 5505
Author: yvette.ye
Posted: May 15, 2008, 1:07 am
Hello...

I have a lab with an ASA 5505 as the router, as per the configuration below. Port
4 and port 6 are configured on the same VLAN 13 subnet; port 6 connects
to Switch1 (2960) and port 4 connects to Switch2 (3960). Any host
connected to Switch1 or Switch2 can reach the others and the
internet without problem.

Now, when I relocated Switch2 to port 23 of Switch1, the hosts on Switch2
lost their connection to the rest of the world,
except to hosts on the same switch (Switch2).

My question is: what needs to be changed when cascading one switch behind
another in this configuration?

The following are the configurations for the ASA 5505, Switch1 and Switch2
(the IPs have been modified in order to post here).
Please excuse the long post.

ASA5505
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.101 255.255.255.224
!
interface Vlan3
nameif dmz
security-level 40
ip address 172.16.3.1 255.255.255.0
!
interface Vlan13
nameif temp
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 13
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 13
!
interface Ethernet0/7
!
passwd r.1223343433 encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.10.1.1
name-server 10.10.1.2
domain-name abc.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list test extended permit icmp any any
access-list test extended permit tcp any host 10.10.10.1 eq www
access-list test extended permit tcp any host 10.10.10.1 eq https
access-list test extended permit tcp any host 10.10.10.2 eq www
access-list test extended permit tcp any host 10.10.10.2 eq https
access-list test extended permit tcp any host 10.10.10.2 eq 3389
access-list test extended permit tcp any eq 3390 host 10.10.10.3 eq 3390
access-list test extended permit tcp any eq 1080 host 10.10.10.3 eq 1080
access-list temp_in remark temp
access-list temp_in extended permit ip any host 172.16.1.11
access-list temp_in extended permit ip any host 172.16.1.12
access-list temp_in extended permit ip any host 172.16.1.13
access-list temp_in remark Server02 Temporarily on INSIDE
access-list temp_in extended permit ip any host 172.16.1.14
access-list temp_in extended deny ip any 172.16.1.0 255.255.255.0
access-list temp_in extended permit ip any any
access-list dmz_in extended permit icmp any any echo-reply
access-list dmz_in extended permit tcp any eq www host 172.16.1.11 eq www
access-list dmz_in extended permit tcp host 172.16.3.111 eq 1433 host 172.16.1.11 eq 1433
access-list dmz_in extended deny ip any 172.16.1.0 255.255.255.0
access-list dmz_in extended permit ip any host 172.16.0.221
access-list dmz_in extended deny ip any 172.16.0.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-list inside_access_in extended permit tcp host 172.16.3.111 eq 1433 host 172.16.1.11 eq 1433
access-list inside_access_in extended deny ip host 172.16.1.42 any
access-list inside_access_in extended deny ip host 172.16.1.43 any
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host 172.16.3.111 host 172.16.1.11 eq 1433
access-list dmz_access_in extended permit ip host 172.16.3.111 any inactive
access-list dmz_access_in extended permit ip host 172.16.3.110 host 172.16.0.221
access-list dmz_access_in extended permit ip host 172.16.3.110 any
pager lines 30
logging asdm informational
logging from-address administrator@abc.com
logging recipient-address administrator@abc.com level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu temp 1500
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface temp
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
global (temp) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (temp) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 172.16.1.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 172.16.1.34 3390 netmask 255.255.255.255
static (dmz,outside) 10.10.10.1 172.16.3.110 netmask 255.255.255.255
static (temp,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
static (dmz,outside) 10.10.10.2 172.16.3.111 netmask 255.255.255.255
static (inside,temp) 172.16.1.12 172.16.1.12 netmask 255.255.255.255
static (inside,temp) 172.16.1.13 172.16.1.13 netmask 255.255.255.255
static (inside,temp) 172.16.1.11 172.16.1.11 netmask 255.255.255.255
static (inside,temp) 172.16.1.14 172.16.1.14 netmask 255.255.255.255
static (inside,dmz) 172.16.1.11 172.16.1.11 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group test in interface outside
access-group dmz_access_in in interface dmz
access-group temp_in in interface temp
route outside 0.0.0.0 0.0.0.0 10.10.10.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 142.50.220.55 255.255.255.255 outside
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 temp
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 temp
ssh timeout 40
console timeout 0
dhcpd auto_config outside
dhcpd update dns
!
dhcpd address 172.16.1.128-172.16.1.254 inside
dhcpd dns 172.16.1.11 205.152.144.23 interface inside
dhcpd domain abc.com interface inside
dhcpd update dns interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end


SWITCH1:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch1
!
enable secret 5 $fwrrwr3r324213413241324
!
no aaa new-model
ip subnet-zero
!
!
!
!
no Server verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
description aaa
!
interface FastEthernet0/2
!
interface FastEthernet0/3
description bbb
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
switchport mode trunk
mls qos trust dscp
macro description cisco-router
auto qos voip trust
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface FastEthernet0/13
switchport access vlan 13
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/14
switchport access vlan 13
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/15
switchport access vlan 13
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/16
switchport access vlan 13
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/17
switchport access vlan 13
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/18
switchport access vlan 13
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/19
switchport access vlan 13
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/20
switchport access vlan 13
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/21
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/22
switchport access vlan 13
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/23
description 8 port mini switch
switchport trunk native vlan 13
switchport mode trunk
macro description cisco-switch
auto qos voip trust
spanning-tree bpduguard disable
spanning-tree link-type point-to-point
!
interface FastEthernet0/24
description 5505 - Prepress
switchport trunk native vlan 13
switchport mode trunk
mls qos trust dscp
macro description cisco-router
auto qos voip trust
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
description Server01
!
interface GigabitEthernet0/2
description APP01
!
interface Vlan1
ip address 172.16.1.2 255.255.255.0
no ip route-cache
!
ip default-gateway 172.16.1.1
ip http server
!
control-plane
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end


SWITCH2:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch2
!
enable secret 5 $asdadadadasdasfwewr3424
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
system mtu routing 1500
ip subnet-zero
!
!
!
!
no Server verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
!
interface Vlan1
ip address 172.16.0.3 255.255.255.0
!
ip default-gateway 172.16.0.1
ip classless
ip http server
!

control-plane
!
!
line con 0
line vty 0 4
password 123456
login
length 0
line vty 5 15
password 123456
login
length 0
!
end


Regards,
Yvette.
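The following is an added example, not part of the post above and not a Cisco tool. It parses the two interface stanzas that form the new Switch1-to-Switch2 link (Switch1 Fa0/23 is copied from the post; Switch2 Gi0/1 is the only port on Switch2 with no configuration and is assumed here to be the uplink), works out which VLAN each end puts on the wire untagged once DTP has run, and reports disagreements. The reason this matters for a cascaded link is that a Catalyst running PVST+ treats a peer whose untagged VLAN ID differs from its own as PVID-inconsistent and blocks the affected VLANs, which leaves hosts behind the downstream switch talking only to each other. The Catalyst defaults used for an unconfigured port (mode `dynamic auto`, access and native VLAN 1), the simplified DTP model and the VLAN number chosen in the suggested fix are assumptions. Note that on Switch1 VLAN 1 is the 172.16.1.0/24 inside subnet, so a trunk with the wrong native VLAN does not merely break connectivity; it can deliver a downstream switch's untagged hosts into a different firewall zone.

```python
"""Untagged-VLAN consistency check for a cascaded-switch link.

Added example, not from the post or from any Cisco tool. Parses IOS interface
stanzas, derives the VLAN each end of a link sends untagged (after DTP), and
reports mismatches that PVST+ would block as PVID-inconsistent.
"""
import re

# Stanzas copied from the two switch configs in the post. Switch1 Fa0/23 is the
# port Switch2 was moved to; Switch2 Gi0/1 carries no config and is ASSUMED to
# be Switch2's uplink.
SWITCH1_FA0_23 = """\
interface FastEthernet0/23
 description 8 port mini switch
 switchport trunk native vlan 13
 switchport mode trunk
 spanning-tree bpduguard disable
 spanning-tree link-type point-to-point
!
"""
SWITCH2_GI0_1 = """\
interface GigabitEthernet0/1
!
"""

# ASSUMED Catalyst 2960 / IOS 12.2 defaults for a port with no switchport config.
DEFAULT_MODE, DEFAULT_ACCESS_VLAN, DEFAULT_NATIVE_VLAN = "dynamic auto", 1, 1


def parse_interface(stanza):
    """Return (interface name, [config lines]) from one IOS interface stanza."""
    lines = [l.strip() for l in stanza.splitlines() if l.strip() and l.strip() != "!"]
    if not lines or not lines[0].startswith("interface "):
        raise ValueError("not an interface stanza")
    return lines[0].split(None, 1)[1], lines[1:]


def port_view(cfg_lines):
    """Extract mode, access VLAN, native VLAN and DTP setting, applying defaults."""
    view = {"mode": DEFAULT_MODE, "access": DEFAULT_ACCESS_VLAN,
            "native": DEFAULT_NATIVE_VLAN, "nonegotiate": False}
    for line in cfg_lines:
        if m := re.fullmatch(r"switchport mode (trunk|access|dynamic (?:auto|desirable))", line):
            view["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            view["access"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            view["native"] = int(m.group(1))
        elif line == "switchport nonegotiate":
            view["nonegotiate"] = True
    return view


def will_trunk(me, peer):
    """Simplified DTP outcome: does this end come up as a trunk given its peer?"""
    if me["mode"] in ("trunk", "access"):
        return me["mode"] == "trunk"          # fixed role, DTP irrelevant
    if peer["nonegotiate"] or peer["mode"] == "access":
        return False                          # peer sends no DTP frames
    if me["mode"] == "dynamic desirable":
        return True                           # desirable trunks with any DTP speaker
    return peer["mode"] in ("trunk", "dynamic desirable")   # auto needs an active peer


def untagged_vlan(me, peer):
    """VLAN this end associates with untagged frames: native if trunking, else access."""
    return me["native"] if will_trunk(me, peer) else me["access"]


def check_link(name_a, cfg_a, name_b, cfg_b):
    """Return a list of findings for the link between two interface stanzas."""
    a, b = port_view(cfg_a), port_view(cfg_b)
    findings = []
    ua, ub = untagged_vlan(a, b), untagged_vlan(b, a)
    if ua != ub:
        findings.append(
            f"untagged VLAN mismatch: {name_a} uses VLAN {ua}, {name_b} uses VLAN {ub}; "
            "PVST+ reports the link PVID-inconsistent and blocks those VLANs")
    for name, view in ((name_a, a), (name_b, b)):
        if view["mode"].startswith("dynamic"):
            findings.append(
                f"{name}: role left to DTP ({view['mode']}); set the mode explicitly "
                "and add 'switchport nonegotiate'")
    return findings


def suggest_fix(name, cfg_lines, peer_cfg_lines, vlan):
    """Emit a stanza that pins this end's current role and puts VLAN `vlan` untagged."""
    me, peer = port_view(cfg_lines), port_view(peer_cfg_lines)
    if will_trunk(me, peer):
        body = [" switchport mode trunk", f" switchport trunk native vlan {vlan}"]
    else:
        body = [" switchport mode access", f" switchport access vlan {vlan}"]
    return "\n".join([f"interface {name}", *body, " switchport nonegotiate", "!"]) + "\n"


if __name__ == "__main__":
    n1, c1 = parse_interface(SWITCH1_FA0_23)
    n2, c2 = parse_interface(SWITCH2_GI0_1)
    for finding in check_link(n1, c1, n2, c2):
        print("FINDING:", finding)
    # Pin both ends to untagged VLAN 13 (ASSUMED target: the VLAN that ASA port 4
    # used to place Switch2's traffic in). Hosts on Switch2 must then also sit in
    # VLAN 13 on Switch2, otherwise their VLAN 1 frames cross the trunk tagged and
    # surface in Switch1's VLAN 1, the inside subnet.
    print(suggest_fix(n1, c1, c2, 13))
    print(suggest_fix(n2, c2, c1, 13))
```

Run as-is, the check reports two findings for the posted stanzas: the two ends disagree about the untagged VLAN (13 on Switch1's trunk, 1 on Switch2's unconfigured port once DTP brings it up as a trunk), and Switch2's port role is left to DTP. The `suggest_fix` output is a starting point only; the VLAN that hosts on Switch2 belong to has to be decided by the person running the lab, not by the script.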
