
(Updated with config, see bottom).

I've a question regarding the ability of a Cisco ASA 5505 to handle two trunked interfaces when sitting between two switches.

I've gone to the trouble of drawing a diagram to illustrate the setup, as describing it in writing would just be confusing. (The config details have been stripped down for clarity).

Network setup

Basically the connection to the ASA 5505 from the rest of the network (via a multirole 2960) is fine. However, I'm looking to access a second switch on the other side of the 5505 (which will for the most part be in its own network).

However when I try and reach the 2960G switch from the firewall I get no response. (Can't ping 192.168.200.254 from the switch, or 192.168.200.1 from the firewall).

I can't get the simplest of connectivity between the firewall's secondary port (Eth0/1) and the 2nd switch. I was hoping to run this connection as a trunked interface so that most machines would be in their own VLAN behind the firewall, but in future I could present VLANs available to the rest of the network to machines connected to the 2nd switch. However, I can't get even basic access to the switch in its current state.

People have said that they believe a 5505 can't do this as it's a 'glorified switch', but what exactly is stopping it? From my point of view, if a trunked interface works fine on Eth0/0 to access the firewall, why can't I do the same on Eth0/1 so the 2nd switch is accessible from the firewall?

Apologies for the long winded nature of the question, but I am really keen to know if there is something fundamentally wrong in the setup - or if something must just be wrong in the config.

Cheers, Coops.

UPDATE: 5505 config available here: http://pastebin.com/sB7GpqiA Infrastructure IPs / passwords / etc. changed for anonymity, but the VLANs and internal IPs should match the diagram. I also added an "allow any any" on all interfaces to rule out firewalling. Vlan1 is also configured, but it's not assigned to anything; it's vlan2 I'm trying to access the switch via.

Coops
  • Can you post a sanitized version of your ASA's configuration? To my mind an ASA isn't a "glorified switch" and can definitely be configured to do what you're looking for. Getting traffic moving through it, though, will involve the right configuration of interface security levels and possibly NAT and firewall rules. – Evan Anderson Jul 20 '11 at 20:33
  • Yeah, I can get some sanitized config tomorrow. I've pored over the config with a colleague, so I'll be damned if I missed something! It's also probably worth mentioning that when I switch Eth0/1 and Gi0/20 over to being access ports I could ping as much as I wanted! But that obviously stops me from carrying out my VLAN plan. – Coops Jul 20 '11 at 20:38
  • This should definitely work.. Dumb question, and you've clearly put a lot of effort into making the problem clear so I feel bad asking (thanks for the diagram, by the way) - but are the ports in `switchport mode trunk`? In less terrible questions: does the 2960 get the firewall in its mac address table on vlan 2? That'll be a good hint on whether it's a trunking/vlan issue, or something else. – Shane Madden Jul 20 '11 at 20:42
  • @Coops: It sounds like you've got it working to me, then. I don't understand what you mean by "stops you from carrying out your VLAN plan". If you're not planning to ever trunk more VLANs to the ASA on Eth0/1 then just make it an access member of VLAN 2, make the Gi0/20 an access member of VLAN 2, and you're done. You only need Eth0/1 on the ASA to be a trunk port if you're going to present other VLAN interfaces on it later. Whether-or-not the connection between the switch and the ASA is a trunk has nothing to do with anything else, so long as the traffic flows as you want it to. – Evan Anderson Jul 20 '11 at 20:46
  • @Shane Yes, the ports are definitely "mode trunk". I just cut out the non-unique stuff. But it's a fair question to ask! I'm glad to hear this should work (as in my head it does!). I'll have to check the MAC table when I'm back at the setup tomorrow. – Coops Jul 20 '11 at 20:48
  • @Evan There need to be two VLANs to start with (of two different security levels), but my 'plan' was to also allow our auto-installer VLAN through to machines on the 2nd switch in future to speed up deployment. But yeah, I understand that if I only ever needed one VLAN an access port would be fine. – Coops Jul 20 '11 at 20:51
  • @Coops: Understood. It should definitely be able to do what you're trying to do. We'll look at the config when you put it up. – Evan Anderson Jul 20 '11 at 20:53
  • @Evan Stayed up and retrieved the config remotely. Updated the bottom of the original post with details. Cheers for the help! Tired now - so off to bed :-) – Coops Jul 20 '11 at 21:40
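The trunk setup the question describes, written out as an added example for both ends of the link. This is not the poster's pastebin config and does not reproduce the diagram: only VLAN 2, the 192.168.200.1 / 192.168.200.254 addresses, Eth0/1 and Gi0/20 come from the thread. The second VLAN (10), its 192.168.210.0/24 subnet, the `nameif` names and the security levels are assumptions added to illustrate the "two VLANs with different security levels, more presented later" plan from the comments.

```cisco
! ---- ASA 5505 (assumed to hold the Security Plus license) ----
! On the 5505, Ethernet0/0-0/7 are switch ports; addressing, security
! levels and policy live on the VLAN interfaces. Trunk ports need the
! Security Plus license (the Base license allows 3 VLANs and no trunks).
interface Vlan2
 nameif lab
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
! Assumed second VLAN, to be presented to the 2nd switch later.
interface Vlan10
 nameif lab-deploy
 security-level 10
 ip address 192.168.210.1 255.255.255.0
!
interface Ethernet0/1
 description trunk to 2960G Gi0/20
 switchport trunk allowed vlan 2,10
 switchport mode trunk
 no shutdown
!
! Only needed if two VLAN interfaces end up at the SAME security level;
! otherwise the ASA silently drops traffic between them.
! same-security-traffic permit inter-interface

! ---- 2960G ----
vlan 2
 name lab
vlan 10
 name lab-deploy
!
interface GigabitEthernet0/20
 description trunk to ASA5505 Eth0/1
 switchport mode trunk
 switchport trunk allowed vlan 2,10
 switchport nonegotiate
!
! Management SVI in VLAN 2, reachable from the ASA's Vlan2 address.
interface Vlan2
 ip address 192.168.200.254 255.255.255.0
 no shutdown
!
ip default-gateway 192.168.200.1
```

`switchport nonegotiate` is there because the ASA does not speak DTP; the switch gains nothing by trying to negotiate, and a port that does not negotiate cannot be talked into trunking by something other than the firewall. The checks worth running before touching ACLs: on the ASA, `show switch vlan` should list Ethernet0/1 under both VLANs and `show switch mac-address-table` should show the 2960's MAC on VLAN 2; on the 2960, `show interfaces gi0/20 trunk` should report the port trunking with VLANs 2 and 10 allowed and active, and `show mac address-table vlan 2` should contain the ASA's MAC (Shane's suggestion above). Both sides default to native VLAN 1, so leave nothing addressed on it, and pull the "allow any any" rules once the layer-2 path is confirmed, since they were only ever a troubleshooting step.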

1 Answer


OK guys, thanks for all the comments -- but I got back to the setup this morning, switched the access ports back to trunk ports (they were access just to prove the cabling worked) and MAGICALLY it started working. I have no idea what caused it to not work all of yesterday.

At least I came out of it with two things: 1) knowing my theory was correct 2) a neat diagram template for future!

Coops