Cascade switches behind ASA 5505

Discussion in 'Cisco' started by yvette.ye@gmail.com, May 15, 2008.

  1. Guest

    Hello...

    I have a lab with an ASA 5505 as a router, as per the configuration
    below. Port 4 and port 6 are configured on the same VLAN13 subnet; port 6
    connects to Switch1 (2960) and port 4 connects to Switch2 (3960). Any host
    connected to Switch1 or Switch2 can connect to the others and to the
    internet without problem.

    Now, when I relocated Switch2 to port 23 of Switch1, hosts on Switch2
    lost connectivity to the rest of the world, except for the hosts on the
    same switch (Switch2).

    My question is: what needs to be changed when cascading one switch to
    another in this configuration?

    The following are the configurations for the ASA 5505, Switch1 and Switch2
    (the IPs have been modified in order to post here).
    Please excuse the long post.

    ASA5505
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.10.10.101 255.255.255.224
    !
    interface Vlan3
    nameif dmz
    security-level 40
    ip address 172.16.3.1 255.255.255.0
    !
    interface Vlan13
    nameif term
    security-level 50
    ip address 172.16.0.1 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    switchport access vlan 3
    !
    interface Ethernet0/4
    switchport access vlan 13
    !
    interface Ethernet0/5
    switchport access vlan 3
    !
    interface Ethernet0/6
    switchport access vlan 13
    !
    interface Ethernet0/7
    !
    passwd r.1223343433 encrypted
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 10.10.1.1
    name-server 10.10.1.2
    domain-name abc.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list test extended permit icmp any any
    access-list test extended permit tcp any host 10.10.10.1 eq www
    access-list test extended permit tcp any host 10.10.10.1 eq https
    access-list test extended permit tcp any host 10.10.10.2 eq www
    access-list test extended permit tcp any host 10.10.10.2 eq https
    access-list test extended permit tcp any host 10.10.10.2 eq 3389
    access-list test extended permit tcp any eq 3390 host 10.10.10.3 eq 3390
    access-list test extended permit tcp any eq 1080 host 10.10.10.3 eq 1080
    access-list temp_in remark temp
    access-list temp_in extended permit ip any host 172.16.1.11
    access-list temp_in extended permit ip any host 172.16.1.12
    access-list temp_in extended permit ip any host 172.16.1.13
    access-list temp_in remark Server02 Temporarily on INSIDE
    access-list temp_in extended permit ip any host 172.16.1.14
    access-list temp_in extended deny ip any 172.16.1.0 255.255.255.0
    access-list temp_in extended permit ip any any
    access-list dmz_in extended permit icmp any any echo-reply
    access-list dmz_in extended permit tcp any eq www host 172.16.1.11 eq www
    access-list dmz_in extended permit tcp host 172.16.3.111 eq 1433 host 172.16.1.11 eq 1433
    access-list dmz_in extended deny ip any 172.16.1.0 255.255.255.0
    access-list dmz_in extended permit ip any host 172.16.0.221
    access-list dmz_in extended deny ip any 172.16.0.0 255.255.255.0
    access-list dmz_in extended permit ip any any
    access-list inside_access_in extended permit tcp host 172.16.3.111 eq 1433 host 172.16.1.11 eq 1433
    access-list inside_access_in extended deny ip host 172.16.1.42 any
    access-list inside_access_in extended deny ip host 172.16.1.43 any
    access-list inside_access_in extended permit ip any any
    access-list dmz_access_in extended permit tcp host 172.16.3.111 host 172.16.1.11 eq 1433
    access-list dmz_access_in extended permit ip host 172.16.3.111 any inactive
    access-list dmz_access_in extended permit ip host 172.16.3.110 host 172.16.0.221
    access-list dmz_access_in extended permit ip host 172.16.3.110 any
    pager lines 30
    logging asdm informational
    logging from-address
    logging recipient-address level errors
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu temp 1500
    no failover
    monitor-interface inside
    monitor-interface outside
    monitor-interface dmz
    monitor-interface temp
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (dmz) 1 interface
    global (temp) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    nat (temp) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 172.16.1.11 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3390 172.16.1.34 3390 netmask 255.255.255.255
    static (dmz,outside) 10.10.10.1 172.16.3.110 netmask 255.255.255.255
    static (temp,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
    static (dmz,outside) 10.10.10.2 172.16.3.111 netmask 255.255.255.255
    static (inside,temp) 172.16.1.12 172.16.1.12 netmask 255.255.255.255
    static (inside,temp) 172.16.1.13 172.16.1.13 netmask 255.255.255.255
    static (inside,temp) 172.16.1.11 172.16.1.11 netmask 255.255.255.255
    static (inside,temp) 172.16.1.14 172.16.1.14 netmask 255.255.255.255
    static (inside,dmz) 172.16.1.11 172.16.1.11 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group test in interface outside
    access-group dmz_access_in in interface dmz
    access-group temp_in in interface temp
    route outside 0.0.0.0 0.0.0.0 10.10.10.22 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 142.50.220.55 255.255.255.255 outside
    http 172.16.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet 0.0.0.0 0.0.0.0 inside
    telnet 0.0.0.0 0.0.0.0 temp
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 temp
    ssh timeout 40
    console timeout 0
    dhcpd auto_config outside
    dhcpd update dns
    !
    dhcpd address 172.16.1.128-172.16.1.254 inside
    dhcpd dns 172.16.1.11 205.152.144.23 interface inside
    dhcpd domain abc.com interface inside
    dhcpd update dns interface inside
    dhcpd enable inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 2048
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    : end


    SWITCH1:
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch1
    !
    enable secret 5 $fwrrwr3r324213413241324
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    !
    !
    no Server verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0/1
    description aaa
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
    description bbb
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    switchport mode trunk
    mls qos trust dscp
    macro description cisco-router
    auto qos voip trust
    spanning-tree portfast trunk
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/13
    switchport access vlan 13
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    macro description cisco-desktop
    spanning-tree portfast
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/14
    switchport access vlan 13
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    macro description cisco-desktop
    spanning-tree portfast
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/15
    switchport access vlan 13
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    macro description cisco-desktop
    spanning-tree portfast
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/16
    switchport access vlan 13
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    macro description cisco-desktop
    spanning-tree portfast
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/17
    switchport access vlan 13
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    macro description cisco-desktop
    spanning-tree portfast
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/18
    switchport access vlan 13
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    macro description cisco-desktop
    spanning-tree portfast
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/19
    switchport access vlan 13
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    macro description cisco-desktop
    spanning-tree portfast
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/20
    switchport access vlan 13
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    macro description cisco-desktop
    spanning-tree portfast
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/21
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    macro description cisco-desktop
    spanning-tree portfast
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/22
    switchport access vlan 13
    switchport mode access
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    macro description cisco-desktop
    spanning-tree portfast
    spanning-tree bpduguard enable
    !
    interface FastEthernet0/23
    description 8 port mini switch
    switchport trunk native vlan 13
    switchport mode trunk
    macro description cisco-switch
    auto qos voip trust
    spanning-tree bpduguard disable
    spanning-tree link-type point-to-point
    !
    interface FastEthernet0/24
    description 5505 - Prepress
    switchport trunk native vlan 13
    switchport mode trunk
    mls qos trust dscp
    macro description cisco-router
    auto qos voip trust
    spanning-tree portfast trunk
    spanning-tree bpduguard enable
    !
    interface GigabitEthernet0/1
    description Server01
    !
    interface GigabitEthernet0/2
    description APP01
    !
    interface Vlan1
    ip address 172.16.1.2 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 172.16.1.1
    ip http server
    !
    control-plane
    !
    !
    line con 0
    line vty 0 4
    login
    line vty 5 15
    login
    !
    end


    SWITCH2:
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Switch2
    !
    enable secret 5 $asdadadadasdasfwewr3424
    !
    no aaa new-model
    clock timezone UTC -5
    clock summer-time UTC recurring
    system mtu routing 1500
    ip subnet-zero
    !
    !
    !
    !
    no Server verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface GigabitEthernet0/1
    !
    interface Vlan1
    ip address 172.16.0.3 255.255.255.0
    !
    ip default-gateway 172.16.0.1
    ip classless
    ip http server
    !

    control-plane
    !
    !
    line con 0
    line vty 0 4
    password 123456
    login
    length 0
    line vty 5 15
    password 123456
    login
    length 0
    !
    end


    Regards,
    Yvette.
     
    , May 15, 2008
    #1

  2. kcallanan

    Switch 1 Port 23

    Switch 1 Port 23 has been set to a trunking port. You need to have trunking enabled on both sides or communication will fail.

    Set up a trunking port on Switch 2 and make sure port 23 on Switch 1 connects to that port.

    Kevin
     
    kcallanan, Jul 16, 2008
    #2
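As an added example (not code from either poster), a small Python check that parses the interface stanzas from both switch configs and reports whether the two ends of the cascade link agree on switchport mode and native VLAN, which is the mismatch the reply describes. The corrected Switch2 stanza is an assumption about what "enable trunking" on that side would look like; the config excerpts are constructed from the thread above.

```python
# Constructed excerpts of the two switch configs posted above: only the stanzas
# for the cascaded link (Switch1 Fa0/23 <-> Switch2 Gi0/1) are kept.
SWITCH1_CFG = """
interface FastEthernet0/23
switchport trunk native vlan 13
switchport mode trunk
!
"""
SWITCH2_CFG = """
interface GigabitEthernet0/1
!
"""
# Hypothetical corrected Switch2 stanza (an assumption about what "enable
# trunking" on that side looks like): a trunk with the same native VLAN.
SWITCH2_FIXED_CFG = SWITCH2_CFG.replace(
    "interface GigabitEthernet0/1\n!",
    "interface GigabitEthernet0/1\nswitchport trunk native vlan 13\n"
    "switchport mode trunk\n!")

def parse_interfaces(config):
    """Map interface name -> switchport settings. Missing lines get IOS defaults
    (access VLAN 1, native VLAN 1); mode stays None when no 'switchport mode'
    line is present, so the link check flags an unconfigured port."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()            # forum posts lose the IOS indentation
        if line.startswith("!"):      # '!' closes the current stanza
            cur = None
        elif line.startswith("interface "):
            cur = {"mode": None, "access_vlan": 1, "native_vlan": 1}
            ifaces[line.split()[1]] = cur
        elif cur is not None:
            if line.startswith("switchport mode "):
                cur["mode"] = line.split()[-1]
            elif line.startswith("switchport access vlan "):
                cur["access_vlan"] = int(line.split()[-1])
            elif line.startswith("switchport trunk native vlan "):
                cur["native_vlan"] = int(line.split()[-1])
    return ifaces

def check_link(cfg_a, if_a, cfg_b, if_b):
    """Compare both ends of one cable; return mismatch strings ([] = consistent)."""
    a, b = parse_interfaces(cfg_a)[if_a], parse_interfaces(cfg_b)[if_b]
    if a["mode"] != b["mode"]:
        return [f"mode: {if_a} is {a['mode']}, {if_b} is {b['mode']}"]
    if a["mode"] == "trunk" and a["native_vlan"] != b["native_vlan"]:
        return [f"native VLAN: {a['native_vlan']} vs {b['native_vlan']}"]
    if a["mode"] == "access" and a["access_vlan"] != b["access_vlan"]:
        return [f"access VLAN: {a['access_vlan']} vs {b['access_vlan']}"]
    return []
```

Running `check_link(SWITCH1_CFG, "FastEthernet0/23", SWITCH2_CFG, "GigabitEthernet0/1")` reports the mode mismatch on the posted configs, and the same call with `SWITCH2_FIXED_CFG` returns an empty list.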
