Routing between subinterfaces

Discussion in 'Cisco' started by crate, Nov 19, 2007.

  1. crate

    crate Guest

    Good Day Everyone,

    My scenario is as follows.

    The setup involves

    1 Catalyst 2950
    1 Catalyst 3750G
    1 ASA 5520

    My objective is to configure two additional subnets using ASA
    subinterfaces as the VLAN gateways.

    For this question we will use on the ASA 5520
    one interface for server interaction
    one interface for all user interaction.

    Core Switch Catalyst 3750G

    Current VLan configuration

    VLAN 1 Server interface 0/0
    VLAN 10 clients interface 0/1

    These VLans are spread on both switches and communicate well.

    So now, I created two additional vlans on the core switch,
    VLAN 20 clients2
    VLAN 30 clients3
    Using the Catalyst 2950, I assigned two computers to vlan 20 and 30
    respectively.

    I configured the trunk on the 2950 interface as follows

    interface FastEthernet0/20
    switchport trunk native vlan 10
    switchport trunk allowed vlan 20,30
    switchport mode trunk
    end

    and its connecting interface on the 3750G configured as

    interface GigabitEthernet1/0/30
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport trunk allowed vlan 20,30
    switchport mode trunk
    end

    The switch interface to ASA is configured as follows

    interface GigabitEthernet1/0/40
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,20,30
    switchport mode trunk
    end

    So after configuring this I configured the ASA interfaces as follows:

    interface GigabitEthernet0/1
    nameif clients
    security-level 80
    ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2

    interface GigabitEthernet0/1.20
    vlan 20
    nameif clients2
    security-level 80
    ip address 172.16.20.1 255.255.255.0 standby 172.16.20.2

    interface GigabitEthernet0/1.30
    vlan 30
    nameif clients3
    security-level 80
    ip address 172.16.30.1 255.255.255.0 standby 172.16.30.2

    Then I typed the command
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    The clients setup 172.168.10.3, 20.3, 30.3 were all able to ping their
    respective gateways.

    So now, to ping the server interface, the following was added using
    a static NAT rule with ASDM 5.2 (I'm still learning CLI for ASA, so
    please excuse me).
    I'll do the printout on the ASA. (sh nat servers/clients/...2/...3)

    Servers
    match ip servers 172.16.1.0 255.255.255.0 clients any static
    translation to 172.16.1.0
    match ip servers 172.16.1.0 255.255.255.0 clients2 any static
    translation to 172.16.1.0
    match ip servers 172.16.1.0 255.255.255.0 clients3 any static
    translation to 172.16.1.0

    Clients
    match ip clients 172.16.10.0 255.255.255.0 servers any static
    translation to 172.16.10.0 (this is my entry)
    match ip clients 172.16.10.0 255.255.255.0 clients any dynamic
    translation to pool 10 (No matching global)(this is not mine but would
    like to know how)
    match ip clients 172.16.10.0 255.255.255.0 clients2 any dynamic
    translation to pool 10 (No matching global)(this is not mine but would
    like to know how)
    match ip clients 172.16.10.0 255.255.255.0 clients3 any dynamic
    translation to pool 10 (No matching global)(this is not mine but would
    like to know how)

    Plus there are other rules there that should only be there for the
    clients but the same is there for all the other nameif regarding PATs

    Clients2
    match ip clients2 172.16.20.0 255.255.255.0 servers any static
    translation to 172.16.20.0

    clients3
    match ip clients3 172.16.30.0 255.255.255.0 servers any static
    translation to 172.16.30.0

    So after adding this in ASDM they can ping the server network.

    The problem now is that they cannot ping each other on the same
    interface. Can anyone shed some light?
    Question as well with the command
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface, would I have to
    configure rules for them to talk to each other provided the first
    issue is resolved?
     
    crate, Nov 19, 2007
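
An added example, not part of the original post: a short Python parser for the `show nat` listing format quoted above. It rejoins the wrapped lines and tabulates, for each ordered pair of interfaces, whether the listing shows a static rule, a dynamic rule flagged "No matching global", or no rule at all. The sample input is constructed from the post's listing with the poster's annotations removed, and the function names are hypothetical.

```python
import re

# Constructed sample: rules from the post's listing, wrapped as posted.
SHOW_NAT = """\
match ip servers 172.16.1.0 255.255.255.0 clients any static
translation to 172.16.1.0
match ip servers 172.16.1.0 255.255.255.0 clients2 any static
translation to 172.16.1.0
match ip servers 172.16.1.0 255.255.255.0 clients3 any static
translation to 172.16.1.0
match ip clients 172.16.10.0 255.255.255.0 servers any static
translation to 172.16.10.0
match ip clients 172.16.10.0 255.255.255.0 clients2 any dynamic
translation to pool 10 (No matching global)
match ip clients 172.16.10.0 255.255.255.0 clients3 any dynamic
translation to pool 10 (No matching global)
match ip clients2 172.16.20.0 255.255.255.0 servers any static
translation to 172.16.20.0
match ip clients3 172.16.30.0 255.255.255.0 servers any static
translation to 172.16.30.0
"""

RULE = re.compile(
    r"match ip (?P<src>\S+) \S+ \S+ (?P<dst>\S+) any "
    r"(?P<kind>static|dynamic) translation to (?P<to>.+)")

def parse_show_nat(text):
    """Return {(src_if, dst_if): status} from wrapped 'show nat' output."""
    flat = " ".join(text.split())  # undo the line wrapping
    table = {}
    for chunk in re.split(r"(?=match ip )", flat):
        m = RULE.match(chunk)
        if not m:
            continue
        status = m["kind"]
        if "No matching global" in m["to"]:
            status += "-no-global"
        table[(m["src"], m["dst"])] = status
    return table

def pair_report(table):
    """Status for every ordered interface pair; 'none' if no rule is listed."""
    names = sorted({name for pair in table for name in pair})
    return {(s, d): table.get((s, d), "none")
            for s in names for d in names if s != d}

if __name__ == "__main__":
    for (src, dst), status in pair_report(parse_show_nat(SHOW_NAT)).items():
        print(f"{src:>8} -> {dst:<8} {status}")
```

For the listing in the post, every pair involving servers comes out static, clients to clients2 and clients3 comes out dynamic-no-global, and the remaining client-to-client pairs have no rule listed.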