Cascade switches behind ASA 5505

Hello...

I have a lab with an ASA 5505 as a router. As per the configuration below, port 4 and port 6 are configured in the same VLAN 13 subnet; port 6 connects to Switch1 (2960) and port 4 connects to Switch2 (3960). Any hosts connected to Switch1 and Switch2 can connect to each other and to the internet without problem.

Now, when I relocated Switch2 to port 23 of Switch1, hosts on Switch2 lost their connection to the rest of the world, except to the hosts on the same switch (Switch2).

My question is: what needs to be changed when cascading one switch to another in this configuration?

The following are the configurations for the ASA 5505, Switch1 and Switch2 (the IPs have been modified in order to post here). Please excuse the long post.

ASA5505:
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.101 255.255.255.224
!
interface Vlan3
 nameif dmz
 security-level 40
 ip address 172.16.3.1 255.255.255.0
!
interface Vlan13
 nameif term
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 13
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 13
!
interface Ethernet0/7
!
passwd r.1223343433 encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.10.1.1
 name-server 10.10.1.2
 domain-name abc.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list test extended permit icmp any any
access-list test extended permit tcp any host 10.10.10.1 eq www
access-list test extended permit tcp any host 10.10.10.1 eq https
access-list test extended permit tcp any host 10.10.10.2 eq www
access-list test extended permit tcp any host 10.10.10.2 eq https
access-list test extended permit tcp any host 10.10.10.2 eq 3389
access-list test extended permit tcp any eq 3390 host 10.10.10.3 eq 3390
access-list test extended permit tcp any eq 1080 host 10.10.10.3 eq 1080
access-list temp_in remark temp
access-list temp_in extended permit ip any host 172.16.1.11
access-list temp_in extended permit ip any host 172.16.1.12
access-list temp_in extended permit ip any host 172.16.1.13
access-list temp_in remark Server02 Temporarily on INSIDE
access-list temp_in extended permit ip any host 172.16.1.14
access-list temp_in extended deny ip any 172.16.1.0 255.255.255.0
access-list temp_in extended permit ip any any
access-list dmz_in extended permit icmp any any echo-reply
access-list dmz_in extended permit tcp any eq www host 172.16.1.11 eq www
access-list dmz_in extended permit tcp host 172.16.3.111 eq 1433 host 172.16.1.11 eq 1433
access-list dmz_in extended deny ip any 172.16.1.0 255.255.255.0
access-list dmz_in extended permit ip any host 172.16.0.221
access-list dmz_in extended deny ip any 172.16.0.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-list inside_access_in extended permit tcp host 172.16.3.111 eq 1433 host 172.16.1.11 eq 1433
access-list inside_access_in extended deny ip host 172.16.1.42 any
access-list inside_access_in extended deny ip host 172.16.1.43 any
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host 172.16.3.111 host 172.16.1.11 eq 1433
access-list dmz_access_in extended permit ip host 172.16.3.111 any inactive
access-list dmz_access_in extended permit ip host 172.16.3.110 host 172.16.0.221
access-list dmz_access_in extended permit ip host 172.16.3.110 any
pager lines 30
logging asdm informational
logging from-address snipped-for-privacy@abc.com
logging recipient-address snipped-for-privacy@abc.com level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu temp 1500
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface temp
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
global (temp) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (temp) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 172.16.1.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 172.16.1.34 3390 netmask 255.255.255.255
static (dmz,outside) 10.10.10.1 172.16.3.110 netmask 255.255.255.255
static (temp,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
static (dmz,outside) 10.10.10.2 172.16.3.111 netmask 255.255.255.255
static (inside,temp) 172.16.1.12 172.16.1.12 netmask 255.255.255.255
static (inside,temp) 172.16.1.13 172.16.1.13 netmask 255.255.255.255
static (inside,temp) 172.16.1.11 172.16.1.11 netmask 255.255.255.255
static (inside,temp) 172.16.1.14 172.16.1.14 netmask 255.255.255.255
static (inside,dmz) 172.16.1.11 172.16.1.11 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group test in interface outside
access-group dmz_access_in in interface dmz
access-group temp_in in interface temp
route outside 0.0.0.0 0.0.0.0 10.10.10.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 142.50.220.55 255.255.255.255 outside
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 temp
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 temp
ssh timeout 40
console timeout 0
dhcpd auto_config outside
dhcpd update dns
!
dhcpd address 172.16.1.128-172.16.1.254 inside
dhcpd dns 172.16.1.11 205.152.144.23 interface inside
dhcpd domain abc.com interface inside
dhcpd update dns interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end

SWITCH1:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch1
!
enable secret 5 $fwrrwr3r324213413241324
!
no aaa new-model
ip subnet-zero
!
!
!
!
no Server verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 description aaa
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 description bbb
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
 switchport mode trunk
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface FastEthernet0/13
 switchport access vlan 13
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/14
 switchport access vlan 13
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/15
 switchport access vlan 13
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/16
 switchport access vlan 13
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/17
 switchport access vlan 13
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/18
 switchport access vlan 13
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/19
 switchport access vlan 13
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/20
 switchport access vlan 13
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/21
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/22
 switchport access vlan 13
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/23
 description 8 port mini switch
 switchport trunk native vlan 13
 switchport mode trunk
 macro description cisco-switch
 auto qos voip trust
 spanning-tree bpduguard disable
 spanning-tree link-type point-to-point
!
interface FastEthernet0/24
 description 5505 - Prepress
 switchport trunk native vlan 13
 switchport mode trunk
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 description Server01
!
interface GigabitEthernet0/2
 description APP01
!
interface Vlan1
 ip address 172.16.1.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.16.1.1
ip http server
!
control-plane
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

SWITCH2:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch2
!
enable secret 5 $asdadadadasdasfwewr3424
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
system mtu routing 1500
ip subnet-zero
!
!
!
!
no Server verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
!
interface Vlan1
 ip address 172.16.0.3 255.255.255.0
!
ip default-gateway 172.16.0.1
ip classless
ip http server
!
control-plane
!
!
line con 0
line vty 0 4
 password 123456
 login
 length 0
line vty 5 15
 password 123456
 login
 length 0
!
end

Regards, Yvette.
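One consistency check a practitioner would run on the two switch configs in the post, as an added example that is not the poster's own material: parse each interface stanza and compare the two ends of the new cable into Switch1 Fa0/23 for the VLAN each side would assign to untagged frames, and for whether either side leaves its mode to DTP negotiation. It assumes the Switch2 uplink is GigabitEthernet0/1 (the post does not name the port) and reports a finding to verify with `show interfaces trunk` and `show spanning-tree`, not a confirmed cause of the outage.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the two switch configs posted above; which Switch2
# port the new cable lands on is not stated, so GigabitEthernet0/1 is assumed.
SWITCH1_CFG = """\
interface FastEthernet0/23
 switchport trunk native vlan 13
 switchport mode trunk
!
interface FastEthernet0/24
 switchport trunk native vlan 13
 switchport mode trunk
!
"""
SWITCH2_CFG = """\
interface GigabitEthernet0/1
!
"""
@dataclass
class Port:
    mode: str = "dynamic"   # no 'switchport mode' line: IOS leaves it to DTP
    access_vlan: int = 1
    native_vlan: int = 1

def parse_ports(cfg: str) -> dict:
    """Return {interface name: Port} for every interface stanza in an IOS config."""
    ports, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ports.setdefault(m.group(1), Port())
        elif cur and (m := re.match(r"\s*switchport mode (\S+)", line)):
            cur.mode = m.group(1)
        elif cur and (m := re.match(r"\s*switchport access vlan (\d+)", line)):
            cur.access_vlan = int(m.group(1))
        elif cur and (m := re.match(r"\s*switchport trunk native vlan (\d+)", line)):
            cur.native_vlan = int(m.group(1))
    return ports

def untagged_vlan(p: Port) -> int:
    """VLAN a port puts untagged frames in: access VLAN on access ports, else native VLAN."""
    return p.access_vlan if p.mode == "access" else p.native_vlan
def check_link(a: Port, b: Port) -> list:
    """Findings for one cable between two switchports; an empty list means consistent."""
    findings = []
    if untagged_vlan(a) != untagged_vlan(b):
        findings.append(f"untagged VLAN mismatch: {untagged_vlan(a)} vs {untagged_vlan(b)}")
    if "dynamic" in (a.mode, b.mode):
        findings.append("one end has no explicit switchport mode (left to DTP)")
    return findings
```

Run `check_link(parse_ports(SWITCH1_CFG)["FastEthernet0/23"], parse_ports(SWITCH2_CFG)["GigabitEthernet0/1"])` to see both findings for the posted configs; the same call on Fa0/23 and Fa0/24 returns an empty list.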
