In this post, we will be talking about the Cisco firewall installation and integration with VLANs installed Cisco Core L3 switch. I know, probably most of you had some troubles while you were implementing this topology ๐ I would like to share all the details that I configured on real devices.
What do we need in our inventory to create this topology;
- Cisco ASA firewall
- Cisco Layer 3 Core switch
- Console cable for configuration (USB to RJ45 console)
- CAT-6 patch cables
- 1 Windows Server for DHCP Server (Not compulsory, DHCP can be installed on ASA or Firewall)
- 2 PCs
- 1 WAN connection (ISP router or home modem etc.)
![](https://barisyuksel.com.tr/wp-content/uploads/2023/04/asa_post_diagram-1024x774.png)
Let’s start with Cisco Layer-3 Switch configuration. We will start configuring VLANs on our core switch and then will connect and route them to firewall using VLAN 2. We will have 4 VLANs. 1 of them is our uplink to firewall, 1 of them is for server use, 2 of them for our clients.
Cisco Core Switch Configuration
Switch>enable Switch#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)#vlan 10 Switch(config-vlan)#vlan 20 Switch(config-vlan)#vlan 30 Switch(config-vlan)#vlan 2 Switch(config-vlan)#exit Switch(config)#int vlan 10 Switch(config-if)#ip address 192.168.10.1 255.255.255.0 Switch(config-if)#ip helper-address 192.168.30.10 Switch(config-if)#no shutdown Switch(config-if)#exit Switch(config)#int vlan 20 Switch(config-if)#ip address 192.168.20.1 255.255.255.0 Switch(config-if)#ip helper-address 192.168.30.10 Switch(config-if)#no shutdown Switch(config-if)#exit Switch(config)#int vlan 30 Switch(config-if)#ip address 192.168.30.1 255.255.255.0 Switch(config-if)#ip helper-address 192.168.30.10 Switch(config-if)#no shutdown Switch(config-if)#exit Switch(config)#int vlan 2 Switch(config-if)#ip address 192.168.2.1 255.255.255.0 Switch(config-if)#no shutdown Switch(config-if)#exit Switch(config)# Switch(config)# Switch(config)#int eth0/1 Switch(config-if)#switchport mode access Switch(config-if)#switchport access vlan 10 Switch(config-if)#no shutdown Switch(config-if)#exit Switch(config)#int eth0/2 Switch(config-if)#switchport mode access Switch(config-if)#switchport access vlan 20 Switch(config-if)#no shutdown Switch(config-if)#exit Switch(config)#int eth0/3 # FOR DHCP SERVER ACCESS Switch(config-if)#switchport mode access Switch(config-if)#switchport access vlan 30 Switch(config-if)#no shutdown Switch(config-if)#exit Switch(config)#do wr Building configuration... [OK] Switch(config)# Switch(config)#int eth0/0 Switch(config-if)#sw mode acc Switch(config-if)#sw acc vlan 2 Switch(config-if)#exit Switch(config)#do wr Building configuration... [OK] Switch(config)#ip routing Switch(config)#do wr Building configuration... [OK] Switch(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.10 # Firewall UPLINK Switch(config)#do wr Building configuration... [OK] Switch(config)#
![](https://barisyuksel.com.tr/wp-content/uploads/2023/04/asa_fw_lld.png)
Cisco ASA / Firepower CLI initial configuration
ciscoasa(config)# no dhcpd enable inside ciscoasa(config)# no dhcpd enable outside ## REMOVE CURRENT DHCP SERVER AND POOLS FOR OUR INSIDE AND OUTSIDE INTERFACES !! ## ciscoasa(config)# ciscoasa(config)# ciscoasa(config)# int eth1/1 ciscoasa(config-if)# nameif outside ciscoasa(config-if)# ip address 192.168.1.100 255.255.255.0 ciscoasa(config-if)# no shutdown ciscoasa(config-if)# exit ciscoasa(config)# int eth1/2 ciscoasa(config-if)# nameif inside ciscoasa(config-if)# ip address 192.168.2.10 255.255.255.0 ciscoasa(config-if)# no shutdown ciscoasa(config-if)# exit ciscoasa(config)# ciscoasa(config-if)#interface vlan 1 ## Change it to some different IP to not to overlap with our configuration ciscoasa(config-if)#ip address 10.0.0.1 255.0.0.0
Access to Cisco ASA through Management Port with Console cable. Use 192.168.45.x /24 IP to access 192.168.45.1 interface. No default password, you can create a password at this phase.
Download Java SDK and Cisco ASDM-IDM management software to interact with your firewall.
Check your interfaces
![](https://barisyuksel.com.tr/wp-content/uploads/2023/04/asa_interfaces-1024x310.png)
Check your NAT configuration, default NAT configuration is sufficient for internet access
![](https://barisyuksel.com.tr/wp-content/uploads/2023/04/asa_nat_default-1024x408.png)
Check your Service Policy Rules and add ICMP for inspection to enable pinging from end-user devices.
![](https://barisyuksel.com.tr/wp-content/uploads/2023/04/asa_service_policy_rules-1024x219.png)
Create static routes for inside VLANs and outside. Outside route will be created as 0.0.0.0 0.0.0.0 to ISP router Gateway 192.168.1.1/24. And VLAN subnets will be routed to our firewall IP link VLAN’s SVI IP as 192.168.2.1/24
![](https://barisyuksel.com.tr/wp-content/uploads/2023/04/asa_static_routes.png)
Outside Route to ISP router
![](https://barisyuksel.com.tr/wp-content/uploads/2023/04/static_outside.png)
Inside Route for each VLAN subnet to firewall uplinked VLAN’s SVI IP.
VLAN 10 route to VLAN 2 SVI IP
![](https://barisyuksel.com.tr/wp-content/uploads/2023/04/static_vlan10.png)
VLAN 20 route to VLAN 2 SVI IP
![](https://barisyuksel.com.tr/wp-content/uploads/2023/04/static_vlan20.png)
And finally, create DHCP server with below parameters and do not forget to add DNS Server to your scopes. Otherwise end-users cannot resolute domain names. You may use 1.1.1.1 or 8.8.8.8 for test purposes.
VLAN 10 > 192.168.10.1 255.255.255.0
VLAN 20 > 192.168.20.1 255.255.255.0
Do not create DHCP scope for VLAN 30 and VLAN 2, these are for servers and firewall uplink.
![](https://barisyuksel.com.tr/wp-content/uploads/2023/04/dhcp_scopes.png)
Plese do not hesitate to contact me if you have questions regarding this deployment.
Happy networking ๐