
Passing non-tagged packets on ASA 5540


jeepnmoab

Vendor
Aug 25, 2009
3
US
Currently I have an 802.1q trunk line between my ASA 5540 and Cisco 62xx switch. Passing multiple VLANs just fine. I'm introducing a new device on the network that has to sit in the middle of this trunk line. I have successfully installed the device between the switch and the ASA and the device acts as a bridge passing all tagged traffic over it just fine. The problem that I have is that the new device sitting on the trunk line needs to communicate through the firewall out to the internet and is unable to do so. The reason is because it is unable to communicate directly with the firewall because the new appliance can only generate untagged packets. Well this could potentially be a problem when sitting on a trunk line that is expecting only tagged packets, which the ASA will deny. According to Cisco's documentation they say that as long as you name the actual physical interface on the ASA, the ASA will accept untagged packets. Well I have given the physical interface a name but I'm still unable to ping the new appliance sitting on the trunk line. Does anyone know how I can configure the ASA to communicate with this new appliance on the trunk line that can only generate untagged packets? Do I have to give the physical interface an IP address as well? Any help would be greatly appreciated!
 
Treat it like a normal interface for that - give it an IP, security level, speed and duplex if you want, and make sure it isn't shut down.

Just out of curiosity, what does the device do?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
It's an in-line filtering and shaping device. It has no problems filtering and shaping the tagged packets that come across the interface, it's just that it can't generate tagged packets that originate from its bridge interface for things such as communicating directly to the internet for updates or communicating with a computer for management purposes. So on page 130 of the following link, when they specify the following:

"If you want to let the physical or redundant interface pass untagged packets, you can configure the nameif command as usual".

Are they implying that you have to completely configure the physical interface and NOT JUST the nameif command? A little incomplete on the documentation if you ask me, hence I'm trying to find someone that has some more definitive answers.
 
Just another question in regards to your reply. So if I give the physical interface an IP address does that mess up my 802.1q trunking on my sub-interfaces?
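Brent's advice (treat the physical port as a normal interface) and the follow-up question about the sub-interfaces, put into one worked ASA configuration. This is an added example, not from the thread or from Cisco; the interface numbers, names, addresses, the appliance's address 192.0.2.10, an existing "outside" interface, and the pre-8.3 NAT syntax are all assumptions.

```cisco
! Physical trunk port. Giving it a nameif, a security level and an IP address
! makes the ASA terminate UNTAGGED frames here (the native side of the trunk).
! Constructed example: interface numbers, names and addresses are assumed.
interface GigabitEthernet0/1
 description Trunk to switch; in-line appliance sits in this path
 nameif native-mgmt
 security-level 50
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! The 802.1q sub-interfaces are untouched: tagged frames are still matched by
! their VLAN tag and delivered to the sub-interface, not to the physical port.
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! The untagged side is now a firewall interface in its own right, so scope it:
! only the appliance may originate traffic, and only to the services it needs
! (HTTPS for updates, DNS). Everything else is dropped and logged.
access-list native-mgmt_in extended permit tcp host 192.0.2.10 any eq 443
access-list native-mgmt_in extended permit udp host 192.0.2.10 any eq 53
access-list native-mgmt_in extended deny ip any any log
access-group native-mgmt_in in interface native-mgmt
!
! Internet access for the appliance: PAT it behind the outside interface
! (pre-8.3 nat/global syntax, matching the 2009-era software in the thread).
nat (native-mgmt) 1 192.0.2.10 255.255.255.255
global (outside) 1 interface
```

Verify with `show interface GigabitEthernet0/1` (link up, address set) and `show access-list native-mgmt_in` (hit counts climbing on the permit lines, not only on the deny) once the appliance is pointed at 192.0.2.1 as its gateway.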
 