Cisco ASAv - Router on a stick (L3 Inter-VLAN routing)

Router On A Stick is a (cheaper and slower) alternative to having an expensive Layer 3 switch for routing between VLANs (a.k.a. Inter-VLAN routing).
Layer 3 switches can route between VLANs at wire speed.
With Router On A Stick, a Layer 2 switch sends Inter-VLAN traffic (packets tagged with a VLAN ID) over the trunk port to the ASA, which decides how to route it (by looking up routing tables, ACLs, etc.) and then sends it back to the switch towards the correct destination.
This means every packet between different VLANs has to cross the single Gigabit link between the switch and the ASA twice (there and back), so it is slower than wire speed.
But for general purposes in a small environment with a limited budget it will be fine. For latency- and throughput-sensitive applications it might pose a problem, so you will need a proper network design and plan to decide whether it's worth getting a Layer 3 switch or whether you can make do without one for now. If you can afford it in your networking budget, I would always go with a Layer 3 switch. If not, stick with a Layer 2 switch and Router On A Stick and upgrade later when you have the money.

For this to work you need a layer 2 switch (preferably a Cisco) which supports the 802.1Q standard connected to the ASA's Inside interface and configured as a Trunk port.

You probably have a switch connecting your ESXi host(s) and other devices around the house/home lab/office, etc.

The way this will work is, on your ESXi host(s) you will need two dedicated physical NICs reserved for the ASAv, separate from your other interfaces: one for the Outside interface and one for the Inside interface. (You could use your existing VM Network/Management network in vSphere as the inside interface!)

Note: If you plan to have two ASAvs in HA Failover, I would suggest putting the standby ASAv on another ESXi host (with two dedicated physical ports plus one for the HA network between the two ASAvs) and following my previous article on HA Failover to understand how to put it together.

You will need to connect a cable from the ISP router to the physical port reserved for the Outside interface on your Primary ASAv, and a second cable from the ISP router to your Standby ASAv (for HA Failover). Then connect another cable from the physical NIC reserved for the Inside interface on your ASAv to your switch (to the port that will be the trunk port); do the same for your Standby ASAv (again, for HA Failover).
Your ESXi hosts' Management and Production port groups are then assigned to NICs connected to your switch. The switch ports connecting to your ESXi hosts need to be configured as trunk ports so that you can configure VLANs via the vSwitch and port groups.

This is easier to understand if you try to ignore that the ASA lives in your ESXi host, and instead visualize the ASAv and the physical NICs you have reserved for it as a separate physical ASA. Drawing a network topology diagram helps with this (I usually do).

You will need to configure a port on the switch as a trunk port (to allow multiple VLANs over a single interface). On a Cisco switch this is easy:

On the interface you are using as a trunk port (in my example it's gi0/14):
conf t
interface gi0/14
switchport trunk encapsulation dot1q
switchport mode trunk

ASA 5505 vs ASAv and ASA 5510 and higher differences

First of all, note that the ASAv behaves like the ASA 5510 and higher: on those platforms you define sub-interfaces and assign each one a VLAN. On the ASA 5505, however, you configure VLAN interfaces and then configure the switch port as an access port to assign the VLAN to it, by running:

On the ASA 5505

interface vlan 2
nameif servers
security-level 100
ip address 10.0.2.1 255.255.255.0
!
interface ethernet0/1
switchport access vlan 2
no shutdown

On the ASAv (or ASA 5510 and higher)

OK, now that the switch is ready, on to the ASAv.

If you have multiple sub-interfaces on one physical ASA interface, each with a different VLAN ID, Cisco treats the physical interface as a trunk port; there is no extra config needed for encapsulation or switchport mode like there is in the switch example above (it's not a switchport!).

So basically you define a sub-interface like so:

conf t
interface gi0/1.2
vlan 2
nameif servers
security-level 100
ip address 10.0.2.1 255.255.255.0
!
interface gi0/1.3
vlan 3
nameif wifi
security-level 100
ip address 192.168.3.1 255.255.255.0

As you can see, you now have two sub-interfaces of interface gi0/1, each with a VLAN defined, so gi0/1 is a trunk port with VLANs 2 and 3 allowed through! You will need to repeat the above steps for the second interface designated as the trunk port to your physical Layer 2 switch as well.

Now you also need to do a bit more config:

These two same-security commands allow traffic to flow between sub-interfaces (VLANs), and between hosts on the same interface, when they are configured with the same security level; as you can see above, they were all configured with security-level 100. Obviously, in a production environment you will want to use ACLs instead of allowing everything to talk to everything, which defeats the purpose of having VLANs and separate broadcast domains (or security, for that matter).
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Now, understandably, you may look at the config and think it's done, but you would be wrong! ASAs, by default, NAT everything, and that includes traffic between inside interfaces, not just outside in. So you need to create static NAT rules (mapping each network to itself) to bypass NAT for every sub-interface to sub-interface (or VLAN to VLAN) flow you want to allow.

First you need to create your normal NAT rules for your outside interface so that inside networks NAT to the outside IP address (i.e. get Internet access):

conf t
object network obj-inside
subnet 10.0.1.0 255.255.255.0
nat (inside,outside) dynamic interface
exit
object network obj-wifi
subnet 192.168.3.0 255.255.255.0
nat (wifi,outside) dynamic interface
exit
object network obj-servers
subnet 10.0.2.0 255.255.255.0
nat (servers,outside) dynamic interface

Now you need to create static NAT entries to bypass NAT between these VLANs. Each rule needs its own network object carrying the real subnet, e.g.:

object network obj-inside01
subnet 10.0.1.0 255.255.255.0
nat (inside,wifi) static 10.0.1.0

object network obj-inside02
subnet 10.0.1.0 255.255.255.0
nat (inside,servers) static 10.0.1.0

object network obj-wifi01
subnet 192.168.3.0 255.255.255.0
nat (wifi,inside) static 192.168.3.0

object network obj-wifi02
subnet 192.168.3.0 255.255.255.0
nat (wifi,servers) static 192.168.3.0

object network obj-servers01
subnet 10.0.2.0 255.255.255.0
nat (servers,inside) static 10.0.2.0

object network obj-servers02
subnet 10.0.2.0 255.255.255.0
nat (servers,wifi) static 10.0.2.0

As the ASA is a firewall, not a router, enable routing like this:
router eigrp 500
network 10.0.1.0 255.255.255.0
network 192.168.3.0 255.255.255.0
network 10.0.2.0 255.255.255.0
passive-interface outside
exit

You can also specify the MTU per interface, then save the config:

mtu inside 1500
mtu servers 1500
mtu wifi 1500
mtu outside 1500
write mem

Once you have done the above your Layer 3 Inter-VLAN routing will start working!

Note: read this about native VLANs (especially if you are experiencing issues with a connected Cisco Layer 2 switch)

Since we're working with other Cisco gear in this example (a Layer 2 Cisco switch), we need to ensure the VLAN on the sub-interface of the ASA's physical port connected to the switch is NOT the native VLAN on the switch. Native VLAN frames are not tagged with a VLAN ID; native VLAN traffic is sent across the trunk like any ordinary untagged traffic. Because the ASA is expecting tagged traffic, and there is no interface on that physical port configured without a VLAN, the traffic will be ignored (dropped). If there is an interface configured without a VLAN, the ASA will assume the untagged traffic is for that interface, and any explicit ACL or NAT rules you have configured will then drop or allow it depending on those rules, which could cause problems or pose a security issue.
Normally on a Cisco switch, VLAN 1 is the native VLAN unless it has been changed, which is why I have avoided using VLAN 1 in my example config above. However, if the native VLAN on your switch is VLAN 2 or 3 like in my example, make sure you don't use those two VLANs on your ASA, just to be safe (and avoid problems), or change the native VLAN back to 1 and use my config as normal.
(If you have configured an interface (e.g. int gi0/1) on the ASA without a VLAN, plus sub-interfaces with VLAN IDs (e.g. int gi0/1.10), the interface gi0/1 would effectively be the native VLAN, as its traffic is untagged, while the sub-interfaces (int gi0/1.10) would have their traffic tagged with their VLAN.)
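As an added example (not part of the original post, and not a Cisco tool), the following Python script reads the sub-interface config above, flags any sub-interface whose VLAN equals the switch's native VLAN (the drop/mis-assignment problem described in this note), and generates the full set of identity NAT-bypass objects from the earlier section so you don't have to hand-write n*(n-1) rules. The sample config is the post's two sub-interfaces; the switch native VLAN (1 by default) is passed in by hand.

```python
import ipaddress
import re
from itertools import permutations

# Constructed sample: the post's two sub-interfaces, not pulled from a live ASA.
ASA_CONFIG = """interface gi0/1.2
 vlan 2
 nameif servers
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface gi0/1.3
 vlan 3
 nameif wifi
 security-level 100
 ip address 192.168.3.1 255.255.255.0
"""

# One "interface gi0/1.N" stanza and its body, up to the next interface or end of text.
SUBIF_BLOCK = re.compile(r"interface \S+\.\d+\n(.*?)(?=\ninterface |\Z)", re.S)

def parse_subinterfaces(config):
    """Map each sub-interface nameif to its VLAN ID, network address and mask."""
    subifs = {}
    for m in SUBIF_BLOCK.finditer(config):
        body = m.group(1)
        nameif = re.search(r"nameif (\S+)", body).group(1)
        vlan = int(re.search(r"vlan (\d+)", body).group(1))
        ip, mask = re.search(r"ip address (\S+) (\S+)", body).groups()
        net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
        subifs[nameif] = {"vlan": vlan, "network": str(net.network_address), "mask": mask}
    return subifs

def native_vlan_conflicts(subifs, switch_native_vlan):
    """Sub-interfaces tagged with the switch's native VLAN: the switch sends that
    VLAN untagged, so the ASA drops it or maps it onto an untagged parent interface."""
    return sorted(n for n, s in subifs.items() if s["vlan"] == switch_native_vlan)

def identity_nat_rules(subifs):
    """One identity (NAT-bypass) object NAT rule per ordered pair of sub-interfaces,
    each in its own network object as in the post; the rule count grows as n*(n-1)."""
    lines, seq = [], {}
    for src, dst in permutations(sorted(subifs), 2):
        seq[src] = seq.get(src, 0) + 1
        s = subifs[src]
        lines += [f"object network obj-{src}{seq[src]:02d}",
                  f" subnet {s['network']} {s['mask']}",
                  f" nat ({src},{dst}) static {s['network']}"]
    return lines
```

Add the physical inside interface's own object by hand if you also exempt it, as the post does; the script only walks sub-interfaces.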
