Switch – L3 Core Switch and VPN Access Configuration


At work we have a Cisco 3560 L3 core, in which we implement all our L3 VLANs and ACLs controlling inter-VLAN routing. As far as client machines are concerned, the L3 switch is the default gateway, which then forwards packets on to the router. As far as the router is concerned, if it can't see a client machine, it is attached to the switch. However, now there is a requirement for remote-access VPNs, for which we will be using our 5520 ASA routers. The issue that arises here is that all our ACLs are in the switch, and I'd prefer to leave all these types of controls in the switch. Ideally, I would like VPN traffic to come in off the router and go into the switch on the appropriate VLAN, where the switch could then control ACLs.

I have noticed that the 5520s do have a 'vlan' option under the group-policy related to a remote connection; however, I'm somewhat confused as to the best way of getting the data into the switch.

How would I best achieve this? My LAN port is GigabitEthernet0/1.

  • Do I use GigabitEthernet0/1.4?
  • Do I trunk GigabitEthernet0/1 to the switch, and set a loopback with my router's internal IP to retain routing?
  • Can I just tag the VLANs and push them into the switch somehow?

Here is a knock-together image of the topology.

[Image: Network Topology]

  • The clients on the left are inside the LAN, in their appropriate VLANs as depicted in the picture.
  • Our core switch is a Cisco 3560. Our router is a Cisco 5520 ASA.
  • The clients on the right represent remote clients that are connected in via Cisco SSL VPN.

Thanks all

ASA base config:

hostname CoreRouter
domain-name ***
enable password *** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd *** encrypted
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 30.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.6.5 255.255.255.0
!
ftp mode passive
clock timezone AWST 8
object network NET-10.0
 subnet 10.0.0.0 255.255.0.0
 description Per (Local)
object network NET-10.1
 subnet 10.1.0.0 255.255.0.0
 description Avv (Remote)
object network RemoteAccessCorp
 subnet 10.0.4.0 255.255.255.0
 description SSL Restricted Remote Access
object network RemoteAccessIT
 subnet 10.0.5.0 255.255.255.0
 description SSL Unrestricted Remote Access
object-group network NET-VPN
 network-object object NET-10.1
 network-object object RemoteAccessCorp
 network-object object RemoteAccessIT
!
access-list s2s-vpn-avv extended permit ip object NET-10.0 object NET-10.1
pager lines 24
mtu outside 1500
mtu inside 1500
mtu inside_12 1500
mtu inside_13 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NET-10.0 NET-10.0 destination static NET-VPN NET-VPN no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic NET-10.0 interface
access-group ingress-harden in interface outside
route outside 0.0.0.0 0.0.0.0 30.0.0.2 1
route inside 10.0.6.0 255.255.255.0 10.0.0.2 1
route inside 10.0.2.0 255.255.255.0 10.0.0.2 1
route inside 10.0.3.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP-MEMBEROF-VPN
  map-name  memberOf Group-Policy
  map-value memberOf "CN=IT Staff,OU=Production,OU=Groups,OU=All Users and groups,DC=internal" ItClient
  map-value memberOf "CN=ASA-VPN,OU=Production,OU=Groups,OU=All Users and groups,DC=internal" CorpClient
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.0.6.2
 ldap-base-dn OU=Production Users,OU=All Users and groups,DC=internal
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ASA SSL VPN,OU=LDAP System accounts,DC=internal
 server-type microsoft
 ldap-attribute-map LDAP-MEMBEROF-VPN
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
no snmp-server enable
no service password-recovery
crypto ipsec ikev2 ipsec-proposal OurProposal
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map AeonMap 1 match address s2s-vpn-avv
crypto map AeonMap 1 set peer ***
crypto map AeonMap 1 set ikev2 ipsec-proposal OurProposal
crypto map AeonMap interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn CoreRouter.internal
 subject-name CN=CoreRouter.internal
 keypair sslvpnkey
 crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
 certificate ***
  quit
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 21
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
group-policy CorpClient internal
group-policy CorpClient attributes
 wins-server value 10.0.6.2
 dns-server value 10.0.6.2
 dhcp-network-scope 10.0.6.2
 vpn-simultaneous-logins 100
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
group-policy ItClient internal
group-policy ItClient attributes
 wins-server value 10.0.6.2
 dns-server value 10.0.6.2
 dhcp-network-scope 10.0.6.2
 vpn-simultaneous-logins 100
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
username admin password *** encrypted privilege 15
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 authentication-server-group LDAP
 default-group-policy NoAccess
 dhcp-server 10.0.6.2
tunnel-group RemoteAccess webvpn-attributes
 group-alias Connect enable
tunnel-group *** type ipsec-l2l
tunnel-group *** ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6c07d337dc0b47763e4661313febe10c
: end

3560 base config: This is a test switch with little configuration

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name ***
ip name-server 10.0.6.2
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
 description To Router
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
!
interface Vlan2
 description Corporate
 ip address 10.0.2.1 255.255.255.0
 ip helper-address 10.0.6.2
!
interface Vlan3
 description IT
 ip address 10.0.3.1 255.255.255.0
 ip helper-address 10.0.6.2
!
interface Vlan4
 description Corporate VPN
 shutdown
!
interface Vlan5
 description Corporate IT VPN
 shutdown
!
interface Vlan6
 description Servers
 ip address 10.0.6.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!
!
control-plane
!
!
line con 0
 escape-character 3
line vty 0 4
 login
line vty 5 15
 login
!
end

EDIT 1 – ASA sub-interfaces and switch trunk port – NOT WORKING

I have configured the following in the switch:

interface Port-channel1
  description Core Router trunk
  switchport trunk encapsulation dot1q
  switchport mode trunk
!
interface FastEthernet0/8
  description to Router
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 1 mode on
!
interface Loopback0
  ip address 10.0.0.2 255.255.255.0

And in the ASA, I have the following:

interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/1.12
  nameif inside_12
  security-level 100
  no ip address
  vlan 12
interface GigabitEthernet0/1.13
  nameif inside_13
  security-level 100
  no ip address
  vlan 13

group-policy CorpClient attributes
  wins-server value 10.0.6.2
  dns-server value 10.0.6.2
  dhcp-network-scope 10.0.6.2
  vpn-simultaneous-logins 100
  vpn-idle-timeout 30
  vpn-tunnel-protocol ssl-client
  vlan 12
group-policy ItClient attributes
  wins-server value 10.0.6.2
  dns-server value 10.0.6.2
  dhcp-network-scope 10.0.6.2
  vpn-simultaneous-logins 100
  vpn-idle-timeout 30
  vpn-tunnel-protocol ssl-client
  vlan 13

However, the issue I am encountering with this approach is that it doesn't seem to allow communication between the router and the switch. I believe this is because the switch port is in 'trunk' mode and the router port is in 'access' mode?

Best Answer

One real problem right off the bat is that your switch loopback is 10.0.0.2/24, and your statically configured default route is to 10.0.0.1/24, so all your default traffic is sent to the loopback.

You have some serious design problems.

Your switch interface to the ASA is on VLAN 1 (10.0.1.0/24), but the ASA interface is a routed interface on a different network (10.0.0.0/24). That will never work.

You should probably use the no switchport command on the switch interface to the ASA, and configure it as a routed interface. It will need to use an address in the same network as the ASA interface, and that cannot be the same network as your loopback interface (you should probably change the loopback).
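The answer's point about the loopback and the default route, checked in code. This is an added example, not part of the original question or answer: it models the switch's layer-3 interfaces from EDIT 1 with Python's ipaddress module, resolves the default-route next hop the way longest-prefix matching would, and repeats the check with the routed-port fix the answer describes (the new loopback address 10.0.9.1/32 is an assumed placeholder, not from the post).

```python
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Optional, Tuple

# interface name -> "addr/prefix", or None for a pure layer-2 trunk port
Interfaces = Dict[str, Optional[str]]

def egress_interface(ifaces: Interfaces, next_hop: str) -> Optional[str]:
    """Longest-prefix match of a next hop against the connected networks.
    Returns the interface a route to that next hop would actually use."""
    hop = ip_address(next_hop)
    best: Optional[Tuple[str, int]] = None
    for name, addr in ifaces.items():
        if addr is None:
            continue
        net = ip_interface(addr).network
        if hop in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0] if best else None

def interfaces_on_network(ifaces: Interfaces, peer_addr: str) -> List[str]:
    """Interfaces whose connected network overlaps the peer's network."""
    peer = ip_interface(peer_addr).network
    return [n for n, a in ifaces.items()
            if a is not None and ip_interface(a).network.overlaps(peer)]

def overlapping_subnets(ifaces: Interfaces) -> List[Tuple[str, str]]:
    """Pairs of L3 interfaces on the same box whose networks overlap."""
    nets = [(n, ip_interface(a).network) for n, a in ifaces.items() if a]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

ASA_INSIDE = "10.0.0.1/24"  # ASA GigabitEthernet0/1, per the posted config
# Switch L3 interfaces as posted in EDIT 1 (Fa0/8 is a trunk, so no address).
BROKEN: Interfaces = {"FastEthernet0/8": None, "Loopback0": "10.0.0.2/24",
                      "Vlan2": "10.0.2.1/24", "Vlan3": "10.0.3.1/24",
                      "Vlan6": "10.0.6.1/24"}
# The answer's fix: Fa0/8 becomes a routed port on the ASA's network and the
# loopback moves elsewhere (10.0.9.1/32 is an assumed placeholder address).
FIXED: Interfaces = {**BROKEN, "FastEthernet0/8": "10.0.0.2/24",
                     "Loopback0": "10.0.9.1/32"}

if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN), ("after fix", FIXED)):
        print(f"{label}: default route via {egress_interface(cfg, '10.0.0.1')}, "
              f"on ASA network: {interfaces_on_network(cfg, ASA_INSIDE)}, "
              f"overlaps: {overlapping_subnets(cfg)}")
```

With the posted config the next hop 10.0.0.1 resolves to Loopback0, so the default route can never reach the ASA; after the fix it resolves to FastEthernet0/8, and the overlap check flags any attempt to put the routed port on 10.0.0.0/24 while the loopback still sits there.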