topic Thank you very much for your in Network Security

Converting an existing interface on ASA 5510 to sub-interfaces

Jean Milne — Tue, 12 Mar 2019 09:27:39 GMT

If a sub interface is added to a currently in-use interface on an ASA 5510, will this bring the interface down?

The situation is that all 4 of the ports on our production ASA 5510 are currently in use. The overall aim is to add a test DMZ but there is nowhere for it to go.

The plan is to split the port that is hosting LightsOut traffic into sub-interfaces with their own vlans until the DMZ configuration is complete. Then we will swap the LightsOut traffic back into its own port.

I would like to prepare in advance but I don't want to take the interface down until Monday afternoon.

I have completed an experiment (huge thanks to Jon Marshall) getting multiple vlans working on a single ASA 5505 interface. The ASA 5505 allowed me to create the vlan interfaces in advance and then trunk them when I was ready.

However, the setup is different on the ASA 5510.

Can I add the sub-interfaces now or will that screw up the interface..?

My apologies if the answer to this is obvious. The documentation wasn't clear and I'd rather not just try it and see.

Hello,

dperezoquendo — Fri, 02 Jun 2017 20:08:02 GMT

Hello,

From what I remember, you can't have the main physical interface really configured. If you wanted to add sub-interfaces, you will need to remove any configuration on the physical interface. Preferably set the interface to its default. From there you can create the sub-interfaces and configure security-levels and nameif's under each sub-interface.

However, make sure you back-up all configurations that are tied the nameif of that interface. I believe once you reset the interface back to default, you will lose all your ACLs n whatnot that are tied to that nameif.

Thank you for your reply

Jean Milne — Mon, 05 Jun 2017 06:48:18 GMT

Thank you for your reply dperezoquendo. Vey much appreciated (especially the reminder about backing up).

I have two last questions. I wanted to add the reset you suggested to the beginning but have been unable to find the command..?

I've googled "asa reset interface" "asa interface remove configuration" and a number of variations but only get articles about resetting the whole device.

Also, does it matter if you configure the subinterfaces first or the trunk?

I'm with dperezoquendo. In

James Leinweber — Mon, 05 Jun 2017 17:32:27 GMT

I'm with dperezoquendo. In my own experience converting from an existing non-trunked interface to one with subinterfaces will require bringing down that interface. I usually reload the entire firewall after overwriting the startup-configuration, as that can be faster than editing back in all the stuff destroyed by removing the original interface.

On the firewall interface you are converting from access-mode /single use to trunk mode / multiple use, you would do something like:

interface Gi0/3

no shutdown

no nameif

no security-level

no ip address

That "no nameif ..." statement is the one which has the nasty side effects where you destroy all the related NAT, ip reverse-path, mtu, ike, access-group etc. settings.

On the switch the firewall is connected to, the configuration of the port looks something like:

switchport trunk encapsulation dot1q
switchport trunk native vlan NNN
switchport trunk allowed vlan 1,XXX,YYY
switchport mode trunk
switchport nonegotiate

You have to replace NNN, XXX, and YYY with appropriate vlan tags from your environment. The native vlan should be entirely unused for anything except that. Back at the ASA, the subinterface configuration look something like:

interface Gi0/3.XXX

vlan XXX

...

interface Gi0/3.YYY

vlan YYY

...

I don't think it matters which order you do the switch and the firewall in, though I tend to do the switch first. If you do the firewall first you might need do shutdown the parent physical interface and bring it back up after fixing the switchport. The dot1q and nonegotiate settings on the switchport are key to successful communication with the ASA firewall; it is inflexible and unconfigurable for anything else.

Good luck with the conversion,

-- Jim Leinweber, WI State Lab of Hygiene

Thank you very much for your

Jean Milne — Tue, 06 Jun 2017 11:26:40 GMT

Thank you very much for your reply. I had actually just completed the conversion and was on site so didn't see it when it came in.

You have explained one issue I experienced. I had forgotten the no nameif command (and so an access rule was still attached to e0/3 and I thought it was because I hadn't removed the group). I've added the no nameif to my cookbook of CLI tasks.

The switch is a Netgear switch which I had already setup in the main office. All I had to do was plug it in and it was all set up. Thanks to this forum, I had run through a test experiment and the only unknown was using subinterfaces on the ASA 5510 rather than vlan interfaces on the ASA 5505.

However, we will be upgrading to Cisco switches soon so your config examples are very much appreciated.

Thanks again for your reply.