topic Thanks for your quick in Network Security

Cisco ASA 5506-X Config Questions

Tue, 12 Mar 2019 09:24:03 GMT

I have upgraded from a 5505 to a 5506-X that I have on a small test network at home. I was able to configure the internal and external interfaces and have access to the internet and DHCP. I'm looking to configure the following networks: PC/Printer, Wireless and CCTV. By the way my 5506 is not wireless so I will be configuring a Meru controller as my wireless network. I see that the new 5506 does not have the VLAN tag option on the Advanced button like on the 5505. I've read that you can add sub-interfaces to create VLANs on the 5506. Form the examples I have seen, is it possible to add VLANs to the internal interface Gig1/2 (internal), Gig1/3 (wireless), Gig1/4 (cctv) without having to create sub-interfaces? If so, what are the commands?

Below is the Configuration example showing VLANs:

http://www.cisco.com/c/en/us/support/docs/security/asa-5506-x-firepower-services/200417-Configure-the-ASA-5506W-X-with-a-Non-Def.html

You can't create VLAN and

Ashish Jhaldiyal — Mon, 22 May 2017 19:12:51 GMT

You can't create VLAN and then assign ports to VLANs like 5505, You can create port-channel with ports gig 1/2,3 and 4 and then create sub-interface on port-channel.

Ashish

Thanks for your quick

Mon, 22 May 2017 19:37:54 GMT

Thanks for your quick response. I was able to find this article referring to what you spoke of:

http://www.petenetlive.com/KB/Article/0001085

Create Sub interface for VLAN 2

Petes-ASA(config)# interface gigabitEthernet 1.2

Petes-ASA(config-subif)# vlan 2

Petes-ASA(config-subif)# nameif Corp-LAN INFO: Security level for "Corp-LAN" set to 0 by default.

Petes-ASA(config-subif)# security-level 100

Petes-ASA(config-subif)# ip address 10.2.2.254 255.255.0.0

Petes-ASA(config-subif)# exit Petes-ASA(config)#

Create Sub interface for VLAN 3

Petes-ASA(config)# interface gigabitEthernet 1.3

Petes-ASA(config-subif)# vlan 3

Petes-ASA(config-subif)# nameif Corp-WiFi INFO: Security level for "Corp-Wifi” set to 0 by default.

Petes-ASA(config-subif)# security-level 90

Petes-ASA(config-subif)# ip address 10.3.3.254 255.255.0.0

Petes-ASA(config-subif)# exit

Need clarification: "To create sub interfaces on a physical interface, that interface must have no settings on it (other than it should not be shutdown)."

Does that mean I leave the config empty on interface Gig1/1 and create sub-interfaces for all my networks (data, wireless, cctv)?

If so, how do I configure my uplink on my Cisco switch? Do I configure as a Trunk with command Switchport Access VLAN X,X,X

Switchport Trunk Allowed

Or will I need a Native VLAN command?

You are correct, you don't do

Ashish Jhaldiyal — Mon, 22 May 2017 20:40:52 GMT

You are correct, you don't do any configuration on the physical port, configure IP, VLAN and security level under sub-interface.

On switch you have to configure ports as below

switchport mode trunk

switchport trunk allowed vlan x

Thank you Ashish, what worked

Tue, 23 May 2017 13:52:21 GMT

Thank you Ashish, what worked. But now I cannot ping one network from the other. What is the command to allow all the networks to see each other?