topic Hi,Have you thought about Sub in Network Security

Multiple Subnets through ASA

Andrew Clark — Tue, 12 Mar 2019 04:54:27 GMT

I need to configure a firewall to allow several subnets/vlans through it. I'm having trouble figuring out a way for all of the subnets on one side to go through the ASA.

Here is the situation

RouterA P2P-> RouterB -> ASA -> L2Switch

L2Switch has VLANS 187-199

I'm using an ASA5515-X that only has 6 interfaces so i obviously can't have all these subnets connected.

I tried transparent mode but can only have up to 8 BVI's.

Am i over thinking this?

Hi,Have you thought about Sub

Vibhor Amrodia — Sat, 11 Oct 2014 00:53:01 GMT

Hi,

Have you thought about Sub Interfaces:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html#wp1082576

Thanks and Regards,

Vibhor Amrodia

We typically make a transit

Marvin Rhoads — Sat, 11 Oct 2014 04:24:53 GMT

We typically make a transit VLAN between the switch and the ASA. It has only two L3 addresses - the switch SVI for that VLAN and the ASA inside interface.

You then either run a routing protocol (OSPF or EIGRP) to learn the routes dynamically or else the switch has the ASA address as its default gateway and the ASA has routes (or a summarized route) for the subnets pointing towards the switch.

I agree with Vibhor, you need

Marius Gunnerud — Mon, 13 Oct 2014 08:35:03 GMT

I agree with Vibhor, you need to setup subinterfaces on the ASA and allocate each subinterface to its respective VLAN. The interface on the L2switch which connects to the ASA should be configured as a trunk interface.

That should sort you out.

Please remember to select a correct answer and rate helpful posts

I have done subinterfaces but

Andrew Clark — Mon, 13 Oct 2014 13:22:54 GMT

I have done subinterfaces but i must be over complicating it.

So the L2 switch has it's usual VLANs, then on the inside interface of the ASA i set up subinterfaces with a transition VLAN, then the outside interface of the firewall is the routers uplink port?

I'm going to make a visio of how i invision this going down and upload it here.

If you internal switch is

Marvin Rhoads — Mon, 13 Oct 2014 13:29:33 GMT

If you internal switch is only L2 then yes you use subinterfaces.

You need a trunk port from the switch to the ASA so that it tags all of the VLAN traffic destined for each subinterface on the ASA.

I think i understand now.

Andrew Clark — Mon, 13 Oct 2014 13:37:32 GMT

I think i understand now. Something like this?

The suggestion I made was for

Marvin Rhoads — Mon, 13 Oct 2014 13:40:16 GMT

The suggestion I made was for an ASA in routed mode - not transparent.

98% of the ASA installations I have seen (and I've seen several hundred) are routed mode.

Ok. Does the outside

Andrew Clark — Mon, 13 Oct 2014 14:55:57 GMT

Ok. Does the outside interface need to be trunked as well or no? I understand that the Inside interface needs to be set up with subinterfaces which essentially turns the inside interface into a trunk. But what about the outside interface?

interface GigabitEthernet0/0
nameif outside
security-level 0
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.187
vlan 187
nameif Inside-187
security-level 100
no ip address
!
interface GigabitEthernet0/1.188
vlan 188
nameif Inside-188
security-level 100
no ip address
!
interface GigabitEthernet0/1.189
vlan 189
nameif Inside-189
security-level 100
no ip address
!
interface GigabitEthernet0/1.190
vlan 190
nameif Inside-190
security-level 100
no ip address

No, the outside interface

James Leinweber — Mon, 13 Oct 2014 22:29:04 GMT

No, the outside interface would be not trunked. But the upstream router would need to send all the various subnets to the ASA, and if there is any inbound traffic the ACL's on the outside interface would have to permit it.

-- Jim Leinweber, WI State Lab of Hygiene

As Jim correctly noted, there

Marvin Rhoads — Tue, 14 Oct 2014 03:00:41 GMT

As Jim correctly noted, there's no trunk necessary upstream.

Routing needs to work as needed - typically we NAT on the firewall to either the interface address (dynamic PAT) or to specific addresses in the outside subnet (static NAT). In either of those cases the upstream router never sees the inside subnets - only the addresses on the connected interface whose subnet it shares with the ASA's outside interface.

In routed mode, your interfaces need to have IP addresses.