topic Thank you! You have been a in Network Security

ASA 5510 with two subnets behind 'inside' interface?

Albert Succar — Tue, 12 Mar 2019 04:44:33 GMT

Hi All,

We currently have an ASA 5510 sitting in front of a catalyst 2960 unmanaged switch. Would it be possible to assign multiple subnets to the inside interface of the ASA without the need to purchase more equipment (an additional router)? I ask because we are in the process of changing our internal subnet and we would like to do so with minimal downtime. So allowing us to have both networks up and slowly transition everything to the new subnet would be our best approach. All help/suggestions is appreciated. Thank you in advance!

Sure it is possible.You just

Marius Gunnerud — Thu, 11 Sep 2014 13:17:37 GMT

Sure it is possible.

You just need to create subinterfaces on the ASA and place those subinterfaces in their respective VLANs. You also need to trunk the port on the 2960 which connects to the ASA to allow the VLANs to pass over the link.

int gig0/1
no shut

int gig0/1.10
vlan 10
security-level 100
nameif inside1
ip add 10.10.10.1 255.255.255.0

int gig0/1.20
vlan 20
security-level 100
nameif inside2
ip add 20.20.20.1 255.255.255.0

same-security-traffic permit intra-interface

As simple as that 🙂 Also remember to configure NAT and any required ACLs for the interfaces. If you require help with these just let us know

Please remember to select a correct answer and rate helpful posts

Thank you for clarifying that

Albert Succar — Thu, 11 Sep 2014 13:34:54 GMT

Thank you for clarifying that for me. Currently, here is our inside interface:

interface Ethernet0/1
nameif NJinternalIPs
security-level 100
ip address 192.168.1.2 255.255.255.0

As you can see, no VLAN was setup for this interface. If I was to go with your approach, would I need to create 2 new sub-interfaces with their own associated VLAN? Or could I leave the existing interface and create 1 sub-interface with its own VLAN? I hope I worded that question correctly.

I have never tested this, So

Marius Gunnerud — Thu, 11 Sep 2014 13:51:22 GMT

I have never tested this, So might do so soon 🙂 , I am not sure if the main interface will be tagged with the native VLAN...So to be on the safe side, I would suggest creating subinterfaces for both VLANs

Please remember to select a correct answer and rate helpful posts

Based on what I've been

Albert Succar — Thu, 11 Sep 2014 13:56:12 GMT

Based on what I've been reading, this may be the best approach.

There are several switches behind the 2960 switch. Would any configuration need to be done on these switches as-well? Or would I just need to trunk the port going from 2960 -> ASA.

You would just need to make

Marius Gunnerud — Thu, 11 Sep 2014 14:00:09 GMT

You would just need to make sure that all the required VLANs are trunked to the 2960 switch connected to the ASA and that these same VLANs are also trunked to the ASA, and that the ASA has a subinterface for each VLAN.

And it should go without saying that each subinterface on the ASA will be the default gateway for hosts in their respective VLANs

Please remember to select a correct answer and rate helpful posts

Thank you for your help. As

Albert Succar — Thu, 11 Sep 2014 14:11:30 GMT

Thank you for your help. As you can tell, I'm fairly new to this process so please bear with me.

If I understand you correctly, all switches behind the 2960 do not need to be adjusted. Host traffic will flow through these switches and hit the 2960. The port going from 2960 to ASA will be trunked and the ASA will have the sub-interfaces configured for each VLAN.

Will I also need to create these VLANS on the switch itself? Again, sorry for the stupid questions. I am trying to get a good understanding before moving forward.

Not to worry, there are no

Marius Gunnerud — Thu, 11 Sep 2014 14:17:39 GMT

Not to worry, there are no stupid questions 🙂

The VLANs will need to configured on all the switches and all the ports that connect between the switches need to be trunked. this is important, otherwise the VLAN traffic will not be transported to the next switch. It is possible that this is already done.

int gig0/1
description "Link between switches"
switchport mode trunk
switchport trunk encapsulation dot1q

Please remember to select a correct answer and rate helpful posts

Thank you! You have been a

Albert Succar — Thu, 11 Sep 2014 14:24:06 GMT

Thank you! You have been a great help!