topic ASA Version 9.0(3)!hostname in Network Security

can't create subinterface from Cisco5510

j10151983 — Tue, 12 Mar 2019 04:35:23 GMT

Hi Guys, need your help. I have a newly purchased Cisco5510 and I am configuring it as usual from the other high end ASA. But from this ASA, I cannot create a subinterface and cannot configure nameif from the main interface. Is it really a behaviour of Cisco5510? Another problem I have is, I have downgraded the IOS from Version 9.0 to 8.25 as per our company standard. I was able to load the ios and boot to this IOS, however upon checking, the software version is still 9.0.

Hi, If you are configuring

Jouni Forss — Wed, 06 Aug 2014 16:49:29 GMT

Hi,

If you are configuring sub interfaces on the ASA they should be configured in the following way

interface Ethernet0/0.100
vlan 100
nameif <name>
security-level <level>
ip address <ip> <mask>

Are you sure that you have configured the "vlan" under the sub interface before you try to configure "nameif" or any other parameters? I wonder if having the firewall in Transparent mode would affect this also? Or is the firewall in its default Routed mode?

Also with regards to your software level problem. I would presume that the problem is that you have not removed the higher level software from the boot settings

Try the command

show run boot

If you can see the file for the software 9.0 mentioned then remove it. It might be first on the list and then after that the 8.2 and because of that the new software might still be booting up.

Hope this helps 🙂

- Jouni

Firewall didn't accept

j10151983 — Wed, 06 Aug 2014 17:29:26 GMT

Firewall didn't accept "interface eth0/0.100" or any other subinterface, same thing when I go to main interface and try doing nameif, no available syntax for that. With regards to IOS, yes I removed the previous IOS, from the show bootvar, it shows 8.2 image only. Actually, when I reload the firewall, it shows it is loading from 8.2 image. I will share the result once back to office.

The interface that you want

burleyman — Wed, 06 Aug 2014 17:45:00 GMT

The interface that you want to create sub interfaces should look like this

int eth0/0

no nameif

security-level XX <-- what ever level you want here

no ip address

now add the sub-interfaces

interface Ethernet0/0.100
description Interface to ???
vlan 100
nameif XXX <-- what you want to name it
security-level XX <-- what ever security level you want
ip address <ipaddress> <Mask>

no shut

hope this helps

mike

Sorry it does not HAVE to be

burleyman — Wed, 06 Aug 2014 17:50:15 GMT

Sorry it does not HAVE to be that.... I was just seeing if that worked for you.

Can you post the config for that port?

Also check to make sure the main port is not shutdown

Mike

ASA Version 9.0(3)!hostname

j10151983 — Thu, 07 Aug 2014 10:45:59 GMT

ASA Version 9.0(3)
!
hostname BUFW7001
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 522
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 523
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan522
nameif Inside_Int
security-level 100
ip address 10.204.51.57 255.255.255.248
!
interface Vlan523
nameif Outside_Int
security-level 0
ip address 10.209.47.1 255.255.255.252
!
boot system disk0:/asa825-k8.bin
ftp mode passive

Hi, You wont be able to

Jouni Forss — Thu, 07 Aug 2014 12:08:56 GMT

Hi,

You wont be able to create subinterfaces on the ASA5505 model as its a firewall with a built in switch module. Therefore it acts like a L3 switch and you configure Vlan interfaces instead of subinterfaces of actual physical ports. Seems there was some missunderstanding related to the ASA model. ASA5505 has switch ports and you can configure Trunk interfaces with the proper license (Security Plus). No other basic ASA model (other than the FWSM and ASASM) support Vlan interface to my understanding.

Depending if the ASA is using Base License or Security Plus license your allowed Vlan interface limit may vary. On the Base License its 3 vlans (of which one is resricted) and on Security Plus I think the limitation was 20 Vlans.

Hope this helps 🙂

- Jouni