topic The physical interface needs in Network Security

ASA sub interface

JDMJeffy84 — Tue, 12 Mar 2019 00:44:01 GMT

Hello,

I need advice if my configuration will work or not. Currently have a interface on ASA configured with:

interface GigabitEthernet0/1

description INSIDE
speed 1000

duplex full

mac-address xxxx.xxxx.xxxx

nameif inside

security-level 100

ip address 192.168.x.x 255.255.255.0 standby 192.168.x.x

If I change this to a subinterface will this work?

interface GigabitEthernet0/1
description 802.1q Trunking Interface for test networks

no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.x
description INSIDE
speed 1000
duplex full
mac-address xxxx.xxxx.xxxx

nameif inside
security-level 100

ip address 192.168.x.x 255.255.255.0 standby 192.168.x.x

This config should be copied to standby ASA? both are in a ACTIVE/STANDBY failover

Thanks

Re: ASA sub interface

Jouni Forss — Mon, 07 Jan 2013 12:59:21 GMT

Hi,

When configuring the ASA for Trunking, the Physical interface should have no real configurations. You could give it a good description that says that its a Trunk (as you have written later in the post) and configure the speed/duplex if needed.

Using some made up names a Trunk might look something like this

interface GigabitEthernet0/0

description LAN Trunk

no nameif

no security-level

no ip add

speed 1000

duplex full

interface GigabitEthernet0/0.100

vlan 100

nameif inside

security-level 100

ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2

interface GigabitEthernet0/0.200

vlan 200

nameif dmz

security-level 50

ip add 192.168.10.1 255.255.255.0 standby 192.168.10.2

To sum it up

Main Physical interface usually has no real configurations other than Speed/Duplex/description
Subinterfaces are good to name with the Vlan ID they are going to have under them (Gi0/0.100 = Vlan ID 100)

If you have Failover configured between 2 ASA firewalls and its working correctly you should be able to do all configurations on the Active ASA and they will replicated to the Standby ASA

Please rate if the information was helpfull and/or ask more if needed

- Jouni

ASA sub interface

shamax_1983 — Tue, 08 Jan 2013 09:29:17 GMT

In addition to Jouni's instructions,

If you want to use vlan1 ( default vlan ) for some network this is how you should do this.

interface GigabitEthernet0/0

description LAN Trunk with vlan 1

nameif someInterface

security-level 100

ip add 172.16.1.1 255.255.255.0 standby 172.16.1.2

speed 1000

duplex full

interface GigabitEthernet0/0.100

vlan 100

nameif inside

security-level 100

ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2

Never do this..

interface GigabitEthernet0/0

description LAN Trunk

no nameif

no security-level

no ip add

speed 1000

duplex full

interface GigabitEthernet0/0.1

vlan 1

nameif someInterface

security-level 100

ip add 172.16.1.1 255.255.255.0 standby 172.16.1.2

interface GigabitEthernet0/0.100

vlan 100

nameif inside

security-level 100

ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2

I know it seems correct but it will never work..

With this config.. The traffic on the VLAN 1 will not work and not be seen by the ASA. I have done this mistake in the past and wasted hours troubleshooting

If you want to use vlan1, configure it on the physical interface it self..

Please rate this post if helpful..

Thanks

Shamal

ASA sub interface

JDMJeffy84 — Tue, 08 Jan 2013 10:51:49 GMT

Hi,

I made the changes and the sub interface was fine. But, moving the physical interface to sub-interface the ASA deleted all my rules bound to that interface? and lost the NAT rules?

Currently running 8.4(4)

Re: ASA sub interface

Jouni Forss — Tue, 08 Jan 2013 10:59:27 GMT

Hi,

If you want to recover the configuration I would suggest perhaps either rebooting the device (if you havent already saved the configuration that lacks all configurations related to the "nameif")

Or you could check the original startup configuration and gather all the lost configurations from there and "drop" them back to the firewall.

When you remove the "nameif" configuration it removes all configurations related to it from the firewall. Theres no real way of transfering the "nameif" to another interface. Just have to copy/paste the configurations back after the interface -> subinterface change.

You've probably lost all the NAT rules. Also the "access-group" command has dissapeared but the ACL itself meant for the interface should still be on the ASA. There might be other configurations that also dissapeared. Other most common might be telnet/ssh/http management configurations etc.

- Jouni

That is because when you use

Android4255 — Wed, 21 Jan 2015 01:58:22 GMT

That is because when you use subinterface you trunk the switch. Vlan 1 is the native and by configuring the physical interface that causes the asa to pass untagged traffic. Never use Vlan 1 and always change native Vlan on uplinks.

The physical interface needs

Android4255 — Wed, 21 Jan 2015 03:30:23 GMT

The physical interface needs to match the native Vlan.