topic Re: Configure sub-interfaces in Cisco ASA 5520 in Network Security

Configure sub-interfaces in Cisco ASA 5520

yolande_n — Mon, 11 Mar 2019 23:11:03 GMT

Hi,

I have a cisco ASA 5520 that i'm configuring.

From the actual Firewall (with is a linux server), we have the outside interface eth0 with has a public IP and other sub-interfaces (eth0.1; eth0.2,...) with others publics IPs.

I'd like to know how I can configure it in an ASA

Thanks

Re: Configure sub-interfaces in Cisco ASA 5520

rizwanr74 — Thu, 24 May 2012 13:17:08 GMT

Hi Yolande,

Here is one example below.

interface Ethernet0/0

speed 100

duplex full

no nameif

no security-level

no ip address

interface Ethernet0/0.1

vlan 1

nameif management

security-level 100

ip address 10.10.10.1 255.255.255.252

I hope this answers your question.

thanks

Rizwan Rafeek

Message was edited by: Rizwan Mohamed

Re: Configure sub-interfaces in Cisco ASA 5520

yolande_n — Thu, 24 May 2012 13:23:11 GMT

Hi rizwanr74,

in your configuration, you add vlan1. should I always put the vlan?

I have about 10 sub interfaces to configure with the ASA; i am wondering if i should create 10 vlans

thanks

Re: Configure sub-interfaces in Cisco ASA 5520

rizwanr74 — Thu, 24 May 2012 13:32:14 GMT

"in your configuration, you add vlan1. should I always put the vlan?"

Yes, you must have a vlan number and ASA's port in the example it is "interface Ethernet0/0" will be connected a trunk port on to a switch.

With layer2 vlan number, your internal switch will know for which vlan it must forward to packet to.

"I have about 10 sub interfaces to configure with the ASA; i am wondering if i should create 10 vlans"

Natually you will have to create ten subinerfaces with layer2 vlan number.

Hope that answers your question.

thanks

Rizwan Rafeek

Re: Configure sub-interfaces in Cisco ASA 5520

yolande_n — Thu, 24 May 2012 13:39:16 GMT

if i resume, i should just create a layer 2 vlan and then my 10 subinterfaces with be linked to the vlan number?

Configure sub-interfaces in Cisco ASA 5520

rizwanr74 — Thu, 24 May 2012 14:14:55 GMT

"if i resume, i should just create a layer 2 vlan and then my 10 subinterfaces with be linked to the vlan number?"

You do not create the layer2 vlan numbers sperately on the ASA, but rather you assing a subinterface itself to a layer2 vlan number (as shown below), by doing so your trunk port on your switch will know for switch layer2 vlan a given packet is coming on the trunk port.

interface Ethernet0/0.200

vlan 200

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.252

interface Ethernet0/1.300

vlan 300

nameif management

security-level 100

ip address 10.30.30.1 255.255.255.252

Hope this answers your question.

thanks

Rizwan Rafeek

Please rate helful post.

Configure sub-interfaces in Cisco ASA 5520

yolande_n — Fri, 25 May 2012 07:22:07 GMT

thanks for your answer but my concern if that those vlan (200, 300 on your example) are there also in my lan? because on my lan, i have some Vlan which are not on my actual firewall.

Re: Configure sub-interfaces in Cisco ASA 5520

rizwanr74 — Fri, 25 May 2012 15:04:40 GMT

You would want to create a vlan in the Firewall at first place, only if you have those vlan locally exists on your LAN or WAN for peering with given segments.

If you do create a vlan just only on your Firewall without that particular vlan exists on your LAN or WAN, where does the traffic from such vlan can communicate with for peering? Answers is nowhere.

I hope that answers your question or concern.

thanks

Rizwan Rafeek.

Please rate helful post.

Re: Configure sub-interfaces in Cisco ASA 5520

robertkwilcox1 — Tue, 01 May 2018 23:10:06 GMT

Re: Configure sub-interfaces in Cisco ASA 5520

Florin Barhala — Thu, 03 May 2018 09:00:44 GMT

Can you share the configuration of the switch port that is connected to the Linux eth0 interface?
I want to find out if you're using tagged traffic or you have just secondary IP addresses on your Linux interface (same vlan).

Thanks!