topic Revisiting basics in interface configuration in Network Security

Revisiting basics in interface configuration

gregdzurinda — Mon, 11 Mar 2019 21:11:13 GMT

I have an ASA5520 (8.2 version of firmware) whose physical ports are all taken. I want to add a subinterface, but I believe I have set it up incorrectly:

interface GigabitEthernet0/0

description Ethernet to 2800 router (internet gateway)

speed 1000

duplex full

nameif outside

security-level 0

ip address 106.x.x.50 255.255.255.248

interface GigabitEthernet0/1

description Ethernet to 3750 switch for admin 207

speed 1000

duplex full

nameif admin

security-level 96

ip address 96.x.x.1 255.255.255.0

interface GigabitEthernet0/1.60

vlan 60

nameif vlan60

security-level 100

ip address 192.168.1.10 255.255.0.0

interface GigabitEthernet0/2

description Ethernet to 3750 switch for student 10

speed 1000

duplex full

nameif inside

security-level 75

ip address 10.0.0.10 255.0.0.0

interface GigabitEthernet0/3

description Ethernet to 3750 switch for admin 63

speed 1000

duplex full

nameif Admin2

security-level 98

ip address 109.x.x.1 255.255.255.0

interface GigabitEthernet0/0

description Ethernet to 2800 router (internet gateway)

speed 1000

duplex full

nameif outside

security-level 0

ip address 106.x.x.50 255.255.255.248

interface GigabitEthernet0/1

description Ethernet to 3750 switch for admin 207

speed 1000

duplex full

nameif admin

security-level 96

ip address 96.x.x.1 255.255.255.0

interface GigabitEthernet0/1.60

vlan 60

nameif vlan60

security-level 100

ip address 192.168.1.10 255.255.0.0

interface GigabitEthernet0/2

description Ethernet to 3750 switch for student 10

speed 1000

duplex full

nameif inside

security-level 75

ip address 10.0.0.10 255.0.0.0

interface GigabitEthernet0/3

description Ethernet to 3750 switch for admin 63

speed 1000

duplex full

nameif Admin2

security-level 98

ip address 109.x.x.1 255.255.255.0

------------------------------------------------------------------------

Gi0/1.60 is the int I added. I believe that I have to remove the IP address from the physical interface (gi0/1) before I assign IP addresses to subinterfaces- can anyone confirm this? I suppose if I have to do that, I will have to add a separate subinterface to accomodate the already existing 96.x.x.1 net. If that notion is correct, and I do that, I should be able to ping from any device assigned to VLAN 60 to any device belonging to a VLAN in a lower security-level interface, correct?

Revisiting basics in interface configuration

varrao — Sat, 13 Aug 2011 03:38:43 GMT

Hi Greg,

Yes you would need to remove the ip address from the physical interface gig0/1 and create two sub-interfaces. The best practic that I follow is, first copy the config related to interface admin by :

show run interface | in admin

copy the config, then create sub-interface, because when you create the sub-interface, the physical interface configuration would be wiped out. Modify the config and apply it to the new interface, and then create as many new logical interfaces you want.

The two interfaces won't ping each other just because of higher to lower traffic flow, you would need to do nat translation for the traffic (if nat-control enabled) and allow the return ping packets. Lets say you have nat-conttrol enabled and you ping from vlan60 to admin, you would need:

nat (vlan60) 1 0.0.0.0 0.0.0.0

global (admin) 1 interface

access-list test permit icmp any any echo-reply

access-group test in interface admin

and this would allow your ping traffic.

Hope this helps.

Thanks,

Varun

Revisiting basics in interface configuration

gregdzurinda — Mon, 15 Aug 2011 08:13:18 GMT

My head scratching on this begins with the fact that I have aleady configured the subinterface on the firewall. The configs I added above are actually from the ASA. I received no messages that I could not add a subinterface under the condition that I already had IP configured on Gi0/1, AND it didn't break the segment already live (96.x.x.1). Plus, when I ping from a laptop connected to VLAN 60 (192.168.1.x), I don't get a reply, but I see the translation in the Xlate table.

The reason I mention this is a buddy said that despite clinical thought that adding a subinterface to a physical interface "won't work", he has seen it work before. I can't say it's actually working, but how am I seeing my laptop's IP in the xlate table?

Re: Revisiting basics in interface configuration

Jon Marshall — Mon, 15 Aug 2011 11:34:11 GMT

Gregory

If the ASA works in the same way as IOS then you should indeed be able to assign an ip to the physical interface and then use subinterfaces for other vlans. It is not the standard way of doing it but it doesn't mean it wouldn't work.

The reason you can do this is because if you have the physical interface with an IP and then subinterfaces the physical interface is assumed to be in the native vlan ie. the packets will not be tagged. So any packets coming from the native vlan on the switch will go to the physical interface and any tagged packets will be matched to the corresponding subinterface, assuming you have a subinterface for the tagged vlan.

Jon

Revisiting basics in interface configuration

varrao — Mon, 15 Aug 2011 17:50:54 GMT

What Jon, said about physical interface being assumed as a native vlan and packets hitting the interface untagged is absolutely spot on. You would be able to assign the ip address to both the sub-interface and physiocal interface, but you shoudl never do that, because of the same reason. Always create, different logical interfaces and then do your routing on ASA. This is never recommended by us.

-Varun