topic Re: ASA5510:configure two subnets on one Interface in Network Security

ASA5510:configure two subnets on one Interface

David Lin — Mon, 11 Mar 2019 15:59:57 GMT

I am working on ASA5510 which has 3 ethernet interfaces. I have allocated outside, inside, DMZ for each interface. But I want to configure two subnets on inside interface.

I found there are 4 physical ports in the ethernet interface. The light is on when I pluged a device into the fourth port, but I can't do anything on it. Is it possible to use this port?

If not, can we use management interface as a subnetwork interface? or use subinterface on inside interface?

TIA.

Re: ASA5510:configure two subnets on one Interface

JORGE RODRIGUEZ — Tue, 28 Jul 2009 17:06:44 GMT

David,

You have 0,1,2,3 ethernet ports plus manament port interface.

if you already allocated 0 as your outside interface and say the inside is on port 1 you could use dot1q and trunk it to your inside switch, have the subinterfaces in asa inside for your two inside subnets. The 1 or 0 ports can also operate at gig speed interfaces if your asa has sec plus license, if not sec plus license you can still do dot1q trunking.

Gig speed feature

http://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn723.html#wp272663

Subinterfaces

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html

As for the manangement port technically you can use this port as a routed port just like the other ports as long you remove management only command off that interface, but best is to leave it as management port for management purposes .. my recommendation is to take advantage of gig speed and use trunking for multiple subnets.

Regards

Re: ASA5510:configure two subnets on one Interface

David Lin — Tue, 28 Jul 2009 18:50:47 GMT

Unfortunately, my ASA5510 has ethernet interface only(it's mistake in the oder). So I have to go for subinterface now.

Just curious, how come the unit has 4 physical ports but the IOS only show 3 interfaces are available(ethernet0/0,0/1,0.2)?

Re: ASA5510:configure two subnets on one Interface

JORGE RODRIGUEZ — Tue, 28 Jul 2009 20:06:44 GMT

Hi David thanks for rating, most likely would be the code your asa has.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Based on ASA comparison and licensing, base license should provide 5 10/100 interfaces which includes the management interface.. so technically you should be able to see all 5 interfaces.

On the other hand with Sec Plus license shown in red print from above link you will have 2 10/100/1000baseT interfaces and 3 10/100 including management one..

So I sort of lean to think it is a code limitation probably under the 7.x code which you probably are running.

Regards

Re: ASA5510:configure two subnets on one Interface

David Lin — Tue, 28 Jul 2009 20:28:29 GMT

Thank you. The image is 7.08 and the license is very basic. The e0/3 is not licensed.

I have image asa811-smp-k8.bin and asa802-k8.bin come with a CD in the packaged box. Can I just load it and upgrade to the later verison? Does it help?

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

0: Ext: Ethernet0/0 : address is 0024.97f0.3e68, irq 9

1: Ext: Ethernet0/1 : address is 0024.97f0.3e69, irq 9

2: Ext: Ethernet0/2 : address is 0024.97f0.3e6a, irq 9

3: Ext: Not licensed : irq 9

4: Ext: Management0/0 : address is 0024.97f0.3e6c, irq 11

5: Int: Not used : irq 11

6: Int: Not used : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : 4

Maximum VLANs : 10

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : 50

Re: ASA5510:configure two subnets on one Interface

JORGE RODRIGUEZ — Tue, 28 Jul 2009 21:33:28 GMT

If you have cco account for software download access load the latest version 8.2(1) [asa821-k8.bin] along with asdm version 6.2 (asdm-621.bin), even though is ED (early deployment) status I have been running it with no issues.

software download CCO login required

http://tools.cisco.com/support/downloads/go/InterfaceModuleSWT.x?mdfid=279916854&mdfLevel=Model&treeName=Security&modelName=Cisco%20ASA%205510%20Adaptive%20Security%20Appliance&treeMdfId=268438162

looked at asa811-smp-k8.bin code,this code is meant to be loaded on ASA5580-20 and ASA5580-40 models only based on software download description notes. You can try 8.0(2) asa802-k8.bin - this is release notes for 802 for reference http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html

in cd there shoudl be asdm image for 802 version as well, you will need asdm upgrade for 802... but if you have cco access download latest codes.

as usual when upgrading backup current code and asdm immage as well as your config to an tftp server, save the output of "show version" .

loading the imgage to disk0 should be fairly simple , you can do it through asdm gui or cli which is easier, keep in mind if done through cli to update boot statement and asdm statements accordingly to reflect new codes. If you need help let us know.

regards

Re: ASA5510:configure two subnets on one Interface

David Lin — Wed, 29 Jul 2009 17:31:23 GMT

After upgrading the image, I can manage the forth port now!(the license keeps no change, such FO is still disabled)

The another way by using subinterface also works for me.

Thank you for your kind help!

Re: ASA5510:configure two subnets on one Interface

JORGE RODRIGUEZ — Wed, 29 Jul 2009 22:52:18 GMT

David, thanks for updating post, glad all working out with new code.

The failover feature is still disabled becuase it is not suported with base license, to use failover down the road when you get another asa5510 will require security plus license on both to use active/standby architecture.

Again thanks for rating .

Regards