ASA 5540 subinterface issue

angrynetguy — Mon, 11 Mar 2019 13:39:47 GMT

Hello.

I'm not very familiar with firewalls, but I've inherited a network with an active/standby 5540 configuration. It looks like the 0/3 interface on the standby firewall is bad, so I recently tried to move the subinterfaces on that interface to the 0/2 interface. (They each only have 3 subifs, and there shouldn't be bandwidth concerns, as there's a bottleneck upstream.) When I did this in a management window (performing the change on the active firewall, and allowing it to replicate to the standby), I changed the subinterface numbers to match their associated VLAN numbers, for both the existing and the migrated subifs on the 0/2 interface. I was able to ping servers on all VLANs from the firewall, but a colleague trying to get in from outside was unable to access them.

Other than the subinterface numbering, and the physical interface on which they reside, nothing in the firewall configuration changed. I don't understand why this would work one way, and not the other.

Any advice I get would be appreciated. I'll do my best to answer any questions.

Re: ASA 5540 subinterface issue

markjoblin7 — Mon, 08 Sep 2008 01:13:43 GMT

Hi there,

I made a similar change on a ASA5510 last week. I changed a physical interface to subinterfaces. Then I found all the all the statics and NAT associated with the physical int were removed from the config. This may explain why your colleague couldn't access them from the outside.

topic Re: ASA 5540 subinterface issue in Network Security

ASA 5540 subinterface issue

Re: ASA 5540 subinterface issue