08-02-2013 01:21 PM - edited 03-12-2019 06:05 PM
Hello,
On our ASA 5520 I have the following config:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 218.257.136.133 255.255.255.224 standby 218.257.136.134
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.231.52.1 255.255.255.0 standby 10.231.52.3
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
Both g0/0 and 0/1 are connected to a Cisco 4500 core switch physically. Now I'm not sure how to approach having two separate VLANs in the DMZ that I would want to put on g0/2. One would be 172.16.30.0/24 and the other 172.16.33.0/24. I was thinking of creating subinterfaces on the ASA and assigning a proper IP on each one, and on the switch side I would make the interface a trunk allowing both VLANs. The problem is I cannot create a subinterface on the ASA - it does not allow me to apply the changes in ASDM, and the CLI says:
Haddad/2(config)# int g 0/2.1
^
ERROR: % Invalid input detected at '^' marker.
Haddad/2(config)#
Any idea why I would not be able to create the subinterface on the ASA, or perhaps any other suggestion how I could make the DMZ with 2 VLANs? Also there are 4 physical interfaces on the ASA, yet I only see 3 in the config and in ASDM, and I'm not sure why. I just took over and I don't have any kind of documentation for the network, so any help would be greatly appreciated. Thanks in advance
Voyteck
08-02-2013 01:25 PM
Hi,
Would this by any chance be an ASA pair running in Multiple Context mode?
An Active/Active pair?
This would mean that you CAN NOT configure a new interface under a Security Context, but rather you would have to configure subinterfaces with VLANs under the System Context space and attach those subinterfaces to the Security Context that needs them. Then those subinterfaces would show up under the Security Context configuration and could be assigned "nameif", "security-level" and "ip address", among other things.
- Jouni
08-02-2013 01:28 PM
Yes, but I believe they would be in the active/standby but I might be wrong
08-02-2013 01:37 PM
Hi,
Well if you can use CLI then this can be checked by going to the System Context configuration space and issuing the command
show run context
It should show if Security Contexts are configured to different Failover Groups.
Or you might be able to check this with command
show run failover
But whether it's an Active/Standby or Active/Active setup, you would have to configure new interfaces in the System Context first.
You could, for example, check the configuration of GigabitEthernet0/2 in the System Context:
show run interface GigabitEthernet0/2
If it doesn't have any configuration you could, for example, do:
Configuring Interfaces in System Context
interface GigabitEthernet0/2
description DMZ Trunk
interface GigabitEthernet0/2.100
description DMZ1
vlan 100
interface GigabitEthernet0/2.200
description DMZ2
vlan 200
Adding Subinterfaces Under the Security Context
context CONTEXT-NAME
allocate-interface GigabitEthernet0/2.100
allocate-interface GigabitEthernet0/2.200
Moving to under the Security Context
changeto context CONTEXT-NAME
Configuring the Subinterfaces under Security Context
interface GigabitEthernet0/2.100
description DMZ1
nameif dmz1
security-level 50
ip add 172.16.30.1 255.255.255.0 standby 172.16.30.2
interface GigabitEthernet0/2.200
description DMZ2
nameif dmz2
security-level 50
ip add 172.16.33.1 255.255.255.0 standby 172.16.33.2
I would suggest going through the setup though and not just configuring these in the ASA.
The above should give you an example of adding the interfaces in a Multiple Context mode ASA
Hope this helps
- Jouni
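A small consistency check of the allocation relationship described in the post above (subinterface and VLAN tag defined in the System Context, allocate-interface into the context, nameif/ip address inside the context). This is an added Python example, not from the thread or from Cisco; the two config strings are constructed from the post's own example, and "CONTEXT-NAME" is the same placeholder the post uses.

```python
import re

# Constructed sample input: the System Context part of the post's example
SYSTEM_CFG = """
interface GigabitEthernet0/2
 description DMZ Trunk
interface GigabitEthernet0/2.100
 description DMZ1
 vlan 100
interface GigabitEthernet0/2.200
 description DMZ2
 vlan 200
context CONTEXT-NAME
 allocate-interface GigabitEthernet0/2.100
 allocate-interface GigabitEthernet0/2.200
"""

# Constructed sample input: what is configured inside the Security Context
CONTEXT_CFG = """
interface GigabitEthernet0/2.100
 nameif dmz1
 security-level 50
 ip address 172.16.30.1 255.255.255.0 standby 172.16.30.2
interface GigabitEthernet0/2.200
 nameif dmz2
 security-level 50
 ip address 172.16.33.1 255.255.255.0 standby 172.16.33.2
"""

def parse_blocks(cfg):
    """Return {top-level line: [indented child lines]} for ASA-style config text."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
    return blocks

def subinterface_vlans(system_cfg):
    """Map each System Context subinterface (name contains '.') to its 'vlan' tag."""
    out = {}
    for header, lines in parse_blocks(system_cfg).items():
        if header.startswith("interface ") and "." in header:
            for line in lines:
                m = re.match(r"vlan (\d+)$", line)
                if m:
                    out[header.split()[1]] = int(m.group(1))
    return out

def check_context(system_cfg, context_cfg, context_name):
    """List interfaces given a nameif in the context that were never allocated to it,
    and allocated subinterfaces that have no VLAN tag in the System Context."""
    problems, vlans = [], subinterface_vlans(system_cfg)
    ctx = parse_blocks(system_cfg).get(f"context {context_name}", [])
    allocated = {l.split()[1] for l in ctx if l.startswith("allocate-interface ")}
    for header, lines in parse_blocks(context_cfg).items():
        name = header.split()[1] if header.startswith("interface ") else None
        if name and any(l.startswith("nameif ") for l in lines) and name not in allocated:
            problems.append(f"{name}: nameif set but not allocated to context {context_name}")
    for name in sorted(allocated):
        if "." in name and name not in vlans:
            problems.append(f"{name}: allocated but has no 'vlan' tag in System Context")
    return problems
```

Run check_context(SYSTEM_CFG, CONTEXT_CFG, "CONTEXT-NAME") against copies of "show run" from both spaces; an empty list means the context only names interfaces the System Context actually allocated to it.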
08-06-2013 07:47 AM
Hi,
Thank you for the reply.
I cannot change the context to system - it does not allow me
Haddad/2# changeto system
Command not valid in current execution space
Haddad/2#
Any suggestions here? Thanks in advance
08-06-2013 08:06 AM
Hi,
Does the following command produce any output
show run prompt
It would seem to me that you are under some Security Context, as "Haddad/2" can't be a "hostname" of an ASA.
- Jouni
08-06-2013 08:09 AM
I get this:
Haddad/2# sho run prompt
^
ERROR: % Invalid input detected at '^' marker.
Haddad/2# sho run prompt
^
ERROR: % Invalid input detected at '^' marker.
08-06-2013 08:14 AM
"^" is under prompt
08-06-2013 08:22 AM
Well this is strange.
For example the command
prompt
The only configuration mode under which this can't be used is under a Security Context.
Yet you can't even change to the System Context space?
I guess we would need to see the firewall configuration because I am not sure what the problem is. If you can't even create a subinterface of a physical interface that the ASA holds, then it would point to a situation where you are under a Security Context, which doesn't allow creating an interface.
- Jouni
08-06-2013 08:42 AM
If I do show context I get the following:
Haddad/2# sho context
Context Name Class Interfaces URL
2 default GigabitEthernet0/0, disk0:/context2.cfg
GigabitEthernet0/1,
GigabitEthernet0/2
Haddad/2#
So it looks like there is a context on this device named "2". I still cannot change to system though. If I go to the failover device I change contexts with no problem:
Haddad/admin# sho context
Context Name Class Interfaces URL
*admin default GigabitEthernet0/0, disk0:/admin.cfg
GigabitEthernet0/1,
GigabitEthernet0/2
Haddad/admin# change
Haddad/admin# changeto sys
Haddad/admin# changeto system
Haddad# change to admin
^
ERROR: % Invalid input detected at '^' marker.
Haddad# changeto admin
^
ERROR: % Invalid input detected at '^' marker.
Haddad# changeto conte
Haddad# changeto context admin
Haddad/admin#
Haddad/2# sho context
Context Name Class Interfaces URL
2 default GigabitEthernet0/0, disk0:/context2.cfg
GigabitEthernet0/1,
GigabitEthernet0/2
Haddad/2#
Maybe I could add another context that I could switch to system from? Also, if I create a new context, as my device is running in prod and I'm doing this during business hours, are there any risks I should be aware of (like the device having to reboot, disconnecting user sessions, etc.)? Thank you
08-06-2013 08:54 AM
Hi,
Seems you used slightly wrong command formats above (though you found the correct one).
The following command should be able to change you to System Context from under any Security Context
changeto system
The following command should be able to change you to the Security Context of your choice from any other Context or System Context
changeto context
The following command should enable you to show a clearer output of all the contexts configured on the device. Use it in the System Context space:
show run context
To my understanding your purpose was to use Gi0/2 as a trunk for DMZ purposes. So first you would need to check its configuration. If it's already in some use then it will be harder to do the change in a production environment.
You can use the following command in System Context space to list the current interface configurations
show run interface
To my understanding all commands should be supported whichever unit you are logged in on. Naturally all configuration should be done on the Active unit or the configuration will be out of sync.
- Jouni