Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
601
Views
10
Helpful
5
Replies

ASA 5506 in a one-off deployment with inside and outside on sub-interfaces of same physical port

Dean Romanelli
Level 4
Level 4

‎05-17-2018 10:13 AM - edited ‎02-21-2020 07:46 AM

Hi All,

 

I am co-locating a Cisco ASA 5506 in my provider's NOC for one of my global markets.  The provider prefers to deploy customer firewalls on their topology in the NOC in a one-off fashion, meaning that one single physical interface on the ASA is plugged in, which then has sub-interfaces for inside and outside created in the configuration, and then the provider ensures traffic flows into and out of the it via VRF.

So, my question:  Can I build both inside and outside zones via sub-interface off of the same physical port?  An example of what I'm trying to do is below:

 

interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.172.1 255.255.255.0
!
interface GigabitEthernet1/1.2
vlan 2
nameif outside
security-level 0
ip address 1.2.3.1 255.255.255.252

 

 

 

Labels:
0 Helpful
5 Replies 5

Diana Karolina Rojas
Cisco Employee
Cisco Employee

‎05-17-2018 10:25 AM

I thing you can, but you can not configure the physical interface, you have to create a sub interface for the inside interface also and tagging a vlan to it, I have this configuration in my device and it works:

 

interface Ethernet0/0.417
vlan 417
nameif AAAAAA
security-level 0
ip address 192.168.250.2 255.255.255.128
!
interface Ethernet0/0.881
vlan 881
nameif XXXXX
security-level 0
ip address 10.8.0.220 255.255.255.248
!
interface Ethernet0/0.882
vlan 882
nameif YYYYY
security-level 0
ip address 10.90.10.49 255.255.255.252

 

Best regards,

Dean Romanelli
Level 4
Level 4
In response to Diana Karolina Rojas

‎05-17-2018 12:18 PM

Thanks Diana.  On your configuration below, does your traffic come into one of those sub-interfaces and go out of one of the others? Or is that basically just three sub-interfaced outside-facing zones available for traffic to ingress into? 

0 Helpful

Diana Karolina Rojas
Cisco Employee
Cisco Employee
In response to Dean Romanelli

‎05-17-2018 12:36 PM

Hello Dean,

 

My configuration is what you said "just three sub-interfaced outside-facing zones available for traffic to ingress into"

 

I have not probed that a traffic from one subinterface go out to the others subinterfaces, but I thing this is possible because each subinterface has its own nameif, IP address and security level, even the physical parent interface does not have a inherent configuration to the sub interfaces.

Do not forget to rate useful post.

 

Best Regards,

Dean Romanelli
Level 4
Level 4
In response to Diana Karolina Rojas

‎05-17-2018 12:58 PM

Ok, thanks. Will test and report back. 

0 Helpful

Diana Karolina Rojas
Cisco Employee
Cisco Employee
In response to Dean Romanelli

‎05-17-2018 01:01 PM

Thank you for taking the time to qualify the answers, I will be attend to your feedback.

 

Best Regards!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card