ASA 5506-X - Switchports?

danplacek
Level 4

Just got my hands on a new ASA 5506-X and immediately ran into an odd issue:

 

There are eight layer 3 ports that seemingly cannot be used as switch ports.

There is no bridge-group capability available either. (which, if present, could be used to resolve this issue)

 

Why does this device even have 8 ports if they cannot be used as switchports?

Is this going to be fixed in future software? (By adding bridge groups?)

Can anyone think of any other "clever" workarounds?

 

Between this issue and the lack of POE, this device seems to be significantly less useful than the ASA5505.

 

Thank you.


As discussed here and elsewhere, you would be perfectly right if it were not that Cisco is positioning this device as a replacement for the 5505.

 

I have a 5506-X sitting on my desk.  It's a nice piece of hardware, but in spirit, all we really wanted is a 5505 with gigabit.  Why is that so hard?

I hear you. Apparently Cisco had other plans and wanted to replace a SoHo 5505 with a non-direct replacement with more horsepower and options, but left off some of the SoHo attractiveness of the 5505.

 

Maybe they'll get it right with a 5507-X? ;)

Not funny for anyone who bought a 5506 thinking it was a drop in upgrade from the 5505.

 

Also not funny for anyone who is yet to learn this.

pchristian1
Level 1

So do you have to use a particular switch, since the 5506-X lan ports do not support switching? Or can you just use a dumb/non-managed switch?

If all you need is a single VLAN, no Power over Ethernet etc. then a dumb switch is fine.

If you need multiple VLANs, LACP/LAG, PoE etc. then you select the switch accordingly.

jacobdecker
Level 1

Has anyone had any experience with the ASA 5508-X? Do its interfaces support switching?

Ryan Coverdale
Level 1

All,

I ran into the same problem and I came up with the following work-around/solution.

Create separate inside networks with the same '100' value for the security-zone, like you normally would on your inside interface. Set up NAT, dhcpd, etc. for each inside interface. (inside, inside1, inside2,....) I used ascending subnets: 10.10.10.0/24, 10.10.11.0/24, .... for each interface. 

Use the commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

to allow traffic to pass between the VLANs. This will allow traffic across the subnets and allow your devices to communicate. You will not get broadcast traffic, but as long as you're looking for an IP address it should route between the interfaces.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside2
 security-level 100
 ip address 10.10.11.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network InsideNetwork10.10.10.X
 subnet 10.10.10.0 255.255.255.0
object network InsideNetwork10.10.10.X
 nat (inside,outside) dynamic interface
!
object network InsideNetwork10.10.11.X
 subnet 10.10.11.0 255.255.255.0 
object network InsideNetwork10.10.11.X
 nat (inside2,outside) dynamic interface 
!
dhcpd address 10.10.10.50-10.10.10.199 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd enable inside
!
dhcpd address 10.10.11.50-10.10.11.199 inside2
dhcpd dns 8.8.8.8 4.2.2.2 interface inside2
dhcpd enable inside2 
 
Hope this helps. 
 
And to throw in 2 cents on the banter of this thread. You NEED to use the SFR module at ALL of your customers. Cheap switchports and POE do not resonate in comparison to the security vulnerabilities of using only a traditional firewall to secure your network. Tell your customers "It's harder to stay secure, it's more costly than ever to be breached, so it simply costs a bit more to stay secure as possible." 
 

last paragraph -> absosecurelutely true

Nay-Sayer
Level 1

Has there been any movement from Cisco on this issue?  I just had a couple of 5506s dropped on my desk and, without switching functionality, they're about as useful as paperweights...

Posted this two months ago, does it help you?


This doesn't address the problem of needing multiple interfaces in the same VLAN...

"I came up with the following work-around/ solution. " 

"to allow traffic to pass between the vlans. This will allow traffic across the subnets and allow your devices to communicate. You will not get broadcast traffic, but as long as you're looking for an IP address it should route between the interfaces. "

HendrikD.
Level 1

Any Update on this? Will there be a "ASA5506>S<-X"?

Or is the following slightly sarcastic personal interpretation final:

We listened to our dear customers and have decided to include the WLAN Access Point in the “W” Model, so that you do not have to send out 2 boxes to your VPN locations. But since we like to sell stuff at Cisco, you unfortunately have to buy a POE Switch (preferably Cisco!) to replace your fleet of 5505’s.

(You really should buy a Switch anyway, since we introduced the FirePower capabilities in a really quick & dirty way – the competition was eating away our market and our marketing/sales people needed something presentable - sorry techies - but we'll fix it in March 2016(?) with the FTD unified release).

And just as a note:
NO! – Neither creating one subnet per port nor using an etherchannel is a workaround for a SOHO enterprise Firewall. And when we talk Meraki, we are talking about changing the vendor, something a Cisco guy tries to avoid with the current offerings from other vendors.

FlorianCokl
Level 1

I am not interested in complaining, nagging around - I do understand everyone who is missing the switching functionality - personally, I couldn't agree more that the missing switching functionality is a pain bla bla bla.

However, I am interested in solutions. I like to be part of a solution instead of participating in the problem.

Here's a solution that works - as long as you are willing to think it through. Get the cheapest unmanaged 4-port Gigabit switch -> you need it to connect the management port with one of the other L3 ports and a host. Assuming you have 1 interface (number 1) connected to the internet, you have 7 (2-8) left to connect 7 hosts. If you need 2 interfaces (1 & 2) for WAN (backup lines or any other name you prefer), there are 6 (3-8) left to connect 6 hosts.

Next

SubSubSubSubnetting

take the 192.168.1.0/24 network (why this one/way -> summarization) - or any other number that is your personal favorite and break it down into segments of 32 each, or any other number you like as long as you are able to derive at least 7 consecutive networks:

  • 192.168.1.0/27 255.255.255.224
  • 192.168.1.32/27 255.255.255.224
  • 192.168.1.64/27 255.255.255.224
  • 192.168.1.96/27 255.255.255.224
  • 192.168.1.128/27 255.255.255.224
  • 192.168.1.160/27 255.255.255.224
  • 192.168.1.192/27 255.255.255.224
  • 192.168.1.224/27 255.255.255.224

and apply them to the physical interfaces - give each interface a distinctive name i.e. inside-1/3, inside-1/4 and so forth.

OR - major numbers

  • 192.168.1.0/24
  • 192.168.2.0/24
  • 192.168.3.0/24
  • and so forth

and apply them to the physical interfaces - give each interface a distinctive name i.e. inside-1/3, inside-1/4 and so forth.

Next

connect ASA's mgmt-intf, gi1/8 (or any other you like), and the one host, to the cheap switch. Make sure to configure the firepower-address according to the network you've chosen for that physical interface.

Resumé

I know this is not "beautiful" - I KNOW IT - however, if you are in tight spot, this is a way to get out of it. IT WORKS - keep that in mind.
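The per-port subnetting above and Ryan Coverdale's earlier per-interface config follow the same pattern, so here is an added helper (my own example, not anything from the thread or from Cisco) that carves a base block into one subnet per routed port, refuses when the block cannot yield enough consecutive networks, and renders the matching ASA CLI. It assumes the 5506-X names its data ports GigabitEthernet1/1 to 1/8 and that `inside-1/N` is an acceptable nameif, as the post uses.

```python
import ipaddress

def plan_ports(base_cidr, prefix_len, port_count, first_port=1):
    """Carve base_cidr into port_count consecutive /prefix_len subnets,
    one per routed port, starting at GigabitEthernet1/<first_port>.
    Raises ValueError when the base block cannot supply enough networks
    (the thread's 'at least 7 consecutive networks' requirement)."""
    base = ipaddress.ip_network(base_cidr)
    subnets = list(base.subnets(new_prefix=prefix_len))
    if len(subnets) < port_count:
        raise ValueError(f"{base_cidr} yields only {len(subnets)} /{prefix_len} "
                         f"subnets, {port_count} are needed")
    plan = []
    for i, net in enumerate(subnets[:port_count]):
        port = first_port + i
        hosts = list(net.hosts())                 # usable addresses, gateway first
        plan.append({
            "ifname": f"GigabitEthernet1/{port}",  # 5506-X port naming (assumed)
            "nameif": f"inside-1/{port}",
            "network": str(net.network_address), "mask": str(net.netmask),
            "gateway": str(hosts[0]),
            "pool_start": str(hosts[1]), "pool_end": str(hosts[-1]),
        })
    return plan

def render_asa_config(plan, outside="outside", dns="8.8.8.8 4.2.2.2"):
    """Emit ASA CLI in the thread's pattern: a routed interface, PAT to the
    outside interface, and a DHCP scope per port."""
    out = []
    for p in plan:
        out += [f"interface {p['ifname']}", f" nameif {p['nameif']}",
                " security-level 100",
                f" ip address {p['gateway']} {p['mask']}", " no shutdown", "!"]
    # Global commands: without these the ASA drops traffic between
    # same-security interfaces. Any access-group bound to an interface still applies.
    out += ["same-security-traffic permit inter-interface",
            "same-security-traffic permit intra-interface", "!"]
    for p in plan:
        obj = "InsideNet-" + p["network"].replace(".", "-")
        out += [f"object network {obj}", f" subnet {p['network']} {p['mask']}",
                f" nat ({p['nameif']},{outside}) dynamic interface", "!",
                f"dhcpd address {p['pool_start']}-{p['pool_end']} {p['nameif']}",
                f"dhcpd dns {dns} interface {p['nameif']}",
                f"dhcpd enable {p['nameif']}", "!"]
    return "\n".join(out)

if __name__ == "__main__":
    # Port 1 is the WAN uplink, ports 2-8 get the seven /27s from 192.168.1.0/24
    print(render_asa_config(plan_ports("192.168.1.0/24", 27, 7, first_port=2)))
```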

That is terrible.

Just bought a 5506 to connect a small sales point (1 PC, 1 printer, 2 special devices) via site-to-site VPN.

Spent 2 days finding out how to configure switchports... for what? To find out that it is impossible?

Sad that I had not found this article before I bought this stuff; it would have been better to buy a 5505.

Subnetting for such a small office is the worst thing I could imagine.

Hope this issue will be fixed in the future.
