01-07-2013 04:49 AM - edited 03-11-2019 05:44 PM
Hello,
I need advice on whether my configuration will work or not. I currently have an interface on the ASA configured with:
interface GigabitEthernet0/1
description INSIDE
speed 1000
duplex full
mac-address xxxx.xxxx.xxxx
nameif inside
security-level 100
ip address 192.168.x.x 255.255.255.0 standby 192.168.x.x
If I change this to a subinterface, will this work?
interface GigabitEthernet0/1
description 802.1q Trunking Interface for test networks
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.x
description INSIDE
speed 1000
duplex full
mac-address xxxx.xxxx.xxxx
nameif inside
security-level 100
ip address 192.168.x.x 255.255.255.0 standby 192.168.x.x
Should this config be copied to the standby ASA? Both are in an ACTIVE/STANDBY failover.
Thanks
01-08-2013 02:59 AM
Hi,
If you want to recover the configuration I would suggest perhaps either rebooting the device (if you haven't already saved the configuration that lacks all configurations related to the "nameif").
Or you could check the original startup configuration and gather all the lost configurations from there and "drop" them back to the firewall.
When you remove the "nameif" configuration it removes all configurations related to it from the firewall. There's no real way of transferring the "nameif" to another interface. You just have to copy/paste the configurations back after the interface -> subinterface change.
You've probably lost all the NAT rules. Also the "access-group" command has disappeared, but the ACL itself meant for the interface should still be on the ASA. There might be other configurations that also disappeared. The other most common ones might be telnet/ssh/http management configurations etc.
- Jouni
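The recovery step described in this answer (compare the saved startup-config with the running-config and paste back what the nameif removal dropped) can be automated. The following is an added example, not code from the original posts or from Cisco: it lists every startup-config line that references the interface name and is no longer in the running-config, with nested statements (such as a `nat` line under `object network`) prefixed by their parent header so the output can be pasted straight back. Both configurations below are constructed samples in `show run` style, where nested lines are indented; the interface names, addresses and ACL name are made up.

```python
"""Recover the configuration lines an ASA drops when an interface's nameif is removed.

Added example, not code from the original posts or from Cisco. Both sample
configurations below are constructed for the example.
"""
import re


def nameif_dependents(startup_config, running_config, nameif):
    """Return startup-config lines that mention `nameif` and are missing from running-config.

    Nested lines (a 'nat' statement under 'object network', for example) are
    returned behind their parent header so the result can be pasted straight
    back. Interface stanzas are skipped: those were rewritten on purpose.
    Assumes 'show run' style input, where nested lines are indented.
    """
    # Match the name as a whole token: 'inside' but not 'inside-2' or 'INSIDE_IN'.
    token = re.compile(r"(?<![\w-])" + re.escape(nameif) + r"(?![\w-])")
    present = {l.strip() for l in running_config.splitlines()}
    recovered, context, header_done = [], None, None
    for raw in startup_config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            context = None
            continue
        if not raw.startswith(" "):
            # Top-level line: either a container header or a standalone command.
            if line.startswith(("interface ", "object ", "object-group ")):
                context = line
                continue
            context = None
        elif context is None or context.startswith("interface "):
            continue  # nested line we do not track, or part of an interface stanza
        if token.search(line) and line not in present:
            if context is not None and header_done != context:
                recovered.append(context)
                header_done = context
            recovered.append(" " + line if context is not None else line)
    return recovered


# Constructed: the saved configuration from before the interface -> subinterface change.
STARTUP_BEFORE = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
object network LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 management
"""

# Constructed: the running configuration after 'nameif inside' moved to a subinterface.
RUNNING_AFTER = """\
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
object network LAN
 subnet 192.168.1.0 255.255.255.0
!
access-list INSIDE_IN extended permit ip any any
ssh 10.0.0.0 255.255.255.0 management
"""

if __name__ == "__main__":
    for line in nameif_dependents(STARTUP_BEFORE, RUNNING_AFTER, "inside"):
        print(line)
```

On the constructed sample the output is the `nat` line (under its `object network LAN` header), the `access-group` binding and the `http`/`ssh` management lines for `inside`, which is exactly the set of dependants the answer says go missing; the ACL itself is still present in the running-config and is therefore not listed.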
01-07-2013 04:59 AM
Hi,
When configuring the ASA for trunking, the physical interface should have no real configuration. You could give it a good description that says that it's a trunk (as you have written later in the post) and configure the speed/duplex if needed.
Using some made-up names, a trunk might look something like this:
interface GigabitEthernet0/0
description LAN Trunk
no nameif
no security-level
no ip add
speed 1000
duplex full
interface GigabitEthernet0/0.100
vlan 100
nameif inside
security-level 100
ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2
interface GigabitEthernet0/0.200
vlan 200
nameif dmz
security-level 50
ip add 192.168.10.1 255.255.255.0 standby 192.168.10.2
To sum it up:
If you have failover configured between 2 ASA firewalls and it's working correctly, you should be able to do all configuration on the Active ASA and it will be replicated to the Standby ASA.
Please rate if the information was helpful and/or ask more if needed.
- Jouni
01-08-2013 02:51 AM
Hi,
I made the changes and the sub-interface was fine. But when moving the physical interface to a sub-interface, the ASA deleted all my rules bound to that interface, and lost the NAT rules?
Currently running 8.4(4)
01-08-2013 01:29 AM
In addition to Jouni's instructions,
If you want to use vlan 1 (the default VLAN) for some network, this is how you should do it.
interface GigabitEthernet0/0
description LAN Trunk with vlan 1
nameif someInterface
security-level 100
ip add 172.16.1.1 255.255.255.0 standby 172.16.1.2
speed 1000
duplex full
!
interface GigabitEthernet0/0.100
vlan 100
nameif inside
security-level 100
ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2
Never do this..
!
interface GigabitEthernet0/0
description LAN Trunk
no nameif
no security-level
no ip add
speed 1000
duplex full
!
interface GigabitEthernet0/0.1
vlan 1
nameif someInterface
security-level 100
ip add 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface GigabitEthernet0/0.100
vlan 100
nameif inside
security-level 100
ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
I know it seems correct, but it will never work.
With this config, the traffic on VLAN 1 will not work and will not be seen by the ASA. I have made this mistake in the past and wasted hours troubleshooting.
If you want to use vlan 1, configure it on the physical interface itself.
Please rate this post if helpful..
Thanks
Shamal
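Jouni's trunk layout above (bare physical interface, one tagged subinterface per VLAN) and Shamal's VLAN 1 caveat are both easy to check mechanically before pushing a change to the active unit. The following linter is an added example, not code from the original posts or from Cisco. It parses the `interface` stanzas of an ASA configuration, groups subinterfaces under their parent, and reports a subinterface with no `vlan` tag, a subinterface tagged `vlan 1` (the native VLAN, which arrives untagged and so never reaches a tagged subinterface), a missing `nameif`/`security-level`/`ip address`, and `speed`/`duplex` copied onto a subinterface, as in the original question. The sample configurations are constructed copies of the ones in the thread; the `.10` tag in the third sample stands in for the redacted `x`, and the interface names and addresses are the posters' made-up ones.

```python
"""Lint an ASA config for the trunk/subinterface pitfalls in this thread (added example, not from the posts)."""
import re
from collections import OrderedDict

IFACE_RE = re.compile(r"^interface\s+(\S+)$")


def _normalize(line):
    """Expand the 'ip add' abbreviation used in the posts to the full keyword."""
    return re.sub(r"^ip add\S*", "ip address", line.strip())


def parse_interfaces(config_text):
    """Return {name: [commands]}; a stanza ends at '!', a blank line or the next 'interface' line."""
    ifaces, current = OrderedDict(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        match = IFACE_RE.match(line)
        if match:
            current = match.group(1)
            ifaces[current] = []
        elif current is not None:
            ifaces[current].append(_normalize(line))
    return ifaces


def _has(lines, keyword):
    """True if the stanza sets `keyword`; a negated 'no keyword' does not count."""
    return any(l == keyword or l.startswith(keyword + " ") for l in lines)


def lint_trunks(config_text):
    """Return (interface, message) findings for every physical interface that has subinterfaces."""
    ifaces = parse_interfaces(config_text)
    children = OrderedDict()
    for name in ifaces:
        if "." in name:  # GigabitEthernet0/0.100 -> parent GigabitEthernet0/0
            children.setdefault(name.rsplit(".", 1)[0], []).append(name)
    findings = []
    for subs in children.values():
        for sub in subs:
            slines = ifaces[sub]
            vlan = next((l.split()[1] for l in slines if l.startswith("vlan ")), None)
            if vlan is None:
                findings.append((sub, "no 'vlan' tag: a subinterface without a VLAN id carries nothing"))
            elif vlan == "1":
                findings.append((sub, "'vlan 1' on a subinterface: the native VLAN arrives untagged on the trunk, "
                                      "so this stanza never sees it; put VLAN 1 on the physical interface instead"))
            for required in ("nameif", "security-level", "ip address"):
                if not _has(slines, required):
                    findings.append((sub, f"missing '{required}'"))
            for physical_only in ("speed", "duplex"):
                if _has(slines, physical_only):
                    findings.append((sub, f"'{physical_only}' belongs on the physical interface, not the subinterface"))
    return findings


# Constructed copy of Jouni's layout: bare physical trunk, tagged subinterface.
GOOD_TRUNK = """\
interface GigabitEthernet0/0
no nameif
no security-level
no ip add
interface GigabitEthernet0/0.100
vlan 100
nameif inside
security-level 100
ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2
"""

# Constructed copy of the "never do this" layout: VLAN 1 on a subinterface.
VLAN1_ON_SUBINTERFACE = """\
interface GigabitEthernet0/0
no nameif
no security-level
no ip add
interface GigabitEthernet0/0.1
vlan 1
nameif someInterface
security-level 100
ip add 172.16.1.1 255.255.255.0 standby 172.16.1.2
"""

# Constructed copy of the question's attempt: physical settings on the subinterface, no 'vlan'.
ASKER_STYLE = """\
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
interface GigabitEthernet0/1.10
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
"""
```

Run `lint_trunks(GOOD_TRUNK)` and it returns nothing; `lint_trunks(VLAN1_ON_SUBINTERFACE)` flags only `GigabitEthernet0/0.1`, and `lint_trunks(ASKER_STYLE)` flags the missing `vlan` tag plus the `speed` and `duplex` lines on the subinterface. The parser accepts both `show run` output and the flush-left pastes in this thread, and treats `ip add` as `ip address` so the posters' abbreviations lint the same as the full keyword.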
01-20-2015 05:58 PM
That is because when you use subinterfaces you trunk the switch. VLAN 1 is the native VLAN, and configuring the physical interface causes the ASA to pass untagged traffic. Never use VLAN 1 and always change the native VLAN on uplinks.
01-20-2015 07:30 PM
The physical interface needs to match the native VLAN.