
ASA sub interface

JDMJeffy84
Level 1

Hello,

I need advice on whether my configuration will work or not. I currently have an interface on the ASA configured with:

interface GigabitEthernet0/1
 description INSIDE
 speed 1000
 duplex full
 mac-address xxxx.xxxx.xxxx
 nameif inside
 security-level 100
 ip address 192.168.x.x 255.255.255.0 standby 192.168.x.x

If I change this to a subinterface, will this work?

interface GigabitEthernet0/1
 description 802.1q Trunking Interface for test networks
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.x
 description INSIDE
 speed 1000
 duplex full
 mac-address xxxx.xxxx.xxxx
 nameif inside
 security-level 100
 ip address 192.168.x.x 255.255.255.0 standby 192.168.x.x

Should this config be copied to the standby ASA? Both are in an ACTIVE/STANDBY failover.

Thanks


6 Replies

Jouni Forss
VIP Alumni

Hi,

When configuring the ASA for Trunking, the Physical interface should have no real configurations. You could give it a good description that says that it's a Trunk (as you have written later in the post) and configure the speed/duplex if needed.

Using some made-up names, a Trunk might look something like this:

interface GigabitEthernet0/0
 description LAN Trunk
 no nameif
 no security-level
 no ip add
 speed 1000
 duplex full
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif inside
 security-level 100
 ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface GigabitEthernet0/0.200
 vlan 200
 nameif dmz
 security-level 50
 ip add 192.168.10.1 255.255.255.0 standby 192.168.10.2

To sum it up:

  • Main Physical interface usually has no real configurations other than Speed/Duplex/description
  • Subinterfaces are good to name with the Vlan ID they are going to have under them (Gi0/0.100 = Vlan ID 100)

If you have Failover configured between 2 ASA firewalls and it's working correctly, you should be able to do all configurations on the Active ASA and they will be replicated to the Standby ASA.

Please rate if the information was helpful and/or ask more if needed.

- Jouni

Hi,

I made the changes and the sub interface was fine. But when moving the physical interface to a sub-interface, the ASA deleted all my rules bound to that interface and lost the NAT rules?

Currently running 8.4(4)

Hi,

If you want to recover the configuration I would suggest perhaps either rebooting the device (if you haven't already saved the configuration that lacks all configurations related to the "nameif")

Or you could check the original startup configuration and gather all the lost configurations from there and "drop" them back to the firewall.

When you remove the "nameif" configuration it removes all configurations related to it from the firewall. There's no real way of transferring the "nameif" to another interface. You just have to copy/paste the configurations back after the interface -> subinterface change.

You've probably lost all the NAT rules. Also the "access-group" command has disappeared, but the ACL itself meant for the interface should still be on the ASA. There might be other configurations that also disappeared. Other most common ones might be telnet/ssh/http management configurations etc.

- Jouni

shamax_1983
Level 3

In addition to Jouni's instructions,

If you want to use vlan 1 (the default vlan) for some network, this is how you should do it.

interface GigabitEthernet0/0
 description LAN Trunk with vlan 1
 nameif someInterface
 security-level 100
 ip add 172.16.1.1 255.255.255.0 standby 172.16.1.2
 speed 1000
 duplex full
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif inside
 security-level 100
 ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2

Never do this:

!
interface GigabitEthernet0/0
 description LAN Trunk
 no nameif
 no security-level
 no ip add
 speed 1000
 duplex full
!
interface GigabitEthernet0/0.1
 vlan 1
 nameif someInterface
 security-level 100
 ip add 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif inside
 security-level 100
 ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2
!

I know it seems correct, but it will never work.

With this config, the traffic on VLAN 1 will not work and will not be seen by the ASA. I have made this mistake in the past and wasted hours troubleshooting.

If you want to use vlan 1, configure it on the physical interface itself.

Please rate this post if helpful.

Thanks

Shamal

That is because when you use a subinterface you trunk the switch. VLAN 1 is the native VLAN, and configuring the physical interface causes the ASA to pass untagged traffic. Never use VLAN 1, and always change the native VLAN on uplinks.

The physical interface needs to match the native VLAN.
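The two pitfalls in this thread (a subinterface carrying `vlan 1`, which the ASA will never see as tagged traffic, and the loss of every `access-group`, `nat`, `ssh`/`http`/`telnet` and `route` line bound to a `nameif` when that `nameif` is removed) can both be checked offline before touching the firewall. The following Python script is an added example written for this page; it is not from the thread, from Cisco, or from any poster. It parses a running-config in the plain ASA syntax shown above, lints the subinterfaces, and lists the lines that reference a given `nameif` so they can be saved and re-applied after the interface-to-subinterface change. The configuration it runs against is a constructed sample modelled on Jouni's and Shamal's examples, including one subinterface with `vlan 1` and one with no `vlan` command at all; the function names are this example's own.

```python
import re

# Constructed sample running-config (not from a real device), built from the
# interface examples in this thread plus a few lines that reference nameif "inside".
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description LAN Trunk
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 1
 nameif someInterface
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface GigabitEthernet0/0.200
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
object network LAN
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
ssh 10.10.10.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
route inside 10.20.0.0 255.255.0.0 10.10.10.254 1
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every 'interface' block.

    Sub-commands are the indented lines; a '!' or an unindented line ends the block.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def lint_trunk(config):
    """Flag subinterfaces that will carry no traffic: no 'vlan' command, or 'vlan 1'.

    VLAN 1 is the switch's default native VLAN, so its frames arrive untagged and
    never match a tagged subinterface; that traffic belongs on the parent interface.
    """
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "." not in name:
            continue  # physical interface, nothing to check here
        vlan = next((c.split()[1] for c in cmds if c.startswith("vlan ")), None)
        if vlan is None:
            findings.append(f"{name}: subinterface has no 'vlan' command")
        elif vlan == "1":
            parent = name.split(".")[0]
            findings.append(f"{name}: 'vlan 1' is untagged native traffic, configure it on {parent}")
    return findings


def lines_bound_to_nameif(config, nameif):
    """Return the config lines that reference `nameif` as a whole word.

    These are the lines the ASA drops when the nameif is removed (access-group,
    nat, ssh/http/telnet, route ...). The ACL body itself does not reference the
    nameif and so survives, matching what the thread describes.
    """
    token = re.compile(r"(?<![\w-])" + re.escape(nameif) + r"(?![\w-])")
    hits = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("interface ", "nameif ", "description ")):
            continue
        if token.search(line):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for finding in lint_trunk(SAMPLE_CONFIG):
        print("LINT:", finding)
    print("Lines to back up before removing nameif 'inside':")
    for line in lines_bound_to_nameif(SAMPLE_CONFIG, "inside"):
        print("  ", line)
```

Run the script against a `show running-config` capture saved to a file in place of `SAMPLE_CONFIG`; the lint output names the subinterfaces that need a `vlan` command or whose VLAN 1 should move to the parent, and the second list is exactly the material to paste back after the `nameif` has been re-created on the subinterface. The word-boundary regex deliberately treats `-` and `_` as part of a name so that `INSIDE_IN` (an ACL name) is not mistaken for the `inside` nameif.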
