
asa virtual lan

suthomas1
Level 6

I have an ASA to which a switch will be attached. This switch will have multiple end user ports but all on the same VLAN, so I have to create a VLAN on the ASA port which will attach to the layer 2 switch.

How do I create this VLAN scene? Is a subinterface the only possible way?

Thank you for the help.

Accepted Solutions

Hello,

If, on the switch side you have a single VLAN, then you do not need the subinterface.

On the switch side:

interface gigabitethernet 0/1
 Description userport
 switchport access vlan 75
exit

interface gigabitethernet 0/24
 Description Firewall Inside
 switchport access vlan 75
exit

On the firewall:

interface gi 0/1
 nameif temporary
 security-level 75
 ip address 192.168.0.1 255.255.255.0
Exit

Hope this helps.

Regards,

NT

Jennifer Halim
Cisco Employee

Since ASA will be the L3 hop, you would need to create ASA physical interface in the same VLAN as the users VLAN. Just connect the ASA inside interface to the switch port and assign the switch port the same VLAN as the user VLAN. All users and ASA inside interface will then be in the same VLAN and subnet, and ASA will be the default gateway for your users.

Would the normal vlan command work on the ASA for this, or is there another way to do this?

It will be a great help if the commands used for this scene are shown for me.

Thank you.

The ASA needs sub-interfaces for the vlan command.

But as already suggested, if you put 10 users and the ASA interface on the same VLAN on the switch then the ASA will see all the user traffic. So if all ports of the users and the ASA's inside are access ports for VLAN x on the switch then it will work.

I hope it is clear.

PK

Thanks, so will it be as below:

int gigabitethernet 0/1.1
 nameif temporary
 vlan 75
 security-level 75
 ip address 192.168.0.1 255.255.255.0

and all user ports will be on this VLAN. Correction is welcome if this is not correct.

No.

What you showed there is only if you need this ASA port to be a trunk that passes many vlans.

If you only want one VLAN on this interface, you just make the port that this interface connects to on the switch an access port that belongs to that VLAN on the switch.

I hope it is clear now.

PK
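
Added example (not part of any post in this thread): a small Python check for the tagging mismatch discussed above, where an ASA `vlan` subinterface faces a switch access port. The function names and sample configurations are constructed for illustration, modelled on the configurations posted here; a switch port is treated as a trunk only when it carries an explicit `switchport mode trunk`.

```python
import re

def parse_interfaces(config):
    """Map each interface name (spaces removed) to its lower-cased sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"(?:interface|int)\s+(.+)$", line)
        if m:
            current = m.group(1).replace(" ", "")
            interfaces[current] = []
        elif line == "exit":
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def check_link(switch_cmds, asa_name, asa_cmds):
    """Compare one switch port with the ASA interface cabled to it."""
    # Assumption: only an explicit "switchport mode trunk" counts as a trunk.
    trunk = "switchport mode trunk" in switch_cmds
    tagged = "." in asa_name and any(c.startswith("vlan ") for c in asa_cmds)
    if tagged and not trunk:
        return ["ASA subinterface sends tagged frames, switch port is an access port"]
    if trunk and not tagged:
        return ["switch port is a trunk; an untagged ASA interface only reaches its native VLAN"]
    return []

def audit(switch_cfg, switch_port, asa_cfg):
    """Check the single interface in asa_cfg against switch_port in switch_cfg."""
    name, cmds = next(iter(parse_interfaces(asa_cfg).items()))
    return check_link(parse_interfaces(switch_cfg)[switch_port], name, cmds)

# Constructed sample input, modelled on the configurations posted in this thread.
SWITCH = """
interface gigabitethernet 0/24
 description Firewall Inside
 switchport access vlan 75
exit
"""
ASA_BODY = " nameif temporary\n security-level 75\n ip address 192.168.0.1 255.255.255.0\n"
ASA_PHYSICAL = "interface gi 0/1\n" + ASA_BODY
ASA_SUBIF = "int gigabitethernet 0/1.1\n vlan 75\n" + ASA_BODY

if __name__ == "__main__":
    for label, cfg in (("physical", ASA_PHYSICAL), ("subinterface", ASA_SUBIF)):
        print(label, audit(SWITCH, "gigabitethernet0/24", cfg) or "consistent")
```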
