Configure sub-interfaces in Cisco ASA 5520

yolande_n (Level 1)

Hi,

I have a Cisco ASA 5520 that I'm configuring.

On the current firewall (which is a Linux server), we have the outside interface eth0, which has a public IP, and other sub-interfaces (eth0.1, eth0.2, ...) with other public IPs.

I'd like to know how I can configure this on an ASA.

Thanks

9 Replies

rizwanr74 (Level 7)

Hi Yolande,

Here is one example below.

interface Ethernet0/0
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.1
 vlan 1
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.252
!

I hope this answers your question.

Thanks

Rizwan Rafeek


Hi rizwanr74,

In your configuration, you add VLAN 1. Should I always put the VLAN?

I have about 10 sub-interfaces to configure on the ASA; I am wondering if I should create 10 VLANs.

Thanks

"In your configuration, you add VLAN 1. Should I always put the VLAN?"

Yes, you must have a VLAN number, and the ASA's port (in the example it is "interface Ethernet0/0") will be connected to a trunk port on a switch.

With the layer 2 VLAN number, your internal switch will know to which VLAN it must forward the packet.

"I have about 10 sub-interfaces to configure on the ASA; I am wondering if I should create 10 VLANs."

Naturally you will have to create ten subinterfaces, each with a layer 2 VLAN number.

Hope that answers your question.

Thanks

Rizwan Rafeek

If I summarize, I should just create a layer 2 VLAN and then my 10 subinterfaces will be linked to the VLAN number?

"If I summarize, I should just create a layer 2 VLAN and then my 10 subinterfaces will be linked to the VLAN number?"

You do not create the layer 2 VLAN numbers separately on the ASA; rather, you assign a subinterface itself to a layer 2 VLAN number (as shown below). By doing so, the trunk port on your switch will know on which layer 2 VLAN a given packet is arriving on the trunk port.

!
interface Ethernet0/0.200
 vlan 200
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.252
!
!
interface Ethernet0/1.300
 vlan 300
 nameif management
 security-level 100
 ip address 10.30.30.1 255.255.255.252
!

Hope this answers your question.

Thanks

Rizwan Rafeek

Please rate helpful posts.
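The mapping rizwanr74 describes (the physical port left without nameif or address, one 802.1Q tag per ASA subinterface) as an added Python example; this is not code from the thread. It converts a constructed list of Linux eth0.<vlan> subinterfaces into the ASA subinterface block, turning CIDR prefixes into the dotted-decimal masks the ASA expects and rejecting duplicate VLAN IDs or nameifs before anything is pasted into the firewall; it assumes the Linux dot suffix is the VLAN tag (the default Linux naming), and the nameifs, VLAN IDs and addresses are made up.

```python
"""Build Cisco ASA subinterface config from Linux-style eth0.<vlan> entries.
Added example; interfaces, VLAN IDs and addresses are constructed values."""
import ipaddress
import re

# Constructed input: (linux subinterface, CIDR address, ASA nameif, security-level)
LINUX_SUBIFS = [
    ("eth0.200", "10.10.10.1/30", "inside", 100),
    ("eth0.300", "10.30.30.1/30", "management", 100),
    ("eth0.400", "203.0.113.2/29", "dmz", 50),
]
_SUBIF_RE = re.compile(r"^(?P<parent>[a-z0-9]+)\.(?P<vlan>\d+)$")

def parse_linux_subif(name):
    """Return (parent, vlan_id) from an eth0.<vlan> name; assumes the dot
    suffix is the 802.1Q tag, as with the default Linux naming."""
    m = _SUBIF_RE.match(name)
    if not m:
        raise ValueError(f"not a VLAN subinterface name: {name}")
    vlan = int(m.group("vlan"))
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN id outside 802.1Q range: {vlan}")
    return m.group("parent"), vlan

def asa_subinterface_config(subifs, asa_parent="Ethernet0/0"):
    """Emit ASA config: the physical port carries no nameif/IP (it is the
    trunk link); each tag becomes one subinterface with its own nameif,
    security-level and dotted-decimal mask converted from the CIDR."""
    seen_vlans, seen_names = set(), set()
    lines = [f"interface {asa_parent}", " no nameif", " no security-level",
             " no ip address", "!"]
    for name, cidr, nameif, level in subifs:
        _, vlan = parse_linux_subif(name)
        if vlan in seen_vlans or nameif in seen_names:
            raise ValueError(f"duplicate vlan or nameif: {name}/{nameif}")
        if not 0 <= level <= 100:
            raise ValueError(f"security-level must be 0-100: {level}")
        seen_vlans.add(vlan)
        seen_names.add(nameif)
        iface = ipaddress.ip_interface(cidr)  # /30 -> 255.255.255.252
        lines += [f"interface {asa_parent}.{vlan}", f" vlan {vlan}",
                  f" nameif {nameif}", f" security-level {level}",
                  f" ip address {iface.ip} {iface.netmask}", "!"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(asa_subinterface_config(LINUX_SUBIFS))
```

The switch port facing the ASA must be an 802.1Q trunk carrying exactly these VLANs; the generated block does nothing for Linux sub-interfaces that are really secondary addresses on an untagged port.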

Hi,

Thanks for your answer, but my concern is whether those VLANs (200 and 300 in your example) must also exist on my LAN, because on my LAN I have some VLANs which are not on my current firewall.

You would want to create a VLAN on the firewall in the first place only if that VLAN already exists locally on your LAN or WAN, for peering with the given segments.

If you create a VLAN only on your firewall without that particular VLAN existing on your LAN or WAN, where can the traffic from such a VLAN communicate for peering? The answer is nowhere.

I hope that answers your question or concern.

Thanks

Rizwan Rafeek

Please rate helpful posts.

no

Florin Barhala (Level 6)
Can you share the configuration of the switch port that is connected to the Linux eth0 interface?
I want to find out if you're using tagged traffic or you have just secondary IP addresses on your Linux interface (same vlan).

Thanks!