IP Address assignment on LAN Interface ASDM /CLI

amh4y0001
Level 3

Hi,

I have a Cisco Firepower 1200 / ASDM, and Ethernet 2 (inside) has a 192.168.1.x IP address by default for management purposes.
Questions:
a) Do this port (Ethernet 2) and the remaining ports (Ethernet 3 - Ethernet belong to the same VLAN?
b) Can I leave Ethernet 2 (inside) as it is with its default IP addressing scheme, or are there other best practices?
c) How can I use the Ethernet ports (3 - as LAN ports on the same VLAN (but a different one from what Ethernet 2 belongs to), and how is the IP address assignment etc. done?

Thanks!

31 Replies

@amh4y0001 by default the ASA interfaces are unconfigured. Generally you assign the inside interface of the ASA a dedicated /30 or /29 routed link to the connected core switch. You then define static routes on the ASA for the local networks.


So you could continue to use eth2, just define static routes via the core switch for the connected vlans.

amh4y0001
Level 3

It's OK for me to leave Eth2 as it is and continue to use eth3 - eth8 as the LAN configuration.
Can't I have a /8, /16 or /24 network?
How do I achieve it using the GUI and CLI? Any suggested guide?

@amh4y0001 the ASA is a firewall, not a switch. I wouldn't use such a large network. Use a dedicated vlan between the ASA and the switch, just to route the traffic. Use multiple vlans on the switch, let the switch do the intervlan routing, with a default route via the ASA.

amh4y0001
Level 3

@Rob Ingram thanks for the reply. Agree that an L2 switch should exist for best practice.

I have mixed scenarios; one of them requires only 2 LAN ports, and at the same time the number of devices should not increase, i.e. no L2 switch should be added; rather I have to use 2 LAN ports from the ASA ... is it possible?

@amh4y0001 ok, I understand you may not have a switch. Perhaps you could use a BVI; this was supported on the older ASA 5506 hardware, not sure if it works on your Firepower 1120 hardware though. Here is an example.


Alternatively you could just define 2 routed interfaces on the ASA.

amh4y0001
Level 3

@Rob Ingram Do you recommend any guide or example of how to define 2 routed interfaces on the ASA?
I think in my situation it looks promising (so far at least).

@amh4y0001 they are just normal interfaces, here is an example:

interface gigabitethernet 0/3
 nameif INSIDE_1
 ip address 192.168.11.1 255.255.255.0
 no shut
 security-level 100
interface gigabitethernet 0/4
 nameif INSIDE_2
 ip address 192.168.12.1 255.255.255.0
 no shut
 security-level 100
!
object network INSIDE-1
 subnet 192.168.11.0 255.255.255.0
 nat (inside_1,outside) dynamic interface
object network INSIDE-2
 subnet 192.168.12.0 255.255.255.0
 nat (inside_2,outside) dynamic interface

Just plug the endpoints into the interfaces and assign them an IP address in the correct network range.

@Rob Ingram I think that would be sufficient for my current task, thanks again for the prompt reply and suggestions.

@Rob Ingram In the FP1200 ASA, is it NOT possible to have two ports in the same network (without having an L2 switch)?

In the above configuration, I am able to configure the interfaces as per your suggestion but:

1. Internet is not available when I connect an endpoint to Ethernet 3 or Ethernet 4.

2. I cannot ping from the 192.168.11.x network to the 192.168.12.x network (this is why I asked if it's possible to have two interfaces belonging to the same network ...).

Note: Ethernet1 is connected to the WAN and has an assigned static IP address with security level 100; see the screenshot, in case that explains why Internet is not available on the LAN.


Any thoughts would be appreciated.

@amh4y0001 well, ideally you'd use a switch, but you can configure the command same-security-traffic permit inter-interface. This command allows traffic to enter an interface of a certain security level and then exit from another interface of the same security level. Therefore ensure both interfaces are configured with the same security level.


You'd have to provide your NAT configuration to determine why you cannot access the internet.

@Rob Ingram
Thanks, I have not configured any NAT other than what you provided, as below:

nat (inside_2,outside) dynamic interface


@amh4y0001 please provide the output of "show nat detail" and "show run interfaces"


amh4y0001
Level 3

@Rob Ingram , thanks

ciscoasa# show nat detail

Auto NAT Policies (Section 2)
1 (Site-A_LAN-P3) to (outside) source dynamic Site-A_LAN-P3 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.11.0/24, Translated: X.Y.Z.40/28

2 (Site-A_LAN-P4) to (outside) source dynamic Site-A_LAN-P4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.12.0/24, Translated: X.Y.Z.40/28

3 (any) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: X.Y.Z.40/28


-------------------------------

ciscoasa# sh run interface
!
interface Ethernet1/1
nameif outside
security-level 100
ip address X.Y.Z.40 255.255.255.240
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/3
nameif Site-A_LAN-P3
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet1/4
nameif Site-A_LAN-P4
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 100
ip address dhcp setroute

@amh4y0001 you've got zero hits on all of those nat rules, how are you testing?


Run packet-tracer from the CLI and provide the output for review. Example:


packet-tracer input Site-A_LAN-P3 tcp 192.168.11.10 3000 8.8.8.8 80
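As an added example (not code from the thread, from Cisco, or from any poster here), the script below applies the two checks discussed in this thread to the kind of "show run interface" and "show nat detail" output posted above: the ASA security-level rule (traffic from a higher to a lower level is allowed by default, equal levels need same-security-traffic permit inter-interface, lower to higher needs an access-list), and a scan for NAT rules with zero translate_hits. The sample outputs embedded in it are constructed, patterned on the posted ones, with X.Y.Z as a placeholder for the public address as in the thread; the function names are my own.

```python
"""Audit ASA inter-interface reachability and NAT hit counts from CLI output.

Added example for this thread (not Cisco's code and not any poster's). It
applies the documented ASA defaults: higher-to-lower security traffic is
allowed, equal levels need 'same-security-traffic permit inter-interface',
lower-to-higher needs an access-list on the source interface. Sample outputs
are constructed, patterned on the thread; X.Y.Z is a placeholder address.
"""
import re
from typing import Dict, List, Tuple

SHOW_RUN_INTERFACE = """\
interface Ethernet1/1
nameif outside
security-level 100
ip address X.Y.Z.40 255.255.255.240
!
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/3
nameif Site-A_LAN-P3
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
"""

SHOW_NAT_DETAIL = """\
Auto NAT Policies (Section 2)
1 (Site-A_LAN-P3) to (outside) source dynamic Site-A_LAN-P3 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.11.0/24, Translated: X.Y.Z.40/28

2 (any) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: X.Y.Z.40/28
"""

NAT_RULE = re.compile(r"^\d+\s+\((?P<src>[^)]+)\) to \((?P<dst>[^)]+)\)")
NAT_HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def parse_interfaces(show_run: str) -> Dict[str, int]:
    """Map nameif -> security-level for every interface that has a nameif."""
    levels: Dict[str, int] = {}
    name = None
    for raw in show_run.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                       # start of a new interface block
        elif line.startswith("nameif "):
            name = line.split(None, 1)[1]
        elif line.startswith("security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels


def parse_nat_hits(show_nat: str) -> List[Tuple[str, str, int]]:
    """Return (source_if, dest_if, translate_hits) for each NAT rule listed."""
    rules: List[Tuple[str, str, int]] = []
    current = None
    for raw in show_nat.splitlines():
        m = NAT_RULE.match(raw.strip())
        if m:
            current = (m.group("src"), m.group("dst"))
            continue
        h = NAT_HITS.search(raw)
        if h and current is not None:
            rules.append((current[0], current[1], int(h.group(1))))
            current = None
    return rules


def inter_interface_verdict(levels: Dict[str, int], src: str, dst: str,
                            same_security_permit: bool = False) -> str:
    """Apply the ASA security-level rule to traffic entering src and leaving dst."""
    s, d = levels[src], levels[dst]
    if s > d:
        return "permitted by default (higher to lower security level)"
    if s == d:
        if same_security_permit:
            return "permitted (same-security-traffic permit inter-interface is set)"
        return "denied (equal security levels and same-security-traffic permit inter-interface is not set)"
    return "denied unless an access-list on the source interface allows it"


def audit(show_run: str, show_nat: str, same_security_permit: bool = False) -> List[str]:
    """Collect findings that explain why Internet-bound traffic may not flow."""
    findings: List[str] = []
    levels = parse_interfaces(show_run)
    if levels.get("outside") == 100:
        findings.append("outside is security-level 100; the Internet-facing interface "
                        "is normally 0, so LAN -> outside is not a higher-to-lower flow")
    for name in levels:
        if name == "outside":
            continue
        verdict = inter_interface_verdict(levels, name, "outside", same_security_permit)
        if verdict.startswith("denied"):
            findings.append(f"{name} -> outside: {verdict}")
    for src, dst, hits in parse_nat_hits(show_nat):
        if hits == 0:
            findings.append(f"NAT rule ({src}) to ({dst}) has translate_hits = 0; "
                            "nothing has matched it yet, so check the test traffic path")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_RUN_INTERFACE, SHOW_NAT_DETAIL):
        print(finding)
```

Run against the constructed sample it reports the outside interface sitting at level 100, every LAN interface being denied towards outside because the levels are equal and the permit command is absent, and each NAT rule with zero hits; rerunning with same_security_permit=True drops the per-interface denials, which is the effect of the command suggested above.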
