1485 Views | 16 Helpful | 3 Replies

Multiple Subinterfaces on same context.

Hi,

I'm having a difficult time finding examples where there is a multi-context ASA using multiple subinterfaces under the contexts. I'm running a 5585-X SSP-10 in my network.
We have a license for 20 contexts and are currently only using a quarter of those contexts. The issue is, the way they set this up was only one subinterface per context, and that's how they want to keep it.
I'm already charged with adding three new VLANs to our firewall for migrating some devices off our old network to our new one. The issue is, if we keep doing that, we're going to burn through all these contexts in no time.

I'm assuming you can have multiple vlans going to the same context with multiple subinterfaces. That being said, I would assume you can block the traffic from two vlans on the same context from each other.

Can anyone link me to some configuration examples for multiple subinterfaces, and an example of what the access rules on the same context might look like for two vlans with different subnets?

Thanks.

Accepted Solution

I feel you are overthinking this. If you have set up an ASA interface before, then setting up subinterfaces in a context is not much different (other than having to allocate the interface to that given context). Then you configure the interface on the context as you would any other interface.

Your configuration would look like this:

changeto system
interface Gig0/0
 no shut
interface Gig0/0.1
 vlan 10
interface Gig0/0.2
 vlan 20
context A
 allocate-interface Gig0/0.1 - Gig0/0.2

changeto context A
interface G0/0.1
 security-level 100
 nameif inside
 ip add 10.10.10.1 255.255.255.0
interface G0/0.2
 security-level 0
 nameif outside
access-list TEST-ACL permit ip 10.10.10.0 255.255.255.0 any
access-list TEST-ACL2 permit ip any host 10.10.10.10
access-group TEST-ACL in interface inside
access-group TEST-ACL2 in interface outside

--
Please remember to select a correct answer and rate helpful posts

3 Replies


That's pretty much what I was looking for, but I can have several VLANs on the inside interface on the same context, right? And then I can block traffic between those VLANs with access rules on the same context?

 

That is correct for both questions.

--
Please remember to select a correct answer and rate helpful posts
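To show what "several VLANs in one context, isolated from each other by access rules" looks like end to end, here is an added configuration example that is not from the thread above and not from Cisco. It assumes a single trunk on GigabitEthernet0/0 carrying three migration VLANs (10, 20, 30) plus an outside VLAN (2), one context named MIGRATION, and the RFC 5737 documentation range 192.0.2.0/30 for the outside link; the interface names, context name, VLAN IDs and addresses are all placeholders chosen for the example.

```cisco
! --- System execution space: one physical trunk, four subinterfaces ---
changeto system
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.2
 vlan 2
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/0.30
 vlan 30

! All four subinterfaces land in ONE context, so one context serves three VLANs
context MIGRATION
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/0.30
 config-url disk0:/migration.cfg

! --- Inside the context: each VLAN gets its own routed interface ---
changeto context MIGRATION
interface GigabitEthernet0/0.2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
interface GigabitEthernet0/0.10
 nameif vlan10
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 nameif vlan20
 security-level 100
 ip address 10.10.20.1 255.255.255.0
interface GigabitEthernet0/0.30
 nameif vlan30
 security-level 100
 ip address 10.10.30.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1

! Traffic between two interfaces at the same security level is dropped unless
! "same-security-traffic permit inter-interface" is configured. The ACLs below
! state the isolation explicitly (and log it), so the policy is visible in the
! config and keeps holding if someone later turns that command on.
object-group network MIGRATION-VLANS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0

! Per-VLAN inbound policy: deny anything aimed at a sibling VLAN, permit the rest
access-list VLAN10-IN extended deny ip 10.10.10.0 255.255.255.0 object-group MIGRATION-VLANS log
access-list VLAN10-IN extended permit ip 10.10.10.0 255.255.255.0 any
access-list VLAN20-IN extended deny ip 10.10.20.0 255.255.255.0 object-group MIGRATION-VLANS log
access-list VLAN20-IN extended permit ip 10.10.20.0 255.255.255.0 any
access-list VLAN30-IN extended deny ip 10.10.30.0 255.255.255.0 object-group MIGRATION-VLANS log
access-list VLAN30-IN extended permit ip 10.10.30.0 255.255.255.0 any

access-group VLAN10-IN in interface vlan10
access-group VLAN20-IN in interface vlan20
access-group VLAN30-IN in interface vlan30
```

Two things worth checking once this is in place. First, the inbound ACL on each VLAN interface replaces the implicit "higher security level may reach anything" behaviour, so the `permit ... any` line is what keeps outbound traffic working; drop it and the VLAN is cut off entirely. Second, confirm the isolation from the context itself with the built-in simulator rather than by trusting the config, for example `packet-tracer input vlan10 tcp 10.10.10.5 1234 10.10.20.5 80`, which should end in a DROP at the ACL phase, while the same trace toward an outside address should be allowed and end with the outside egress interface.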
