Question on ASA firewall rules

s.wightman
Level 1

Hi there,

I have a situation with a customer who has an ASA 5510. They have a fairly standard config with an Internal, DMZ and Outside interface, with rules on the Internal and Outside interfaces primarily. What they want to do is set up a guest wireless network.

What I want to do is split the Internal interface into 2 sub-interfaces: one with the same settings as the current Internal interface and the other in a second VLAN for the guest wireless traffic. In order to do this, though, I have to remove the current config from the Internal interface. The big question mark for me is what happens to all the firewall rules for the current Internal interface when I remove it. Do they all get deleted? Do they revert to global rules? Do they remain unchanged, ready to be applied to whatever interface is named as Internal in the future? (That's what I'm hoping for.)

One other thing: if I put the second sub-interface for the wireless guest traffic into VLAN 2, that is effectively enabling 802.1Q, right? Frames tagged for VLAN 2 will go to the second sub-interface and native VLAN 1 will go to the Internal sub-interface, right?

Accepted Solution

varrao
Level 10

Hi Scott,

Whenever you create sub-interfaces on a physical interface, all the configuration done on the physical interface would be wiped out, which means NAT, ACLs, routes etc. would be deleted. So the best way is to save the configuration first, create your sub-interfaces, and then re-apply the configuration that you previously had for the physical interface on the new sub-interface that you have created for the internal interface.

Now for the guest interface, you are correct: frames tagged with VLAN 2 would go only to VLAN 2, and those for native VLAN 1 would go to the internal interface.

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC


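The migration described in the accepted answer, written out as ASA CLI so the order of operations and what has to be re-applied are visible. This is an added example and is not configuration from the original thread, from the poster's customer, or from Cisco. Everything concrete in it is assumed for illustration: the physical interface Ethernet0/1, VLAN IDs 10 (internal) and 2 (guest), the 10.1.0.0/24 and 10.1.2.0/24 addressing, the ACL names, the TFTP host 192.0.2.10, and the pre-8.3 `nat`/`global` syntax of that ASA generation. It also adds the one thing a guest segment should have from day one, an inbound ACL that blocks the guest VLAN from the internal network, and it keeps the physical interface unnamed so that only tagged frames are accepted.

```text
! ---- Step 1: capture what is about to be lost -----------------------------
! Save the whole running config off-box (host is assumed), then list every
! line that references the nameif "Internal". Those lines (access-group,
! nat, route, etc.) are the ones the ASA deletes when the name is removed.
copy running-config tftp://192.0.2.10/asa-before-guest-vlan.cfg
show running-config | include Internal

! ---- Assumed current state of the physical Internal interface ----------
! interface Ethernet0/1
!  nameif Internal
!  security-level 100
!  ip address 10.1.0.1 255.255.255.0
! access-group Internal_access_in in interface Internal
! nat (Internal) 1 10.1.0.0 255.255.255.0
! route Internal 10.2.0.0 255.255.0.0 10.1.0.254 1

! ---- Step 2: strip the physical interface ---------------------------------
! Removing the nameif is the point at which the interface-bound commands
! above disappear. The physical port stays up: its subinterfaces need it.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown

! ---- Step 3: recreate Internal as a tagged subinterface --------------------
interface Ethernet0/1.10
 vlan 10
 nameif Internal
 security-level 100
 ip address 10.1.0.1 255.255.255.0
 no shutdown

! ---- Step 4: add the guest subinterface on its own VLAN --------------------
! Low security level: by default it can reach nothing at a higher level
! without an ACL permitting it, which is the behaviour wanted for guests.
interface Ethernet0/1.2
 vlan 2
 nameif Guest
 security-level 10
 ip address 10.1.2.1 255.255.255.0
 no shutdown

! ---- Step 5: re-apply the bindings captured in step 1 ---------------------
! Paste back exactly the "Internal" lines from the saved config; the ACL
! bodies themselves (access-list Internal_access_in ...) were never removed.
access-group Internal_access_in in interface Internal
nat (Internal) 1 10.1.0.0 255.255.255.0
route Internal 10.2.0.0 255.255.0.0 10.1.0.254 1

! ---- Step 6: guest isolation (assumed names and ranges) -------------------
! Guests get Internet only; deny the internal LAN and the firewall's own
! Internal address explicitly before the permit-any so a later, broader
! rule cannot reopen it by accident.
access-list Guest_access_in extended deny ip any 10.1.0.0 255.255.255.0
access-list Guest_access_in extended permit ip any any
access-group Guest_access_in in interface Guest
nat (Guest) 1 10.1.2.0 255.255.255.0

! ---- Step 7: verify, then save --------------------------------------------
show interface ip brief
show running-config access-group
show nameif
write memory
```

Two checks worth doing before calling it done. First, diff the new running config against the file saved in step 1 and make sure every line that mentioned "Internal" is present again, not just the `access-group`. Second, the switch port facing Ethernet0/1 must now be an 802.1Q trunk that tags both VLAN 10 and VLAN 2; with the physical interface left unnamed as above, untagged frames arriving on the port are simply dropped, so an access port or a trunk whose native VLAN is 10 will look like a dead link rather than a misconfiguration.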

3 Replies

Hi Varun,

Thanks for the prompt reply - So that includes all the firewall rules as well? Nothing survives and I'd have to manually recreate everything after creating the sub-interface?

Damn that's the worst case scenario!

Not all access rules on the ASA, but only the ones which were associated with that particular physical interface on which you would be creating the sub-interface. The rest would all remain intact.

Thanks,
Varun Rao
Security Team,
Cisco TAC
