06-05-2012 04:21 PM - edited 03-11-2019 04:15 PM
Hi there,
I have a situation with a customer who has an ASA 5510. They have a fairly standard config with an Internal, DMZ and Outside interface, with rules on the Internal and Outside interfaces primarily. What they want to do is set up a guest wireless network.
What I want to do is split the Internal interface into 2 sub interfaces - one with the same settings as the current Internal interface and the other in a second VLAN for the guest wireless traffic. In order to do this though I have to remove the current config from the internal interface. The big question mark for me is what happens to all the firewall rules for the current Internal interface when I remove it? Do they all get deleted? do they revert to Global rules?, do they remain unchanged ready to be applied to whatever interface is named as Internal in the future? (That's what I'm hoping for)
One other thing, if I put the second sub interface for the wireless guest traffic into VLAN 2 that is effectively enabling 802.1Q right? Frames tagged for VLAN 2 will go to the second sub interface and native VLAN 1 will go to the Internal sub interface right?
06-05-2012 04:30 PM
Hi Scott,
Whenever you create sub-interfaces on a physical interface, all the configuration done on the physical interface would be wiped out, which means NAT, ACLs, routes etc. would be deleted. So the best way is to save the configuration first, create your sub-interfaces and then re-apply the configuration that you previously had for the physical interface on the new sub-interface that you have created for the internal interface.
Now for the guest interface, you are correct: frames tagged with VLAN 2 would go only to VLAN 2, and those for native VLAN 1 would go to the internal interface.
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC
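Before wiping the physical interface, a practitioner would want an inventory of every global line that is bound to its nameif, since those are the lines that have to be re-applied on the new sub-interface. The script below is an added example, not part of this thread or Cisco's tooling: it parses a saved running-config (the config text here is constructed for illustration, with hypothetical names such as `Internal_access_in` and `DMZ_SERVER`) and lists the `access-group`, `nat` and `route` lines that reference the interface, plus the ACL entries behind the binding.

```python
import re
from collections import defaultdict

# Constructed sample of a saved ASA running-config (not a real customer config).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
access-list Internal_access_in extended permit tcp any any eq 80
access-list Internal_access_in extended deny ip any any
access-list Outside_access_in extended permit tcp any host 203.0.113.10 eq 443
access-group Internal_access_in in interface Internal
access-group Outside_access_in in interface Outside
nat (Internal,Outside) source dynamic any interface
nat (DMZ,Outside) source static DMZ_SERVER DMZ_SERVER_PUBLIC
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route Internal 10.20.0.0 255.255.0.0 192.168.10.254 1
"""


def interface_blocks(config):
    """Return {interface name: [sub-commands]} for every 'interface' stanza."""
    blocks = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return blocks


def nameif_of(config, physical):
    """The nameif configured under a physical interface, or None."""
    for cmd in interface_blocks(config).get(physical, []):
        if cmd.startswith("nameif "):
            return cmd.split()[1]
    return None


def dependent_config(config, nameif):
    """Global lines that reference the interface by nameif and must be re-applied
    on the sub-interface that takes over that name."""
    deps = defaultdict(list)
    acl_names = set()
    for line in config.splitlines():
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", line)
        if m and m.group(3) == nameif:
            deps["access-group"].append(line)
            acl_names.add(m.group(1))
            continue
        m = re.match(r"nat \((\S+),(\S+)\)", line)
        if m and nameif in m.groups():
            deps["nat"].append(line)
            continue
        m = re.match(r"route (\S+) ", line)
        if m and m.group(1) == nameif:
            deps["route"].append(line)
    # ACL entries themselves are global objects; they are listed only so the
    # binding can be checked against the rules it is supposed to carry.
    for line in config.splitlines():
        if line.startswith("access-list ") and line.split()[1] in acl_names:
            deps["access-list"].append(line)
    return dict(deps)


def migration_plan(config, physical):
    """Everything tied to a physical interface: its own sub-commands and the
    global lines that reference its nameif."""
    name = nameif_of(config, physical)
    return {
        "physical": physical,
        "nameif": name,
        "interface_commands": interface_blocks(config).get(physical, []),
        "dependents": dependent_config(config, name) if name else {},
    }


if __name__ == "__main__":
    plan = migration_plan(SAMPLE_CONFIG, "Ethernet0/1")
    print(f"{plan['physical']} (nameif {plan['nameif']}):")
    for cmd in plan["interface_commands"]:
        print("  ", cmd)
    for kind, lines in plan["dependents"].items():
        print(f"{kind}:")
        for line in lines:
            print("  ", line)
```

Run it against `show running-config` output saved to a file (replace `SAMPLE_CONFIG` with the file contents) and diff the result against the config after the sub-interfaces are in place; any line from the dependents list that is missing afterwards is one that was lost with the physical interface.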
06-05-2012 05:15 PM
Hi Varun,
Thanks for the prompt reply - So that includes all the firewall rules as well? Nothing survives and I'd have to manually recreate everything after creating the sub-interface?
Damn that's the worst case scenario!
06-05-2012 05:41 PM
Not all access rules on the ASA, but only the ones which were associated with that particular physical interface on which you would be creating the sub-interface. The rest would all remain intact.
Thanks,
Varun Rao
Security Team,
Cisco TAC