02-15-2018 08:17 AM - edited 02-21-2020 07:22 AM
Hi All,
Trying to carve out a DMZ zone on my 5506 without buying a switch (budget freeze). If I use bridge-group in the following configuration, does this effectively allow all of the devices I plug into the bridge-group assigned ports to be on the same subnet?
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
bridge-group 1
nameif DMZ_1
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif DMZ_2
security-level 50
!
interface GigabitEthernet1/5
bridge-group 1
nameif DMZ_3
security-level 50
!
interface GigabitEthernet1/6
bridge-group 1
nameif DMZ_4
security-level 50
!
interface GigabitEthernet1/7
bridge-group 1
nameif DMZ_5
security-level 50
!
interface GigabitEthernet1/8
bridge-group 1
nameif DMZ_6
security-level 50
!
interface BVI1
nameif DMZ
security-level 50
ip address 192.168.99.1 255.255.255.0
02-15-2018 10:51 AM
Another method would be to use a VLAN interface as the gateway and just set any of the ports you want in the DMZ as access ports on that VLAN. It makes the config a little easier.
!
interface VLAN 99
nameif DMZ
security-level 50
ip address 192.168.99.1 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface range GigabitEthernet1/3-8
switchport access vlan 99
!
02-16-2018 05:07 AM
Hi Ben,
I believe you are referencing a 5505. When I try to create a vlan interface on the 5506, there is no option:
FW171Chennai-FLC5506# config t
FW171Chennai-FLC5506(config)# inter ?
configure mode commands/options:
GigabitEthernet GigabitEthernet IEEE 802.3z
Management Management interface
Port-channel Ethernet Channel of interfaces
Redundant Redundant Interface
vni VNI Interface
<cr>
08-14-2024 07:02 PM
ASA5506-x has no "switchport" command in interface configuration mode.
02-16-2018 05:28 AM
Ah yes, you are correct, no more VLAN interfaces on the 5506.
Your original bridge group config will accomplish the same thing. All ports in the bridge group will be on the same subnet.
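An added check, not part of this thread or of Cisco's tooling: a short Python parser for ASA interface stanzas like the one posted in the question that groups ports by bridge-group and flags member ports whose security levels disagree (the posted config leaves DMZ_1 at 100 while the other DMZ ports are 50, so the firewall applies different default access between those ports even though they share one subnet). The embedded config is a constructed excerpt of the question's config, not output from a device.

```python
# Constructed sample: the bridge-group part of the config posted above (DMZ_1 at 100, others at 50).
ASA_CONFIG = """\
interface GigabitEthernet1/3
 bridge-group 1
 nameif DMZ_1
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif DMZ_2
 security-level 50
!
interface BVI1
 nameif DMZ
 security-level 50
 ip address 192.168.99.1 255.255.255.0
"""

def parse_interfaces(text):
    """Return {interface: {command: argument}} for every 'interface' stanza."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {}
        elif current is not None:
            cmd, _, arg = line.partition(" ")
            ifaces[current][cmd] = arg
    return ifaces

def bridge_group_report(ifaces):
    """Map each bridge-group id to its BVI name, member security levels, and a mismatch flag."""
    report = {}
    for name, attrs in ifaces.items():
        is_bvi = name.upper().startswith("BVI")
        bg_id = name[3:] if is_bvi else attrs.get("bridge-group")
        if bg_id is None:
            continue  # plain routed port (inside/outside), not part of a bridge group
        entry = report.setdefault(bg_id, {"bvi": None, "members": {}})
        if is_bvi:
            entry["bvi"] = attrs.get("nameif", name)
        else:
            entry["members"][attrs.get("nameif", name)] = int(attrs.get("security-level", -1))
    for entry in report.values():
        # Review flag (not ASA output): member ports of one bridge group with differing levels
        entry["inconsistent"] = len(set(entry["members"].values())) > 1
    return report
```

Run `bridge_group_report(parse_interfaces(ASA_CONFIG))` to see bridge group 1 reported as inconsistent; setting DMZ_1 to 50 clears the flag.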