
Vlan Config on ASA 5505

mmoriarta
Level 1

I know this is probably an easy question, and please don't jump all over me. I have been messing with an ASA 5505 appliance. I would assume you can change the vlans from vlan 1 inside and vlan 2 outside to whatever you want. If I am not able to do that, just say so and no reading onward is necessary.

If you can change the vlans then here is my problem.

I created a vlan 20 and associated with eth 0/3 on the ASA 5505 and configured as nameif inside.

I connected the port using a crossover cable to a 2950 switch. I connected a couple of PCs to the switch and used the 172.16.1.0/24 network. I assigned an IP address of 172.16.1.1/24 to eth0/3. I set up a DHCP server to hand out IP addresses.

My question is: do I have to set up another vlan for my PCs in order to access the "interwebs?" Do I set up trunking from the switch to the ASA 5505?

Thank you for your reply.


Jouni Forss
VIP Alumni

Hi,

The default setup with ASA5505 uses only 2 Vlan IDs.

You should be able to use any Vlan ID between Vlan IDs 1-4090. For official confirmation, this can be looked up in the Command Reference for the command "interface Vlan".

Both of those Vlans are typically assigned to the physical ports as Access Mode ports.

Typically you have one Vlan ID for "outside" and attach this Vlan to only a single Access Mode port, to which you attach your ISP's device/ethernet cable. The other Vlan ID is used for "inside" and is usually assigned to the rest of the physical ports as Access Mode ports.

With Base License ASA5505 you are able to configure a third Vlan interface which is restricted.

If you have a Security Plus License then you will be able to configure 20 Vlan interfaces max and also get support for Trunking (not available in Base License).

So you only need 1 Vlan ID for the single LAN network and 1 Vlan ID for the WAN connection.

Hope this helps

Please do ask more if needed

- Jouni

Jouni,

Thanks for the response. If I am reading your reply correctly (I have a Base License), then I can just remove vlan 1 and rename it vlan 20 and put in the correct parameters, correct? Or is that not a good practice?

Thanks

Hi,

Yes, you can remove the existing interface and use whatever Vlan ID you want from the mentioned range of 1-4090 for both "inside" and "outside" interfaces. Naturally your interface "nameif" can also be what you want. They could be "LAN" and "WAN", for example.

Since you are using the Base License and won't be able to use Trunk interfaces, the Vlan ID only really has local significance (since it's not passed anywhere via Trunk) and acts more like an interface ID (like the 0/0 or 0/1 in the physical interfaces).

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Naturally if you have some more questions related to this then feel free to ask more

- Jouni

EDIT: Corrected a stupid typo

mmoriarta
Level 1

Thank you Jouni. I appreciate the help. And thank you for a great explanation.
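The setup discussed in this thread, written out as ASA 5505 configuration. This is an added example, not configuration posted by either participant. It assumes a Base License unit, Ethernet0/0 as the ISP-facing port, DHCP addressing on the outside, and a hypothetical third VLAN 30 named "dmz" with a constructed 192.168.30.0/24 subnet to show the Base License restriction.

```cisco
! Constructed example; interface numbers and the dmz subnet are assumptions.
! Remove the factory-default inside VLAN so that Vlan20 can take the
! "inside" role. Do this from the console, not over a session on Vlan1.
no interface Vlan1
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Assumption: Ethernet0/0 connects to the ISP device.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
! Access Mode port toward the 2950. The VLAN tag never leaves the ASA,
! so the switch port stays an ordinary access port and no trunk is needed.
interface Ethernet0/3
 switchport access vlan 20
 no shutdown
!
! Optional third VLAN on a Base License. It is restricted: it must be
! barred from initiating traffic to one other VLAN, and that restriction
! has to be entered before nameif is accepted.
interface Vlan30
 no forward interface Vlan20
 nameif dmz
 security-level 50
 ip address 192.168.30.1 255.255.255.0
```

`show switch vlan` lists which physical ports belong to each VLAN, and `show interface ip brief` confirms the addresses and link state afterwards.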
