08-21-2019 12:21 PM
I have bundled three ethernet ports of my ASA 5520 into a port channel. I have then created subinterfaces for internal VLANs. All that works fine no issues.
My ISP assigns me an IP address with DHCP. Currently, I have a physical ethernet port on the ASA set as the outside interface and it has been configured as a DHCP client. It gets an IP address from the ISP. Again, this works too. No issues.
What I would like is to add the outside physical interface port to the channel group of three so that I have four ports in that channel and then set up a subinterface for the outside internet.
I hope this makes sense and, if it does, will it work?
08-22-2019 12:20 AM
Yes, it will work. But it would be a bad security practice and you should not do that. If you have your outside interface on the same ether-channel as the internal VLANs, then the internet has to be physically terminated on the internal switch. If you have a misconfiguration or a malfunction of the switch, then you have just bound your internal network directly into the internet.
BTW: Using a firewall that is not supported by the vendor any more is also a bad security practice.
08-22-2019 05:54 AM
Do you know what the config should be on the switch port as an example please?
08-22-2019 06:28 AM - edited 08-22-2019 06:29 AM
Hello Zaffar,
>> What I would like is to add the outside physical interface port to the channel group of three so that I have four ports in that channel and then set up a subinterface for the outside internet.
This would mean connecting the internet link to the internal switch with a potential of firewall bypass as noted by Kirsten.
You should stay with current setup so that traffic has to go through the ASA from the internet to the internal network.
Performance should not be your first priority here.
Try to see if you can add to the bundle another interface that is not the outside.
Hope to help
Giuseppe
08-23-2019 01:23 AM
I am prepared to take the risk and get this set up for testing only. This is not a live environment production network. Could I be advised as to what configuration is required on the switch port to get this working anyhow, please?
08-23-2019 01:38 AM - edited 08-23-2019 01:40 AM
Hello Zaffar,
If it is a lab and you are aware of the risks:
You need to remove all the L3, nameif and security-level commands from the outside interface.
Then you configure the physical interface exactly as the current three member links of the bundle.
Probably you need a switchport command before adding the other L2 commands.
Then you need to configure a VLAN-based subinterface of the bundle with a new vlan-id, and you will put all the L3, nameif and security-level commands there.
On the switch, you need to create the new VLAN outside, and you also need an access port in the outside VLAN and an interface to be used as the 4th member of the bundle.
On the access port in VLAN outside you connect the ISP internet handoff.
You also need to add the new VLAN outside to the list of permitted VLANs on the internal switch, if it is an L2 bundle on the switch side.
Hope to help
Giuseppe
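As an added worked example (not Giuseppe's or Zaffar's own configuration), the steps above written out as an ASA 9.x and Cisco IOS switch configuration. All names and numbers are assumptions for the lab: Port-channel1 already bundles GigabitEthernet0/0 to 0/2, GigabitEthernet0/3 is the current outside port, VLAN 99 is the new outside VLAN, the internal VLANs are 10, 20 and 30, switch port Gi1/0/4 becomes the 4th bundle member and Gi1/0/24 takes the ISP handoff. The ASA side assumes the member interface only needs the channel-group command once its L3 settings are removed.

```text
! ---- ASA 5520 (assumed existing Po1 with Gi0/0-0/2 as members) ----
! 1. Strip the L3 identity from the old outside port, then make it a bundle member.
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
 channel-group 1 mode active
 no shutdown
!
! 2. Recreate "outside" as a dot1q subinterface of the bundle (new vlan-id 99).
interface Port-channel1.99
 vlan 99
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! ---- Internal switch (Cisco IOS, assumed LACP L2 trunk bundle) ----
! 3. Create the new outside VLAN. Do NOT create "interface Vlan99": the switch
!    must have no L3 presence in the VLAN the ISP terminates on.
vlan 99
 name OUTSIDE-ISP
!
! 4. Add the 4th member, configured like the existing three trunk members.
interface GigabitEthernet1/0/4
 description ASA Po1 member 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
 channel-group 1 mode active
!
! 5. Permit VLAN 99 on the bundle itself (explicit list, not "all").
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
!
! 6. Access port for the ISP handoff, locked to VLAN 99 only.
interface GigabitEthernet1/0/24
 description ISP handoff - VLAN 99 only
 switchport mode access
 switchport access vlan 99
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
```

The switch-side choices are what keep the risk Kirsten and Giuseppe describe contained to a single VLAN: the ISP port is an access port with DTP disabled (`switchport nonegotiate`) and BPDU guard so it can never become a trunk, VLAN 99 is listed explicitly on the trunks rather than allowed wholesale, VLAN 99 is not the native VLAN on any trunk, and the switch carries no SVI in VLAN 99. A quick check after applying it is `show etherchannel summary` on both sides (all four members should show as bundled) and `show interface Port-channel1.99` on the ASA to confirm the DHCP lease landed on the subinterface.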