888 Views · 0 Helpful · 5 Replies

ASA 5520 Subinterface outside

zaffarsiddiq
Level 1

I have bundled three ethernet ports of my ASA 5520 into a port channel. I have then created subinterfaces for internal VLANs. All that works fine no issues.

 

My ISP assigns me an IP address with DHCP. Currently, I have a physical ethernet port on the ASA set as the outside interface and it has been configured as a DHCP client. It gets an IP address from the ISP. Again, this works too. No issues.

 

What I would like is to add the physical outside interface port to the channel group of three so that I have four ports in that channel and then set up a subinterface for the outside internet.

 

I hope this makes sense, and if it does, will it work?

5 Replies

Yes, it will work. But it would be a bad security practice and you should not do that. If you have your outside interface on the same ether-channel as the internal VLANs, then the internet has to be physically terminated on the internal switch. If you have a misconfiguration or a malfunction of the switch, then you have just bound your internal network directly into the internet.

BTW: Using a firewall that is not supported by the vendor any more is also a bad security practice.

Do you know what the config should be on the switch port as an example please?

Giuseppe Larosa
Hall of Fame

Hello Zaffar,

>> What I would like is to add the physical outside interface port to the channel group of three so that I have four ports in that channel and then set up a subinterface for the outside internet.

 

This would mean connecting the internet link to the internal switch with a potential of firewall bypass as noted by Kirsten.

 

You should stay with current setup so that traffic has to go through the ASA from the internet to the internal network.

 

Performance should not be your first priority here.

Try to see if you can add to the bundle another interface that is not the outside.

 

Hope to help

Giuseppe

 

I am prepared to take the risk and get this set up for testing only. This is not a live environment production network. Could I be advised as to what configuration is required on the switch port to get this working anyhow, please?

Hello Zaffar,

If it is a lab and you are aware of the risks:

You need to remove all the L3, nameif and security-level commands from the outside interface.

Then you configure the physical interface exactly as the current three member links of the bundle.

Probably you need a switchport command before adding the other L2 commands.

 

Then you need to configure a VLAN-based subinterface of the bundle with a new VLAN ID, and you will put all the L3, nameif and security-level commands on it.

 

 

On the switch you need to create the new VLAN outside, and you also need an access port in the outside VLAN and an interface to be used as the 4th member of the bundle.

On the access port in Vlan outside you connect the ISP internet handoff.

You also need to add the new outside VLAN to the list of permitted VLANs on the internal switch, if it is an L2 bundle on the switch side.

 

Hope to help

Giuseppe
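As an added example that is not part of the thread, the steps above written out as ASA and IOS switch configuration. Everything named here is an assumption: GigabitEthernet0/0 to 0/2 as the existing members of Port-channel1, GigabitEthernet0/3 as the current outside port, VLAN 100 as the new outside VLAN, Gi1/0/1 to 1/0/4 as the switch-side bundle members and Gi1/0/5 as the access port for the ISP handoff. The ASA commands assume a 5520 on a release that supports EtherChannel; the `switchport trunk encapsulation dot1q` line is only accepted on switch platforms that support ISL as well as dot1q and should be dropped on the others.

```text
! ===== ASA 5520 (example configuration, names and VLAN id assumed) =====
!
! Step 1: strip the L3 identity from the current outside port.
! A member of a channel-group must carry no nameif/ip configuration.
! security-level is tied to the nameif and goes with it.
interface GigabitEthernet0/3
 no ip address
 no nameif
 no shutdown
! Step 2: make it the 4th member, same mode as the existing three members.
 channel-group 1 mode active
!
! Step 3: the VLAN subinterface of the bundle now holds the outside
! identity (nameif, security-level, DHCP client) that Gi0/3 used to have.
interface Port-channel1.100
 vlan 100
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Checks on the ASA: four bundled members, and a DHCP lease on the subinterface.
show port-channel summary
show interface Port-channel1.100
show ip address outside dhcp lease

! ===== Internal switch (IOS syntax, interface names assumed) =====
!
! The outside VLAN is now a VLAN of the internal switch. Any change that
! lets VLAN 100 reach an internal port is the firewall bypass both replies warn about,
! so keep the VLAN and its access port out of the VTP/pruning and VLAN-change workflows
! used for internal VLANs.
vlan 100
 name OUTSIDE
!
! 4th bundle member, configured exactly like the existing three trunk members.
interface GigabitEthernet1/0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
! The bundle (an L2 trunk on the switch side) must permit the new VLAN.
interface Port-channel1
 switchport trunk allowed vlan add 100
!
! Access port where the ISP handoff plugs in: untagged ISP frames land in VLAN 100
! and leave the switch only via the trunk to the ASA subinterface.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
!
! Checks on the switch: all four members bundled, VLAN 100 allowed on the trunk,
! and only Gi1/0/5 plus the port-channel carrying VLAN 100.
show etherchannel summary
show interfaces trunk
show vlan id 100
```

The last check on the switch is the one worth repeating after every later change: if `show vlan id 100` ever lists an internal access port, or `show interfaces trunk` shows VLAN 100 allowed on a trunk other than the one to the ASA, the internet link is reachable without passing through the firewall.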
