ASA 5505 to 5506 VLAN Help

ketansoni1
Level 1
ASA 5505

interface Ethernet0/0 ( THIS IS MY OUTSIDE INTERFACE)
switchport access vlan 2
interface Vlan2
nameif outside
security-level 0
ip address 209.X.X.X 255.255.255.248
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.1 255.255.255.0
interface Ethernet0/1 ( INSIDE INTERFACE, NO SWITCHPORT ACCESS VLAN 100 MENTIONED)

How do I configure the Cisco ASA 5506 VLANs? The only option is to use sub-interfaces. Would someone be able to advise how to configure the interfaces? Any suggestions would be greatly appreciated.

interface GigabitEthernet1/3
nameif Outside
security-level 0
no ip address
!
interface GigabitEthernet1/3.2
vlan 2
no nameif
security-level 0
ip address 209.156.159.114 255.255.255.248
interface GigabitEthernet1/2 (Inside)
nameif inside
security-level 100
ip address 192.168.15.101 255.255.255.0

Reza Sharifi
Hall of Fame

In the newer model of ASA (5506x) Cisco has eliminated VLANs. You can use sub-interfaces or, if that is not an option for you, you connect the end devices to a switch and then connect the switch to the firewall.

HTH

Thanks for the prompt reply. Would my config I posted with the sub interfaces work?

Thanks

Hi

Yes, your configuration will work fine, it is known as sub-interface vlan. Check the license to get the amount of interface vlans you want. Cisco 5506X is the evolution of 5505. 

It works like Router in a Stick scheme. 

The config should be like:

interface GigabitEthernet1/1.2
vlan 2
nameif INSIDE
security-level 0
ip address 209.156.159.114 255.255.255.248
no shutdown

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-vlan.pdf

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

Hi,

Yes, the sub-interface config will work as long as you are only connecting one device to that interface, meaning all the end devices connect to some sort of switch or hub and then that device connects to the firewall. If you are actually using a switch or hub you don't even need a sub-interface. A regular layer-3 interface will work fine but it is best practice to use a sub-interface.

HTH 

Thank you for this.

I have configured this as below:

interface GigabitEthernet1/2
no nameif
no security-level
no ip address

interface GigabitEthernet1/2.1
vlan 1
nameif INSIDE
security-level 100
ip address 192.168.15.1 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3.2
vlan 2
nameif OUTSIDE
security-level 0
ip address 209.x.x.x 255.255.255.248

See attached, the box where it says laptop should read switch

Hi

That is correct, it will work, but remember if you are using sub-interfaces, you should have a trunk on the switch connected to the Firewall, and the same on the OUTSIDE interface; the provider should have a Trunk or a router using sub-interfaces as well.

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<
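
The migration discussed in this thread, expressed as an added Python example (not code from any poster or from Cisco): it reads the `interface VlanN` stanzas of a 5505-style config and emits 5506-X sub-interface stanzas in the form of the final config posted above. The function names and the VLAN-to-port mapping are assumptions, and the sample input is constructed from the question.

```python
import re

# Constructed sample in the style of the ASA 5505 config quoted in the question.
SAMPLE_5505 = """\
interface Ethernet0/0
 switchport access vlan 2
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.X.X.X 255.255.255.248
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
"""

def parse_vlan_interfaces(config):
    """Return {vlan_id: [stanza lines]} for every 'interface VlanN' stanza."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.lower().startswith("interface "):
            m = re.fullmatch(r"interface\s+Vlan(\d+)", line, re.IGNORECASE)
            current = vlans.setdefault(int(m.group(1)), []) if m else None
        elif current is not None:
            current.append(line)
    return vlans

def to_subinterfaces(config, parent_for_vlan):
    """Emit 5506-X style stanzas; parent_for_vlan maps VLAN id -> physical port."""
    vlans = parse_vlan_interfaces(config)
    missing = sorted(set(vlans) - set(parent_for_vlan))
    if missing:
        raise ValueError(f"no parent port chosen for VLAN(s): {missing}")
    out = []
    for parent in sorted(set(parent_for_vlan[v] for v in vlans)):
        # The physical port carries no name, level or address of its own.
        out += [f"interface {parent}", " no nameif", " no security-level",
                " no ip address", " no shutdown", "!"]
        for vid in sorted(v for v in vlans if parent_for_vlan[v] == parent):
            out += [f"interface {parent}.{vid}", f" vlan {vid}"]
            out += [f" {l}" for l in vlans[vid]] + ["!"]
    return "\n".join(out)

if __name__ == "__main__":
    print(to_subinterfaces(SAMPLE_5505, {1: "GigabitEthernet1/2", 2: "GigabitEthernet1/3"}))
```

Review the carried-over `nameif` and `security-level` lines before applying the output, and remember that the switch port facing each parent interface must be a trunk carrying the listed VLANs, as the last reply points out.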