11-15-2012 12:24 PM - edited 03-07-2019 10:04 AM
I had asked this in a separate "answered" and now closed discussion, but didn't get an answer. Am hoping to get one now.
ASA5510 firewall
interface eth0/0 is now named "inside" and has an IP address of 192.168.1.254.
I now have to modify this interface to a VLAN friendly design.
My question is, if I move/make the interface name "inside" to a sub interface (eth0/0.1) under the same interface (eth0/0, in addition, also removing name and IP from eth0/0) will all my configurations in the firewall config be deleted or will it remain in place if I name the new VLAN "inside" just like it was on interface eth0/0?
I'm guessing I have to work on reconfiguring all instances where interface eth0/0 is now entered (aaa-servers, NATs, etc.). Any advice on manually working on show run entries to modify all occurrences of the interface would be most appreciated.
Show run details below
--------**OLD Config**----------
interface Ethernet0/0
no nameif
security-level 100
ip address 192.168.1.254 255.255.255.0
--------**NEW Config**----------
interface Ethernet0/0.1
nameif inside
security-level 100
ip address 192.168.99.1 255.255.255.0
interface Ethernet0/0.x
nameif IT
etc....
11-21-2012 07:19 AM
Hi Peter,
I'm not sure, I must see all the conf, but any configuration which references the "inside" interface will pass to the new int. eth0/0.0 (e.g. firewall rules).
11-21-2012 10:25 AM
Thanks for the response Christos. In the end, I hired a CCIE to take care of the transition, and from the looks of it, he left the eth0/0 interface with the inside name, left the ip address assigned to that same port (including assigning sec.level 100), and just created an eth0/0.1 sub-int, assigned it to vlan 1, no nameif, same sec. level, no ip address.
The other vlans were just continued on down the sub-ints (thus, eth0/0.2, etc.).
Strange, but it works. There were also some other mods (inter and intraface communications permitted), and NAT rules.
After adding some routes on the servers, it seems that everything works fine.
Thanks for your help! If someone wants to see a show run config, I'd be happy to paste a sanitized version up.
11-21-2012 11:17 AM
That is really a weird way he did it; I have never seen it like this. I actually have it set up currently on my firewall too and it is something like this:
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
vlan 150
nameif DMZ
security-level 25
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet0/2.2
vlan 13
nameif DMZ2
security-level 30
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
11-21-2012 02:14 PM
The physical port will still pass tagged and untagged packets, and that comes from Cisco's own manual, but it is non-standard. I'm sure he had his reasons.
As I say, we had to add routes on servers that were in the native VLAN so they could reply back to the hosts in the VLANs (DHCP and DNS). I'm wondering if the routes would have even been required if all the IPs had been on sub-ints? Wouldn't inter-VLAN routing via statics have ensured this?
The CCIE was very good at what he does, and was able to make this work. As long as there is no security issue with this config, I guess we'll just roll with it.
Here are the full, sanitized, relevant commands:
++++++++++++++++++++++++++
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.1
vlan 1
no nameif
security-level 100
no ip address
!
interface Ethernet0/0.20
vlan 20
nameif BUNNY1
security-level 85
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/0.25
vlan 25
nameif BUNNY2
security-level 90
ip address 192.168.25.1 255.255.255.0
!
interface Ethernet0/0.99
vlan 99
nameif BUNNY3
security-level 100
ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
security-level 50
no ip address
!
interface Ethernet0/2
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/3
description Outside IP
nameif outside
security-level 0
ip address Outside 255.255.255.0
access-list BUNNY3-NONAT extended permit ip 192.168.99.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BUNNY1-NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BUNNY2-NONAT extended permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BUNNY1-IN extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BUNNY1-IN extended permit ip 192.168.20.0 255.255.255.0 any
access-list BUNNY2-IN extended permit ip 192.168.25.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BUNNY2-IN extended permit ip 192.168.25.0 255.255.255.0 any
nat (inside) 1 192.168.1.0 255.255.255.0
nat (BUNNY3) 0 access-list BUNNY3-NONAT
nat (BUNNY3) 1 192.168.99.0 255.255.255.0
nat (BUNNY1) 0 access-list BUNNY1-NONAT
nat (BUNNY1) 1 192.168.20.0 255.255.255.0
nat (BUNNY2) 0 access-list BUNNY2-NONAT
nat (BUNNY2) 1 192.168.25.0 255.255.255.0
static (inside,BUNNY3) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,BUNNY1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,BUNNY2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group BUNNY1-IN in interface BUNNY1
access-group BUNNY2-IN in interface BUNNY2
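The original question asked how to find every show run entry tied to an interface name before moving it. As an added example (not from this thread or from Cisco), a short Python script parses a constructed excerpt of the config posted above, lists the global lines that reference a given nameif, and flags the layout discussed here: a physical port that keeps its own nameif while also carrying sub-interfaces, and a VLAN sub-interface with no nameif.

```python
import re
# Constructed excerpt of the sanitized ASA config posted in this thread.
SHOW_RUN = """\
interface Ethernet0/0
 nameif inside
!
interface Ethernet0/0.1
 vlan 1
 no nameif
!
interface Ethernet0/0.20
 vlan 20
 nameif BUNNY1
static (inside,BUNNY1) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group BUNNY1-IN in interface BUNNY1
"""

def parse_interfaces(cfg):
    """Collect nameif and vlan per interface stanza; indented lines belong to the stanza."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        w = line.split()
        if line.startswith("interface "):
            cur = ifaces.setdefault(w[1], {})
        elif line.startswith(" ") and cur is not None and w[0] in ("nameif", "vlan"):
            cur[w[0]] = w[1]
        elif not line.startswith(" "):
            cur = None  # "!" or a global command ends the stanza
    return ifaces

def references(cfg, nameif):
    """Global lines that use a nameif: nat (X), static (X,Y), access-group ... interface X."""
    hits = []
    for line in cfg.splitlines():
        if line[:1] in (" ", "!") or line.startswith("interface "):
            continue
        names = {n.strip() for g in re.findall(r"\(([^)]*)\)", line) for n in g.split(",")}
        names.update(re.findall(r"\binterface (\S+)", line))
        if nameif in names:
            hits.append(line)
    return hits

def audit(ifaces):
    """Flag this thread's layout: a named physical port that also has sub-interfaces, and VLAN sub-interfaces with no nameif."""
    findings = []
    for name, a in ifaces.items():
        if "." in name and "vlan" in a and "nameif" not in a:
            findings.append(f"{name}: vlan {a['vlan']} has no nameif, so NAT/ACLs cannot reference it")
        elif "." not in name and "nameif" in a and any(s.startswith(name + ".") for s in ifaces):
            findings.append(f"{name}: '{a['nameif']}' takes untagged traffic alongside its sub-interfaces")
    return findings
```

Run references() once per nameif you plan to rename to get the list of nat, static and access-group lines that must be re-entered after the move.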
11-22-2012 12:57 AM
Hi Peter,
Could you please send us, also the port configuration of the switch?
Thanks