Solved: Re: Moving "inside" interface to subinterface

marcosgeorgopoulos · ‎05-24-2010

Hi All,

I have setup some subinterfaces(VLANs) on my firewalls LAN physical interface and now I wish to move my "inside" interface from the phyical interface to its own VLAN so that my LAN physical interface is no longer accepting untagged traffic.

My firewall is connected to a 2960 switch.

I am managing these switches at the moment remotely at the moment and I do not want to loose management to the firewalls or the switch during this change.

I have opened up external ssh access to the firewall as a temporary measure from an IP.

I tried moving the inside interface configuration to a subinterface as VLAN 1 as my switch configuration has the current management IP in VLAN 1.

But then I lose connectivity to the switches ( cannot ping from the firewall).

For example.

Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is XXXXXX

Internet address is 192.168.1.98/24

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Gi0/17, Gi0/18, Gi0/19, Gi0/20, Gi0/21, Gi0/22
10   VLAN0010                         active
11   VLAN0011                         active

Port Mode Encapsulation Status Native vlan
Gi0/1 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi0/1 1-4094

I probably want to change my native VLAN to something else but until I'm on site I don't want to do this and lose access.

Any advice is greatly appreciated.

Jon Marshall · ‎05-26-2010

marcosgeorgopoulos wrote:

Hi,

Thank you for your reply.

Yes I want to move my "inside" 192.168.1.1 network from the physical interface to a subinterface so that I can tag it in a VLAN.

I know how to configure the subinterface etc.... but when I move it to a sub interface i.e

from e0/2 to e0/2.1 and assigned vlan 1,

I can no longer ping my switche which have a management ip of 192.168.1.98 ( the native VLAN on the switch is 1).

Marcos

If the native vlan of the switch is vlan 1 then the switch will not expect to see vlan 1 tagged coming from the firewall subinterface. So you need to change the native vlan on the switch.

Jon

View solution in original post

Federico Coto Fajardo · ‎05-24-2010

Marcos,

Currently the inside interface of the ASA has an IP on VLAN 1 (192.168.1.x/24)?
That IP is assigned to the physical interface and you want to move that configuration to a subinterface, but keep the same IP (same VLAN)?

Federico.

marcosgeorgopoulos · ‎05-26-2010

Hi,

Thank you for your reply.

Yes I want to move my "inside" 192.168.1.1 network from the physical interface to a subinterface so that I can tag it in a VLAN.

I know how to configure the subinterface etc.... but when I move it to a sub interface i.e

from e0/2 to e0/2.1 and assigned vlan 1,

I can no longer ping my switche which have a management ip of 192.168.1.98 ( the native VLAN on the switch is 1).

Jon Marshall · ‎05-26-2010

marcosgeorgopoulos wrote:

Hi,

Thank you for your reply.

Yes I want to move my "inside" 192.168.1.1 network from the physical interface to a subinterface so that I can tag it in a VLAN.

I know how to configure the subinterface etc.... but when I move it to a sub interface i.e

from e0/2 to e0/2.1 and assigned vlan 1,

I can no longer ping my switche which have a management ip of 192.168.1.98 ( the native VLAN on the switch is 1).

Marcos

If the native vlan of the switch is vlan 1 then the switch will not expect to see vlan 1 tagged coming from the firewall subinterface. So you need to change the native vlan on the switch.

Jon

marcosgeorgopoulos · ‎06-02-2010

Thanks John.