Pinesh Amin

Need help with ASA 5506-X configurations


I'm setting up a small network for the office. This is my 2nd 5506-X. The first one was set up without much of a problem since I had an L3 switch handling all the traffic. This time I have a different setup with unmanaged switches for each VLAN.

The connectivity goes:

ISP gateway--> GE1/1 of 5506

GE1/2 of 5506--> Unmanaged switch for inside Data traffic

GE1/3 of 5506--> Unmanaged switch for inside Voice traffic

GE1/8 of 5506--> to Managed Access Point which supports VLANs

Configuration parameters: 

Management VLAN 5 (Subnet:

Data VLAN 10: (Subnet:

Voice VLAN 20: (Subnet:

Guest VLAN 30: (Subnet: for guest Wi-Fi (Only Access points; no physical connectivity required for this vlan).

DHCP and DNS will be handled by ASA for each VLAN.

I want to configure the GE1/2 as Data VLAN, GE1/2 as Voice VLAN and GE1/8 as trunk.

I tried many things and read many things without any luck. I also found out that the ASA 5506-X doesn't have switchport capabilities. How can I make this work with the hardware I have?

Any help will be greatly appreciated.


Reza Sharifi
Hall of Fame Expert


As you already know, the new 5506-X series firewalls don't support switching/trunking capabilities.

Since you are using a physical interface per VLAN/subnet, your design should work. If you need to have multiple VLANs on one of the physical interfaces, you may want to try using sub-interfaces.


Hi Reza,

Thanks for the quick response.  

If I use a physical interface per VLAN, yes, it will work. So I configured the physical interfaces as follows:


interface GigabitEthernet1/1
 description ISP (ComCast) connection
 nameif outside
 security-level 0
 ip address dhcp setroute

interface GigabitEthernet1/2
 nameif Data
 security-level 100
 ip address

interface GigabitEthernet1/3
 nameif voice
 security-level 100
 ip address

dhcpd auto_config outside

dhcpd address Data
dhcpd dns interface Data
dhcpd enable Data

dhcpd address voice
dhcpd dns interface voice
dhcpd enable voice

object network obj_any
 nat (any,outside) dynamic interface

nat (Data,outside) after-auto source dynamic any interface (may not be needed)
nat (voice,outside) after-auto source dynamic any interface (may not be needed)

dns domain-lookup outside
dns server-group defaultdns
 name-server outside
 name-server outside
 domain-name drbh.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


Now, how can I configure the access point connected to physical interface G1/8 so that I can have access to all networks/VLANs (Data, Voice, Guest WiFi) over WiFi? It doesn't let me configure the sub-interfaces with the same names, as the names are already defined under the physical interfaces (GE1/2 & GE1/3). And where can I add a sub-interface for the Guest VLAN?

I'm very confused about the multiple vlans and sub-interfaces.  Please advise.



I am not sure what type of APs and wireless controller you have, but I was thinking that you connect the APs and the controller to a switch and then connect the switch to the firewall. Now, since you can't do VLANs on the firewall, I was thinking you can maybe create 2 sub-interfaces. Say G1/8 is where the switch is connected and you need 2 subnets (say for internal WiFi and guest WiFi). So, something like:

interface gigabitethernet1/8.50
vlan 50
interface gigabitethernet1/8.60
vlan 60
Please note: I have never done this, but I am trying to figure out a possible solution.
Here is the doc for ASA sub-interface config.
Also for reference:


Only one AP, so no controller is needed in this application. Also, the switches I have are unmanaged and can't do VLAN tagging, so the sub-interfaces won't work here. I will play with this and if it still doesn't work, I will connect the AP directly to the Data switch and have only the Data and guest networks configured with L2 isolation on the AP.

Thank you very much.  

Still open for help from anyone on this.
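
The sub-interface approach suggested in the thread, written out for the AP trunk on GE1/8 with the guest SSID isolated from the inside networks. This is an added example, not configuration posted by either participant. The subnets, the DNS server address and the nameif names `guest` and `wifi-data` are constructed placeholders, and it assumes the AP tags the guest SSID as VLAN 30 and the staff SSID as VLAN 10.

```cisco
! Added example, not from the thread. Subnets, the DNS address and the
! nameifs "guest" and "wifi-data" are constructed placeholders.
!
! The physical port carries the 802.1Q trunk to the AP. With no nameif it
! passes no untagged traffic itself.
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Guest SSID, tagged VLAN 30 by the AP, at a low security level.
interface GigabitEthernet1/8.30
 vlan 30
 nameif guest
 security-level 10
 ip address 192.168.30.1 255.255.255.0
!
! Staff SSID. A nameif must be unique and routed-mode interfaces cannot
! share a subnet, so this is not "Data" and not the subnet used on GE1/2.
interface GigabitEthernet1/8.10
 vlan 10
 nameif wifi-data
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
dhcpd address 192.168.30.50-192.168.30.200 guest
dhcpd dns 192.0.2.53 interface guest
dhcpd enable guest
dhcpd address 192.168.11.50-192.168.11.200 wifi-data
dhcpd dns 192.0.2.53 interface wifi-data
dhcpd enable wifi-data
!
! Guest isolation. Once an ACL is bound to the interface, the deny for the
! internal ranges must come before the permit that allows Internet access.
object-group network INTERNAL_NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list guest_in extended deny ip any object-group INTERNAL_NETS
access-list guest_in extended permit ip any any
access-group guest_in in interface guest
```

With `same-security-traffic permit inter-interface` already present in the posted configuration, `wifi-data` at security level 100 can reach `Data` and `voice`, while `guest` is stopped by the first ACL entry.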