Need help with ASA 5506-X configurations

Pinesh Amin
Level 1

Hello,

I'm setting up a small network for the office. This is my 2nd 5506-X. The first one was set up without much of a problem since I had an L3 switch handling all the traffic. This time I have a different setup with unmanaged switches for each VLAN.

The connectivity goes:

ISP gateway--> GE1/1 of 5506

GE1/2 of 5506--> Unmanaged switch for inside Data traffic

GE1/3 of 5506--> Unmanaged switch for inside Voice traffic

GE1/8 of 5506--> to Managed Access Point which supports VLANs

Configuration parameters: 

Management VLAN 5 (Subnet: 192.168.5.254/24)

Data VLAN 10: (Subnet: 10.10.10.254/24)

Voice VLAN 20: (Subnet: 10.10.20.254/24)

Guest VLAN 30: (Subnet: 10.10.30.254/24) for guest Wi-Fi (Only Access points; no physical connectivity required for this vlan).

DHCP and DNS will be handled by ASA for each VLAN.

I want to configure GE1/2 as the Data VLAN, GE1/3 as the Voice VLAN and GE1/8 as a trunk.

I tried many things and read many things without any luck. I also found out that the ASA 5506-X doesn't have switchport capabilities. How can I make this work with the hardware I have?

Any help will be greatly appreciated.

Thanks

4 Replies

Reza Sharifi
Hall of Fame

Hi,

As you already know, the new 5506-X series firewalls don't support switching/trunking capabilities.

Since you are using a physical interface per VLAN/subnet, your design should work. If you need to have multiple VLANs on one of the physical interfaces, you may want to try using sub-interfaces.

HTH

Hi Reza,

Thanks for the quick response.  

If I use a physical interface per VLAN, yes, it will work. So I configured the physical interfaces as follows:

!
interface GigabitEthernet1/1
 description ISP (ComCast) connection
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif Data
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
interface GigabitEthernet1/3
 nameif voice
 security-level 100
 ip address 10.10.20.254 255.255.255.0
!
dhcpd auto_config outside
!
dhcpd address 10.10.10.26-10.10.10.200 Data
dhcpd dns 75.75.75.75 8.8.8.8 interface Data
dhcpd enable Data
!
dhcpd address 10.10.20.26-10.10.20.200 voice
dhcpd dns 75.75.75.75 8.8.8.8 interface voice
dhcpd enable voice
!
object network obj_any
 nat (any,outside) dynamic interface
!
! The two after-auto NAT rules below may not be needed
nat (Data,outside) after-auto source dynamic any interface
nat (voice,outside) after-auto source dynamic any interface
!
dns domain-lookup outside
dns server-group defaultdns
 name-server 75.75.75.75 outside
 name-server 8.8.8.8 outside
 domain-name drbh.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!

Now, how can I configure the access point connected to physical interface G1/8 so that I can have access to all networks/VLANs (Data, Voice, Guest Wi-Fi) over Wi-Fi? It doesn't let me configure the sub-interfaces with the same names, as the names are already defined under the physical interfaces (GE1/2 & GE1/3). And where can I add a sub-interface for the Guest VLAN?

I'm very confused about the multiple VLANs and sub-interfaces. Please advise.

Thanks

Hi,

I am not sure what type of APs and wireless controller you have, but I was thinking that you connect the APs and the controller to a switch and then connect the switch to the firewall. Now, since you can't do VLANs on the firewall, I was thinking you can maybe create 2 sub-interfaces. Say g1/8 is where the switch is connected and you need 2 subnets (say 10.10.50.0/24 for internal Wi-Fi and 10.10.60.0/24 for guest Wi-Fi). So, something like:

interface GigabitEthernet1/8.50
 vlan 50
 nameif wifi
 security-level 100
 ip address 10.10.50.1 255.255.255.0
and
interface GigabitEthernet1/8.60
 vlan 60
 nameif guest
 security-level 50
 ip address 10.10.60.1 255.255.255.0
(the nameif values are placeholders; each sub-interface needs its own nameif and security-level before it passes traffic)
Please note; I have never done this, but trying to figure out a possible solution.
Here is the doc for ASA sub-interface config.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/interface-vlan.pdf
Also for reference:
https://supportforums.cisco.com/discussion/12456891/asa-5506-x-switchports
HTH

Hi,

Only one AP, so no controller is needed in this application. Also, the switches I have are unmanaged and can't do VLAN tagging, so the sub-interfaces won't work there. I will play with this and if it still doesn't work, I will connect the AP directly to the Data switch and have only the Data and guest networks configured with L2 isolation on the AP.

Thank you very much.  

Still open for help from anyone on this.

Thanks,
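The following is an added configuration example, not from any poster in this thread, showing how the VLAN-capable AP on GE1/8 could be served by 802.1Q sub-interfaces whose names differ from the physical Data and voice interfaces (the naming conflict raised above), with an access list that keeps guest clients off the internal subnets. The guest VLAN 30 and 10.10.30.0/24 follow the original post; the wifi-data VLAN 15, the 10.10.15.0/24 subnet, the nameif values and the object-group/ACL names are assumptions.

```text
! Added example (not from the thread). Assumes the AP tags VLAN 15 (staff SSID)
! and VLAN 30 (guest SSID) on its uplink to GigabitEthernet1/8.
! A sub-interface needs a unique nameif; the names Data and voice are already
! taken by GE1/2 and GE1/3, so the Wi-Fi networks get their own names and subnets.
interface GigabitEthernet1/8
 description Trunk to VLAN-capable access point
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8.15
 vlan 15
 nameif wifi-data
 security-level 100
 ip address 10.10.15.254 255.255.255.0
!
interface GigabitEthernet1/8.30
 vlan 30
 nameif guest
 security-level 50
 ip address 10.10.30.254 255.255.255.0
!
dhcpd address 10.10.15.26-10.10.15.200 wifi-data
dhcpd dns 75.75.75.75 8.8.8.8 interface wifi-data
dhcpd enable wifi-data
!
dhcpd address 10.10.30.26-10.10.30.200 guest
dhcpd dns 75.75.75.75 8.8.8.8 interface guest
dhcpd enable guest
!
! Guest gets Internet only: deny the internal subnets, then permit the rest.
! Applied inbound on the guest sub-interface.
object-group network INTERNAL_NETS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.15.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
access-list GUEST_IN extended deny ip any object-group INTERNAL_NETS
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
!
! The existing "nat (any,outside) dynamic interface" rule on obj_any already
! translates both new sub-interfaces; no extra NAT statements are required.
```

Because the ASA routes between sub-interfaces rather than bridging them, the staff SSID lands on its own subnet (10.10.15.0/24 here) instead of sharing 10.10.10.0/24 with the wired Data switch; the wifi-data and Data interfaces both sit at security-level 100 so the existing same-security-traffic permit lets them talk.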
