ASA subinterfacing question

Unanswered Question
Sep 23rd, 2007

I am attempting to migrate from 515s to 5520s. Due to the ASA having fewer eth interfaces than the PIX, I am trying to bring two DMZs (both on 2950 switches) into a switch (also a 2950, which I'll call the "bridge") on separate VLANs, then bring them into the ASA through subinterfaces.

The problem I have is that the bridge 2950 can see the DMZ 2950's, and can see the physical interfaces on the ASA, but the real traffic is not passing from the bridge 2950 to the ASA.

If I understand correctly, the 2950 cannot do multiple VLANs with assigned addresses, but it should be able to handle them as currently configured, which is with an address assigned only to vlan1.

I have the switchports set up as trunks, with the appropriate VLANs assigned. I don't see an available command on the ASA's interface for encapsulation, and based on research, I'm assuming it defaults to dot1q.

So right now I'm not sure if this is a VLAN configuration issue, hardware limitation issue, encapsulation issue or something else entirely.

I've been looking at this a while, and may be missing something simple. Any help would be appreciated.

IGBarrere Mon, 09/24/2007 - 11:58

Yes, the ASA only supports dot1q trunking... Make sure you have a dot1q trunk running between the ASA and the 2950. At that point, you can enter subinterface config mode on the ASA (conf term->int eth0/1.19, for example), make sure you bind a vlan to the subinterface (type the command "vlan 19" to stick with the last example), give it a name (nameif vlan19), assign an ip address and it should work. Make sure the parent interface (if it's eth0/1.19, the parent would be eth0/1) is up (no shut).

msanford3755 Mon, 09/24/2007 - 18:54

Thanks for the response.

The 2950 can only do dot1q trunking, so that should match.

Here's the config for the parent and sub interfaces, w/ modified names and ip addresses:

interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3.1
 vlan 101
 nameif dmz_1
 security-level 25
 ip address x.x.x.x
interface GigabitEthernet0/3.2
 vlan 100
 nameif dmz_2
 security-level 10
 ip address x.x.x.x

So I think it is configured as you specified. Any other thoughts?
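The thread never shows the 2950 side of the trunk, and a subinterface that is correct on the ASA still passes no traffic if its VLAN is missing from the trunk's allowed list, or if it is the trunk's native VLAN (sent untagged, while an ASA subinterface only receives tagged frames). The following is an added example, not code from the thread or from Cisco: a small Python checker that parses an ASA subinterface config alongside the switch trunk port config and reports the mismatches a practitioner would look for first. Both config texts are constructed; the ASA snippet mirrors the poster's redacted one with documentation-range addresses filled in, and the switch config deliberately omits VLAN 100 from the allowed list to show a finding.

```python
"""Cross-check ASA subinterfaces against the 2950 trunk port feeding them.

Added example for this thread, not the poster's or Cisco's code. The two
config texts below are constructed: the ASA snippet mirrors the redacted one
in the post, and the switch snippet assumes a trunk that never had VLAN 100
added to its allowed list.
"""
import re
from dataclasses import dataclass
from typing import Optional

ASA_CONFIG = """\
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3.1
 vlan 101
 nameif dmz_1
 security-level 25
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/3.2
 vlan 100
 nameif dmz_2
 security-level 10
 ip address 198.51.100.1 255.255.255.0
"""

# Constructed 2950 port config for the link to the ASA (assumption).
SWITCH_CONFIG = """\
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 1,101
"""


@dataclass
class AsaInterface:
    name: str
    vlan: Optional[int] = None
    nameif: Optional[str] = None
    security_level: Optional[int] = None
    ip: Optional[str] = None
    shutdown: bool = False


def parse_asa(text: str) -> dict:
    """Return {interface name: AsaInterface} from an ASA 'show run' excerpt."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            cur = AsaInterface(s.split()[1])
            ifaces[cur.name] = cur
        elif cur is None:
            continue
        elif s.startswith("vlan "):
            cur.vlan = int(s.split()[1])
        elif s.startswith("nameif "):
            cur.nameif = s.split()[1]
        elif s.startswith("security-level "):
            cur.security_level = int(s.split()[1])
        elif s.startswith("ip address "):
            cur.ip = s[len("ip address "):]
        elif s == "shutdown":
            cur.shutdown = True
    return ifaces


def expand_vlans(spec: str) -> set:
    """Expand an IOS VLAN list such as '1,10-12,101' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk(text: str):
    """Return (mode, allowed VLAN set or None for 'all', native VLAN).

    Defaults follow IOS: access mode, all VLANs allowed, native VLAN 1.
    Only the plain list and 'all' forms of 'allowed vlan' are handled.
    """
    mode, allowed, native = "access", None, 1
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("switchport mode "):
            mode = s.split()[2]
        elif s.startswith("switchport trunk allowed vlan "):
            spec = s.split()[4]
            if spec in ("add", "remove", "except", "none"):
                raise ValueError(f"unsupported allowed-vlan form: {s}")
            allowed = None if spec == "all" else expand_vlans(spec)
        elif s.startswith("switchport trunk native vlan "):
            native = int(s.split()[4])
    return mode, allowed, native


def check(asa_text: str, switch_text: str) -> list:
    """List the reasons a subinterface would not pass traffic over the trunk."""
    ifaces = parse_asa(asa_text)
    mode, allowed, native = parse_trunk(switch_text)
    findings = []
    if mode != "trunk":
        findings.append("switch port is not in trunk mode")
    for name, sub in ifaces.items():
        if "." not in name:          # physical interface, not a subinterface
            continue
        parent = ifaces.get(name.split(".")[0])
        if parent is None:
            findings.append(f"{name}: parent interface missing from config")
        elif parent.shutdown:
            findings.append(f"{name}: parent {parent.name} is shut down")
        for attr in ("vlan", "nameif", "ip"):
            if getattr(sub, attr) is None:
                findings.append(f"{name}: missing {attr}")
        if sub.vlan is None:
            continue
        if allowed is not None and sub.vlan not in allowed:
            findings.append(f"{name}: VLAN {sub.vlan} is not allowed on the trunk")
        if sub.vlan == native:
            findings.append(f"{name}: VLAN {sub.vlan} is the trunk's native VLAN "
                            "(sent untagged), but a subinterface only receives tagged frames")
    return findings


if __name__ == "__main__":
    for finding in check(ASA_CONFIG, SWITCH_CONFIG) or ["no mismatches found"]:
        print(finding)
```

With the constructed inputs the checker reports only that VLAN 100 is missing from the trunk's allowed list; adding it clears the finding. Binding a subinterface to the trunk's native VLAN is flagged separately because the ASA will never see those frames tagged, which is the other common cause of the "switch sees the ASA, traffic still doesn't pass" symptom described in the question.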

