09-23-2007 07:33 PM - edited 03-11-2019 04:15 AM
I am attempting to migrate from 515s to 5520s. Due to the ASA having fewer Ethernet interfaces than the PIX, I am trying to bring two DMZs (both on 2950 switches) in to a switch (also a 2950, which I'll call the "bridge") on separate VLANs, then bring them into the ASA through subinterfaces.
The problem I have is that the bridge 2950 can see the DMZ 2950's, and can see the physical interfaces on the ASA, but the real traffic is not passing from the bridge 2950 to the ASA.
If I understand correctly, the 2950 cannot do multiple VLANs with assigned addresses, but it should be able to handle them as currently configured, which is with an address assigned only to vlan1.
I have the switchports set up as trunks, with the appropriate VLANs assigned. I don't see an available command on the ASA's interface for encapsulation, and based on research, I'm assuming it defaults to dot1q.
So right now I'm not sure if this is a VLAN configuration issue, hardware limitation issue, encapsulation issue or something else entirely.
I've been looking at this a while, and may be missing something simple. Any help would be appreciated.
09-24-2007 11:58 AM
Yes, the ASA only supports dot1q trunking... Make sure you have a dot1q trunk running between the ASA and the 2950. At that point, you can enter subinterface config mode on the ASA (conf term -> int eth0/1.19, for example), make sure you bind a VLAN to the subinterface (type the command "vlan 19" to stick with the last example), give it a name (nameif vlan19), assign an IP address and it should work. Make sure the parent interface (if it's eth0/1.19, the parent would be eth0/1) is up (no shut).
09-24-2007 06:54 PM
Thanks for the response.
The 2950 can only do dot1q trunking, so that should match.
Here's the config for the parent and sub interfaces, with modified names and IP addresses:

interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3.1
 vlan 101
 nameif dmz_1
 security-level 25
 ip address x.x.x.x 255.255.0.0
!
interface GigabitEthernet0/3.2
 vlan 100
 nameif dmz_2
 security-level 10
 ip address x.x.x.x 255.255.0.0
So I think it is configured as you specified. Any other thoughts?
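As an added example (not from either poster), here is a matching pair of configurations for the bridge 2950's uplink trunk and the ASA subinterfaces described in the thread, using the VLAN ids 100 and 101 from the posted config; the switch port number, the native VLAN id and the IP addresses are constructed placeholders.

```cisco
! --- Bridge 2950 (constructed example; port number and addresses are assumptions) ---
! The VLANs must exist on the switch before a trunk will carry them.
vlan 100
 name dmz_2
vlan 101
 name dmz_1
!
! Uplink to the ASA. The 2950 only speaks 802.1Q, so there is no
! "switchport trunk encapsulation" command on this platform.
interface FastEthernet0/24
 description trunk to ASA Gi0/3
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 100,101
 ! Park the native VLAN on an unused id so no DMZ traffic crosses untagged;
 ! ASA subinterfaces only accept tagged frames for their bound VLAN.
 switchport trunk native vlan 999
!
! --- ASA 5520 (constructed example) ---
! The parent carries no IP configuration but must be up, or the
! subinterfaces beneath it will never pass traffic.
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/3.1
 vlan 101
 nameif dmz_1
 security-level 25
 ip address 10.101.0.1 255.255.0.0
!
interface GigabitEthernet0/3.2
 vlan 100
 nameif dmz_2
 security-level 10
 ip address 10.100.0.1 255.255.0.0
```

On the 2950, `show vlan brief` should list 100 and 101 as active and `show interfaces trunk` should show both in the "allowed and active" set for the uplink; on the ASA, `show interface GigabitEthernet0/3.1` should report the subinterface up with its VLAN, and `show arp` should start populating once a DMZ host sends traffic.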