12-10-2007 11:54 PM - edited 02-21-2020 01:49 AM
Does ASA support multinetting?
Thanks
12-11-2007 10:13 AM
What's multinetting?
12-18-2007 06:44 AM
Sorry for the late reply. The CSS11500 supports firewall load balancing (FWLB), and in one of the modes it seems like the firewall should support multinetting (multiple IP addresses).
12-11-2007 01:12 PM
Multinetting?
Sounds like you might be talking about ...
- Variable-length subnet masking (VLSM)
- Classless Inter-Domain Routing (CIDR)
- routing prefix aggregation (also known as "supernetting" or "route summarization")
12-11-2007 01:15 PM
He's probably talking about...
http://www.syngress.com/book_catalog/69_ipad/69_ipad_ce_01.htm#_Toc471028305
12-11-2007 01:18 PM
Geez Adam I hope you knew that off the top of your head :-)
Celso, I have never tried it, but I'm pretty sure you cannot assign multiple IPs to a single interface.
12-11-2007 01:25 PM
Haha, Google is my friend.
12-11-2007 01:31 PM
This is correct; however, the only way I see this being possible, looking at Adam's link, is if you were to use 802.1q and subinterfaces in ASA 7.x, each sub with the same security level.
Rgds
Jorge
12-11-2007 01:46 PM
OK, but what about routing? How can you control which interface the traffic leaves on? Assuming you care about that.
12-11-2007 02:22 PM
What do you mean by routing? You can route between same-security interfaces without issues; subinterfaces are routed interfaces, are they not? Perhaps I don't understand what you meant when you said "what about routing"?
Rgds
Jorge
12-18-2007 06:56 AM
Check this link, on page 107:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/security/guide/Security.pdf
12-11-2007 01:42 PM
Ahh ... yes, use multiple VLANs to segment up a single interface. We have several ASA 5520s running that configuration.
Sample of such. Notice that you can assign different security levels.
interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif SUB-DMZ
 security-level 60
 no ip address
!
interface GigabitEthernet0/2.2114
 description Citrix
 vlan 2114
 nameif SUB_Citrix
 security-level 75
 ip address 172.17.122.x 255.255.255.x
!
interface GigabitEthernet0/2.2126
 description Secure Email Sub DMZ
 vlan 2126
 nameif SUB_SEC_EMAIL
 security-level 75
 ip address 172.17.123.x 255.255.255.x
12-11-2007 02:13 PM
Marc, using your config and Adam's example link, the scenario of multiple IPs per interface could be accomplished this way.
interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif NET
 security-level 75
 no ip address
!
interface GigabitEthernet0/2.183
 description Network 183.55.2.0
 vlan 183
 nameif NET183
 security-level 75
 ip address 183.55.2.77 255.255.255.0
!
interface GigabitEthernet0/2.204
 description Network 204.238.7.0
 vlan 204
 nameif NET204
 security-level 75
 ip address 204.238.7.22 255.255.255.0
!
interface GigabitEthernet0/2.88
 description Network 88.127.6.0
 vlan 88
 nameif NET88
 security-level 75
 ip address 88.127.6.209 255.255.255.0
Use the same-security-traffic permit inter-interface command to pass traffic between these nets without the use of ACLs.
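An added example, not written by any poster in this thread: a small Python check that reads ASA interface blocks like the ones above and reports, for each interface pair, what the firewall passes by default with no ACL applied, which shows what `same-security-traffic permit inter-interface` changes. The sample config, the `DMZ_LOW` interface and the function names are constructed for illustration, and ACLs and NAT are ignored.

```python
import re
from itertools import combinations

# Constructed sample modelled on the thread's configs (not a real device);
# DMZ_LOW is a hypothetical lower-security subinterface added for contrast.
SAMPLE = """\
interface GigabitEthernet0/2.183
 nameif NET183
 security-level 75
!
interface GigabitEthernet0/2.204
 nameif NET204
 security-level 75
!
interface GigabitEthernet0/2.300
 nameif DMZ_LOW
 security-level 60
"""

def parse_interfaces(config):
    """Return {nameif: security_level} for every named interface block."""
    levels, name, level = {}, None, None
    for line in config.splitlines() + ["!"]:
        line = line.strip()
        if line.startswith("interface ") or line == "!":
            if name is not None and level is not None:
                levels[name] = level
            name, level = None, None
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif m := re.fullmatch(r"security-level (\d+)", line):
            level = int(m.group(1))
    return levels

def default_flows(config):
    """Classify each interface pair by what the ASA allows with no ACL applied."""
    inter = bool(re.search(r"^same-security-traffic permit inter-interface\s*$", config, re.M))
    flows = {}
    for (a, la), (b, lb) in combinations(sorted(parse_interfaces(config).items()), 2):
        if la == lb:  # same level: dropped unless the global command is present
            flows[(a, b)] = "both ways, no ACL" if inter else "blocked"
        else:  # only connections initiated from the higher level pass by default
            hi, lo = (a, b) if la > lb else (b, a)
            flows[(a, b)] = f"{hi} -> {lo} only"
    return flows

if __name__ == "__main__":
    for pair, verdict in default_flows(SAMPLE).items():
        print(pair, verdict)
```

Pairs reported as "both ways, no ACL" are the ones to review: with the command enabled, every subinterface that shares a security level can reach the others unless an ACL is applied to restrict it.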