multinetting on asa

cfajardo1_2
Level 1

Does the ASA support multinetting?

Thanks

12 Replies

Collin Clark
VIP Alumni

What's multinetting?

Sorry for the late reply. The CSS11500 supports firewall load balancing (FWLB), and in one of the modes it seems like the firewall should support multinetting (multiple IP addresses).

maratkinson
Level 1

Multinetting?

Sounds like you might be talking about ...

- VLSM variable-length subnet masking

- Classless Inter-Domain Routing (CIDR)

- routing prefix aggregation (also known as "supernetting" or "route summarization")

http://en.wikipedia.org/wiki/VLSM

Geez Adam I hope you knew that off the top of your head :-)

Celso, I have never tried it, but I'm pretty sure you cannot assign multiple IPs to a single interface.

Haha, google is my friend.

This is correct; however, the only way I see this being possible, looking at Adam's link, is if you were to use 802.1Q subinterfaces in ASA 7.x, each sub with the same security level.

Rgds

Jorge

Jorge Rodriguez

OK, but what about routing? How can you control which interface the traffic leaves on? Assuming you care about that.

What do you mean by routing? You can route between same-security interfaces without issues; subinterfaces are routed interfaces, are they not? Perhaps I don't understand you when you said "what about routing"?

Rgds

Jorge

Jorge Rodriguez

Check this link on page 107:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/security/guide/Security.pdf

maratkinson
Level 1

Ahh ... yes, use multiple VLANs to segment up a single interface. We have several ASA 5520s running that configuration.

Sample of such (notice that you can assign different security levels):

interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif SUB-DMZ
 security-level 60
 no ip address
!
interface GigabitEthernet0/2.2114
 description Citrix
 vlan 2114
 nameif SUB_Citrix
 security-level 75
 ip address 172.17.122.x 255.255.255.x
!
interface GigabitEthernet0/2.2126
 description Secure Email Sub DMZ
 vlan 2126
 nameif SUB_SEC_EMAIL
 security-level 75
 ip address 172.17.123.x 255.255.255.x

Marc, using your config and Adam's example link, the scenario of multiple IPs per interface could be accomplished this way.

interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif NET
 security-level 75
 no ip address
!
interface GigabitEthernet0/2.183
 description Network 183.55.2.0
 vlan 183
 nameif NET183
 security-level 75
 ip address 183.55.2.77 255.255.255.0
!
interface GigabitEthernet0/2.204
 description Network 204.238.7.0
 vlan 204
 nameif NET204
 security-level 75
 ip address 204.238.7.22 255.255.255.0
!
interface GigabitEthernet0/2.88
 description Network 88.127.6.0
 vlan 88
 nameif NET88
 security-level 75
 ip address 88.127.6.209 255.255.255.0

Use the same-security-traffic permit inter-interface command to pass traffic between these nets without the use of ACLs.

Jorge Rodriguez
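As an added illustration (this is not code from the thread, from Cisco, or from either poster), the Python script below lints an ASA configuration laid out the way the two posts above describe: one physical port carrying several 802.1Q subinterfaces, one subnet each, at the same security level. It parses the interface stanzas and flags what a practitioner would check before trusting the layout: a subinterface missing its vlan, nameif, security-level or ip address; a VLAN tag or nameif used twice on the same port; overlapping subnets; and two named interfaces at the same security level with no same-security-traffic permit inter-interface line, in which case the ASA will not forward traffic between them. The "good" sample is constructed from the config in the last post plus the permit line it recommends; the "bad" sample is a constructed negative case with three of those mistakes introduced on purpose.

```python
"""Lint an ASA 'multinetting' layout: one physical port carrying several
802.1Q subinterfaces, one subnet each, all at the same security level."""
import ipaddress
import itertools

# Constructed sample: the subinterface layout from the post plus the
# same-security-traffic line it recommends.
GOOD_CONFIG = """\
same-security-traffic permit inter-interface
interface GigabitEthernet0/2
 nameif NET
 security-level 75
 no ip address
!
interface GigabitEthernet0/2.183
 description Network 183.55.2.0
 vlan 183
 nameif NET183
 security-level 75
 ip address 183.55.2.77 255.255.255.0
!
interface GigabitEthernet0/2.204
 description Network 204.238.7.0
 vlan 204
 nameif NET204
 security-level 75
 ip address 204.238.7.22 255.255.255.0
!
interface GigabitEthernet0/2.88
 description Network 88.127.6.0
 vlan 88
 nameif NET88
 security-level 75
 ip address 88.127.6.209 255.255.255.0
"""

# Constructed negative sample: the permit line is dropped, VLAN 183 is tagged
# twice on the same port, and NET88 is given an address inside NET183's subnet.
BAD_CONFIG = (GOOD_CONFIG
              .replace("same-security-traffic permit inter-interface\n", "")
              .replace("vlan 204", "vlan 183")
              .replace("88.127.6.209 255.255.255.0", "183.55.2.80 255.255.255.0"))


def parse_interfaces(config):
    """Map each 'interface X' stanza to its vlan, nameif, security level and
    subnet (an ipaddress network); a field stays None when the stanza lacks it."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"vlan": None, "nameif": None,
                           "security_level": None, "subnet": None}
        elif cur is None or line == "!":
            cur = None                       # '!' closes the stanza; global lines are skipped
        elif line.startswith("vlan "):
            ifaces[cur]["vlan"] = int(line.split()[1])
        elif line.startswith("nameif "):
            ifaces[cur]["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            ifaces[cur]["security_level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            addr, mask = line.split()[2:4]   # 'no ip address' never reaches here
            ifaces[cur]["subnet"] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return ifaces


def check_multinet(config):
    """Return a sorted list of findings; an empty list means the layout is sane."""
    ifaces = parse_interfaces(config)
    subs = {n: d for n, d in ifaces.items() if "." in n}      # 802.1Q subinterfaces
    findings = []
    for name, d in subs.items():
        findings += [f"{name}: missing {k}" for k, v in d.items() if v is None]
    for (na, da), (nb, db) in itertools.combinations(subs.items(), 2):
        same_port = na.split(".")[0] == nb.split(".")[0]
        if same_port and da["vlan"] is not None and da["vlan"] == db["vlan"]:
            findings.append(f"{na} and {nb}: duplicate vlan {da['vlan']}")
        if da["nameif"] is not None and da["nameif"] == db["nameif"]:
            findings.append(f"{na} and {nb}: duplicate nameif {da['nameif']}")
        if (da["subnet"] is not None and db["subnet"] is not None
                and da["subnet"].overlaps(db["subnet"])):
            findings.append(f"{na} and {nb}: overlapping subnets "
                            f"{da['subnet']} / {db['subnet']}")
    # The ASA does not forward traffic between two interfaces at the same
    # security level unless 'same-security-traffic permit inter-interface' is set.
    levels = [d["security_level"] for d in ifaces.values()
              if d["nameif"] and d["security_level"] is not None]
    shared = sorted({lvl for lvl in levels if levels.count(lvl) > 1})
    permit = any(l.strip() == "same-security-traffic permit inter-interface"
                 for l in config.splitlines())
    if shared and not permit:
        findings.append("same-security-traffic permit inter-interface missing: "
                        f"interfaces at security level(s) {shared} cannot reach each other")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_multinet(cfg) or "OK")
```

Paste the output of show running-config interface into GOOD_CONFIG's place to run it against a real box; the parser only looks at the interface stanzas and the one global permit line, so the rest of the config can be left in.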