Access-list on Sub Interfaces in ASA

csaravanan (Level 1)

Hi All,

I have to create 8 different VLANS and have only 2 Interfaces left to play with.

So I am planning to subinterface the existing Gi Interface and assign each sub interface to the VLANS.

I am wondering how I would create an access-list for each sub interface. Will the newly created sub-interface be visible in ASDM under ALL interfaces?

Please let me know.

5 Replies

JORGE RODRIGUEZ (Level 10)

Chandhrasekar,

I gave an example config including a couple of links to someone a few days ago on this. To answer your question: configure the subinterfaces in the CLI, it is much easier, and yes, you should be able to see the subinterfaces in ASDM. If you will be using different security levels on the subinterfaces, the access-list and NAT control will function the same way as you are used to with normal dedicated interfaces.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbf5ff2/0#selected_message

Rgds

Jorge

Jorge Rodriguez
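As an added illustration of the subinterface-plus-ACL approach Jorge describes (this is example config written for this thread, not Jorge's own or Cisco's), here is ASA 8.0-style CLI for two of the eight VLANs, each with its own inbound ACL; the VLAN IDs, interface names, security levels and 10.10.x.x addresses are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): ASA 8.0-style config carving two of the
! eight VLANs out of one physical port, each with its own inbound ACL.
! VLAN IDs, names, security levels and addresses are assumptions.
!
! The physical interface only carries the 802.1Q trunk; it gets no nameif/IP.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 60
 ip address 10.10.20.1 255.255.255.0
!
! users (50) -> servers (60) is lower-to-higher, so it is denied unless an ACL
! permits it. Allow HTTPS and DNS only, drop and log the rest. The ACL binds to
! the subinterface with access-group exactly as on a dedicated interface.
access-list USERS_IN extended permit tcp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 eq 443
access-list USERS_IN extended permit udp 10.10.10.0 255.255.255.0 host 10.10.20.53 eq domain
access-list USERS_IN extended deny ip any any log
access-group USERS_IN in interface users
!
! servers (60) -> users (50) would be allowed by default (higher-to-lower), so
! deny it explicitly; replies to user sessions still pass via the state table.
access-list SERVERS_IN extended deny ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0 log
access-list SERVERS_IN extended permit ip 10.10.20.0 255.255.255.0 any
access-group SERVERS_IN in interface servers
!
! If nat-control is enabled, traffic leaving a higher-security interface for a
! lower one must match a NAT rule; a nat 0 exemption keeps the private
! addressing intact between the two internal VLANs (it applies both ways).
access-list NONAT extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (servers) 0 access-list NONAT
```

Without nat-control (the default on 7.0 and later) the last two lines are unnecessary, but the ACL and access-group lines are the same either way.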

Thank you Jorge. Your answer gave me quite a bit of info on subinterfaces.

I have a Layer 3 switch connected to my ASA Gigabit interface. I am wondering where I can have routing for the VLANs.

I prefer the Layer 3 switch, but I believe it should only be in the ASA as the router-on-a-stick module.

Please let me know how to approach this.

thanks,

Chandru

Chandru, it all depends on how you want to approach the design. In most cases, folks that do not have multilayer switches use the subinterfaces on the ASA to do the intervlan routing, but that will require more configuration on the firewall such as NO NAT control or NAT control etc., so if you want to have all your internal subnets free of ACLs, use the multilayer switches. As you also prefer, I would definitely use the switches to do your intervlan routing: create your SVIs on the switches and have the firewall do the security. You could implement OSPF on the ASA inside interface and have the multilayer switch be an OSPF neighbor of the ASA; thus the firewall will learn all internal VLANs from the switch as well as inject a default route from ASA OSPF. If no OSPF, you could simply define a default route on the switch pointing to the ASA inside interface, and from the ASA a static default route to your ISP router. In the event that you would need DMZ subnets, you could place a layer 2 switch and then use subinterfaces off the leftover interface; this way you could have the DMZ segregated from the private network.

Rgds

Jorge

Jorge Rodriguez
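To show the alternative design Jorge outlines above (switch SVIs plus a static default route, no OSPF), here is an added example written for this thread, not Jorge's or Cisco's config; VLAN IDs, the transit VLAN, interface names and all addresses (including the 203.0.113.1 ISP next hop) are assumptions.

```cisco
! Added example (not from the thread): the multilayer switch does the
! inter-VLAN routing and the ASA only secures the edge. All names, VLAN IDs
! and addresses are assumptions chosen for illustration.
!
! --- Multilayer switch (IOS) ---
ip routing
!
! Inter-VLAN filtering has to live here: users->servers traffic is routed
! between Vlan10 and Vlan20 by the switch and never reaches the firewall.
ip access-list extended USERS_TO_SERVERS
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip  any any
!
interface Vlan10
 description users
 ip address 10.10.10.1 255.255.255.0
 ip access-group USERS_TO_SERVERS in
!
interface Vlan20
 description servers
 ip address 10.10.20.1 255.255.255.0
!
! Transit VLAN toward the ASA inside interface
interface Vlan100
 description to-asa-inside
 ip address 10.10.100.2 255.255.255.0
!
! Anything not in the switch routing table (Internet-bound) goes to the ASA.
ip route 0.0.0.0 0.0.0.0 10.10.100.1
!
! --- ASA ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
! The ASA must know the internal subnets sit behind the switch (or learn them
! via OSPF with the switch as neighbor, as Jorge mentions), else return
! traffic from the Internet has no route back.
route inside 10.10.10.0 255.255.255.0 10.10.100.2
route inside 10.10.20.0 255.255.255.0 10.10.100.2
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Compared with ASA subinterfaces, the firewall here sees only one inside interface, so any ACL applied to it covers traffic leaving the site, not traffic between VLANs.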

Jorge,

Thanks for your response. I will need to have firewall ACLs between VLANs in my internal network. Please verify that in that case I should use only the Layer 2 switch functionality (of course I have Layer 3; if we use SVIs and enable routing, then the intervlan communication will not be through the firewall ACLs, right?).

Also, you were talking about routing in the ASA requiring extra configuration like NO NAT control and NAT control. Could you point me to documentation which explains how to perform this?

Thanks,

Chandru

Chandru, as I said before, it all depends on what your requirements are between VLANs. If you want to have full ACL control between VLANs from a central point, then I would recommend using ASA subinterfaces and using the switch as a layer 2 device only.

I do not want to rule out the use of ACLs on the layer 3 switch, as it is also possible, but it all depends on how comfortable you are implementing ACLs to control traffic between VLANs from the switch itself and not the firewall.

If you use the switch for your intervlan routing, IP communication between VLANs will be handled by the layer 3 switch and not the firewall. If your requirement is to have 8 VLANs, for example, and control the traffic between them by means of ACLs, have the firewall do the job; thus you will have a central point of access control list implementation and easy administration of ACLs from the ASA firewall.

As for NAT, go over this link carefully to understand the use of NO NAT or NAT control between interfaces or subinterfaces in the ASA.

I think this link will give you a very good global picture with some examples of NATing.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml#backinfo

Rgds

Jorge

Jorge Rodriguez