
Two IPs on Interface ASA

Tauer Drumond
Level 1

Hi.. I really need help. I have an ASA 5540 and I need to configure its outside interface to communicate with two different routers with IP addresses 200.184.x.x and 172.16.x.x. The ASA outside interface is plugged into a HUB and the routers too. The ASA outside IP is 200.184.x.x and I need to make it communicate with the other router, 172.16.x.x. Please, how can I do that?

11 Replies 11

francisco_1
Level 7

Unless you create a logical interface under your outside physical interface.

To create subinterfaces on an appliance, you can use the interface command followed by the interface name and the subinterface number, as shown in the following syntax:

interface physical_interface.subinterface

Here, physical_interface is the actual physical interface and subinterface is an integer between 1 and 4,294,967,295. Example 4-13 demonstrates how to create a subinterface 300 on GigabitEthernet0/0.

Example 4-13. Creating a Subinterface

Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300

Once you have created a subinterface, the next step is to associate the interface with a unique VLAN identity. Assign a VLAN ID by using the vlan subinterface configuration command followed by the actual VLAN ID, which ranges between 1 and 4096. In Example 4-14, the administrator has linked GigabitEthernet0/0.300 to vlan 300. Although the subinterface number and the VLAN ID do not have to match, it is a good practice to use the same number for ease of management.

Example 4-14. Associating a VLAN ID to a Subinterface

Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
Chicago(config-if)# vlan 300

Caution

If the main physical interface is shut down, all the associated subinterfaces are disabled as well.

The subinterface is configured identically to a physical interface, using the nameif, security-level, and ip address commands. It does not, however, allow the use of speed and duplex commands, discussed in the previous section. Example 4-15 shows a subinterface GigabitEthernet0/0.300 configuration that is set up as a DMZ interface with the security level 30 and an IP address of 192.168.20.1/24 in VLAN 300.

Example 4-15. Configuring Subinterface Parameters

Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
Chicago(config-if)# vlan 300
Chicago(config-if)# nameif DMZ
Chicago(config-if)# security-level 30
Chicago(config-if)# ip address 192.168.20.1 255.255.255.0

Note

Even after creating the subinterfaces, a security appliance can still pass untagged traffic over the physical interface if the nameif, security-level, and ip address commands are configured.

OK, but I did it and I still can't ping the router interface 172.16.x.x and the ASA doesn't show me any log error. I think it's because I'm setting a VLAN ID on the subinterface. My interface configurations are:

interface GigabitEthernet0/1
 nameif WAN
 security-level 0
 ip address 200.184.0.1 255.255.255.0

interface GigabitEthernet0/1.1
 vlan 1
 nameif CLIENT
 security-level 0
 ip address 172.16.0.1 255.255.255.0

See the attachment too.

Please help me

Thanks

"The ASA outside interface is plugged on a HUB and the routers too. "

This will NOT work unless you connect the ASA into a switch that is capable of doing 802.1Q. I guess whoever gave you this advice did not read the thread carefully.

If you want this to work and you do NOT have a switch, replace the ASA with either another router or a Nokia appliance running Check Point and it will work. Routers and Nokia appliances have the ability to do secondary IP addresses.

CCIE Security

OK. Now I have a 2950 switch between the ASA and the routers. The ASA is on port 1, the router with IP 200.184.x.x on port 2 and the other router with IP 172.16.x.x on port 3.

The 2950 configuration is:

interface FastEthernet0/1
 description *connected to ASA*

interface FastEthernet0/2
 description INTERNET

interface FastEthernet0/3
 description CLIENT

What should I do to make it work?

Thanks

interface GigabitEthernet0/1
 switchport mode trunk
 switch trunk native vlan 1
 switch trunk allowed vlan all
 speed 100
 duplex full

interface F0/2
 switch mode access
 switch access vlan 1
 speed auto
 dup auto
 no shut
 spanning-tree portfast

interface F0/3
 switch mode access
 switch access vlan 2
 speed auto
 dup auto
 no shut
 spanning-tree portfast

Now set up your ASA device as you did before; the ASA should be able to communicate with the routers.

CCIE Security

Should I do some configuration at Subinterface0/1.1?

You don't need to change anything on your subinterface. I don't think I took into consideration that you are using a hub. Sorry, my mistake. Your physical interface on the ASA should be connected to your switch trunk interface Fa0/1 like you mentioned above and the router interface on Fa0/2.

Note

Even after creating the subinterfaces, a security appliance can still pass untagged traffic over the physical interface if the nameif, security-level, and ip address commands are configured.

Have tested it in a lab properly. The config below is what I used.

#Create a vlan 2

interface GigabitEthernet0/1
 des ASA Int Gi0/0
 switchport mode trunk
 no shut

interface F0/2
 Router
 switch mode access
 switch access vlan 2
 spanning-tree portfast

My ASA 172.16.0.1 (subinterface) can ping router 172.16.0.2 on Fa0/1 in vlan 2.

The only thing I needed to do was create a VLAN 2 on the 2950 and put the interface gig 0/1 in mode trunk and interface fa0/2 on vlan 2.

Now, everything is working FINE

Thank you

happy to help.

Please use the rate section to rate the discussion.

Franco

HI CISCO24x7

Now, it's working FINE. Many many thanks.

See ya
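
The failure and fix discussed in this thread can be checked mechanically. The following is an added example, not code from any poster or from Cisco: a small Python check that compares the VLAN on each ASA subinterface with the switch's trunk native VLAN and access ports. The configs are constructed from the thread's snippets, and `ASA_FIXED` assumes the subinterface was moved to VLAN 2, which the thread implies but does not show.

```python
import re

# Constructed configs modelled on the thread. ASA_FIXED assumes the subinterface
# was moved to VLAN 2, which the thread implies but never shows.
ASA_BROKEN = """\
interface GigabitEthernet0/1
 nameif WAN
interface GigabitEthernet0/1.1
 vlan 1
 nameif CLIENT"""
ASA_FIXED = ASA_BROKEN.replace("0/1.1", "0/1.2").replace("vlan 1", "vlan 2")
SWITCH = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface FastEthernet0/2
 switchport access vlan 1
interface FastEthernet0/3
 switchport access vlan 2"""

def stanzas(cfg):  # split a config into {interface name: [sub-commands]}
    out, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = out.setdefault(m.group(1), [])
        elif cur is not None and line.strip():
            cur.append(line.strip())
    return out

def vlan_ids(cmds, prefix):  # VLAN IDs from the commands that start with prefix
    return {int(c.split()[-1]) for c in cmds if c.startswith(prefix)}

def check(asa_cfg, switch_cfg):
    """Reasons an ASA subinterface would not see traffic for its VLAN."""
    sw = [c for cmds in stanzas(switch_cfg).values() for c in cmds]
    native = vlan_ids(sw, "switchport trunk native vlan") or {1}  # IOS default
    access = vlan_ids(sw, "switchport access vlan")
    problems = []
    for name, cmds in stanzas(asa_cfg).items():
        if "." not in name:
            continue  # physical interface: untagged traffic only
        tag = vlan_ids(cmds, "vlan ")
        if not tag:
            problems.append(f"{name}: no vlan assigned")
        elif tag & native:
            problems.append(f"{name}: VLAN is the trunk's native VLAN (sent untagged)")
        elif not tag & access:
            problems.append(f"{name}: no switch access port in this VLAN")
    return problems
```

`check(ASA_BROKEN, SWITCH)` flags the original `vlan 1` subinterface because the switch sends its native VLAN untagged, so those frames arrive on the physical interface instead; `check(ASA_FIXED, SWITCH)` returns an empty list.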
