03-26-2008 01:57 PM - edited 03-11-2019 05:22 AM
Hi, I really need help. I have an ASA 5540 and I need to configure its outside interface to communicate with two different routers with IP addresses 200.184.x.x and 172.16.x.x. The ASA outside interface is plugged into a hub and the routers are too. The ASA outside IP is 200.184.x.x and I need to make it communicate with the other router, 172.16.x.x. Please, how can I do that?
03-27-2008 02:31 AM
Unless you create a logical interface under your outside physical interface.
03-27-2008 02:35 AM
To create subinterfaces on an appliance, you can use the interface command followed by the interface name and the subinterface number, as shown in the following syntax:
interface physical_interface.subinterface
Here, physical_interface is the actual physical interface and subinterface is an integer between 1 and 4,294,967,295. Example 4-13 demonstrates how to create a subinterface 300 on GigabitEthernet0/0.
Example 4-13. Creating a Subinterface
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
Once you have created a subinterface, the next step is to associate the interface with a unique VLAN identity. Assign a VLAN ID by using the vlan subinterface configuration command followed by the actual VLAN ID, which ranges between 1 and 4096. In Example 4-14, the administrator has linked GigabitEthernet0/0.300 to vlan 300. Although the subinterface number and the VLAN ID do not have to match, it is a good practice to use the same number for ease of management.
Example 4-14. Associating a VLAN ID to a Subinterface
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
Chicago(config-if)# vlan 300
Caution
If the main physical interface is shut down, all the associated subinterfaces are disabled as well.
The subinterface is configured identically to a physical interface, using the nameif, security-level, and ip address commands. It does not, however, allow the use of speed and duplex commands, discussed in the previous section. Example 4-15 shows a subinterface GigabitEthernet0/0.300 configuration that is set up as a DMZ interface with the security level 30 and an IP address of 192.168.20.1/24 in VLAN 300.
Example 4-15. Configuring Subinterface Parameters
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
Chicago(config-if)# vlan 300
Chicago(config-if)# nameif DMZ
Chicago(config-if)# security-level 30
Chicago(config-if)# ip address 192.168.20.1 255.255.255.0
Note
Even after creating the subinterfaces, a security appliance can still pass untagged traffic over the physical interface if the nameif, security-level, and ip address commands are configured.
03-27-2008 04:43 AM
OK, but I did it and I still can't ping the router interface 172.16.x.x, and the ASA doesn't show me any log error. I think it's because I'm setting a VLAN ID on the subinterface. My interface configurations are:
interface GigabitEthernet0/1
nameif WAN
security-level 0
ip address 200.184.0.1 255.255.255.0
interface GigabitEthernet0/1.1
vlan 1
nameif CLIENT
security-level 0
ip address 172.16.0.1 255.255.255.0
See the attachment too.
Please help me
Thanks
03-27-2008 07:38 AM
"The ASA outside interface is plugged on a HUB and the routers too."
This will NOT work unless you connect the ASA to a switch that is capable of doing 802.1Q. I guess whoever gave you this advice did not read the thread carefully.
If you want this to work and you do NOT have a switch, replace the ASA with either another router or a Nokia appliance running Check Point and it will work. Routers and Nokia appliances have the ability to do secondary IP addresses.
CCIE Security
03-27-2008 07:47 AM
OK. Now I have a 2950 switch between the ASA and the routers. The ASA is on port 1, the router with IP 200.184.x.x on port 2 and the other router with IP 172.16.x.x on port 3.
The 2950 configuration is:
interface FastEthernet0/1
description *connected to ASA*
interface FastEthernet0/2
description INTERNET
interface FastEthernet0/3
description CLIENT
What should I do to make it work?
Thanks
03-27-2008 08:28 AM
interface GigabitEthernet0/1
 ! trunk port facing the ASA
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan all
 speed 100
 duplex full
interface FastEthernet0/2
 ! INTERNET router
 switchport mode access
 switchport access vlan 1
 speed auto
 duplex auto
 no shutdown
 spanning-tree portfast
interface FastEthernet0/3
 ! CLIENT router
 switchport mode access
 switchport access vlan 2
 speed auto
 duplex auto
 no shutdown
 spanning-tree portfast
Now set up your ASA device as you did before; the ASA should be able to communicate with the routers.
CCIE Security
03-27-2008 10:21 AM
Should I do some configuration at Subinterface0/1.1?
03-27-2008 12:28 PM
You don't need to change anything on your subinterface. I don't think I took into consideration that you are using a hub. Sorry, my mistake. Your physical interface on the ASA should be connected to your switch trunk interface Fa0/1, as you mentioned above, and the router interface to Fa0/2.
Note
Even after creating the subinterfaces, a security appliance can still pass untagged traffic over the physical interface if the nameif, security-level, and ip address commands are configured.
I have tested it properly in a lab. The config below is what I used.
! Create VLAN 2 first
interface GigabitEthernet0/1
 description ASA Int Gi0/0
 switchport mode trunk
 no shutdown
interface FastEthernet0/2
 description Router
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
My ASA 172.16.0.1 (subinterface) can ping router 172.16.0.2 on Fa0/1 in VLAN 2.
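An added cross-check, my own script rather than code from this thread or from Cisco: it parses ASA interface blocks and 2950 switchport blocks in the form they appear above and reports the mismatch the original poster ran into, a subinterface tagged for the VLAN that the trunk sends untagged as its native VLAN, as well as a non-trunk (hub-like) ASA port and access ports whose VLAN no ASA interface serves. The sample configs are constructed from the ones posted above (ASA on Fa0/1 per the original poster's layout); the function names are mine.

```python
import re

# Constructed sample configs, modelled on the ones posted in this thread (not the
# posters' exact text). In the broken plan the ASA subinterface is tagged for VLAN 1,
# which is also the native (untagged) VLAN on the switch trunk the ASA hangs off.
ASA_CONFIG_BROKEN = """\
interface GigabitEthernet0/1
 nameif WAN
 security-level 0
 ip address 200.184.0.1 255.255.255.0
interface GigabitEthernet0/1.1
 vlan 1
 nameif CLIENT
 security-level 0
 ip address 172.16.0.1 255.255.255.0
"""
# The fix the thread converged on: CLIENT subinterface moved to VLAN 2, carried tagged.
ASA_CONFIG_FIXED = ASA_CONFIG_BROKEN.replace(" vlan 1\n", " vlan 2\n")

SWITCH_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan all
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 1
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 2
"""

def parse_blocks(cfg):
    """Split an IOS/ASA-style config into {interface name: [stripped body lines]}."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S+)$", line, re.I)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10-12' to a set; 'all' returns None."""
    if spec.strip().lower() == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def asa_subinterfaces(cfg):
    """Map each ASA subinterface (name contains '.') to the 802.1Q VLAN it is tagged for."""
    subs = {}
    for name, lines in parse_blocks(cfg).items():
        for line in lines:
            if "." in name and line.startswith("vlan "):
                subs[name] = int(line.split()[1])
    return subs

def switch_port(cfg, port):
    """(mode, native_vlan, allowed_vlans, access_vlan) for one switchport, IOS defaults applied."""
    mode, native, allowed, access = "access", 1, None, 1
    for line in parse_blocks(cfg).get(port, []):
        words = line.split()
        if line.startswith("switchport mode "):
            mode = words[2]
        elif line.startswith("switchport trunk native vlan "):
            native = int(words[4])
        elif line.startswith("switchport trunk allowed vlan "):
            allowed = parse_vlan_list(" ".join(words[4:]))
        elif line.startswith("switchport access vlan "):
            access = int(words[3])
    return mode, native, allowed, access

def check_vlan_plan(asa_cfg, switch_cfg, asa_port):
    """Return (severity, message) findings; an empty list means the plan is consistent."""
    findings = []
    mode, native, allowed, _ = switch_port(switch_cfg, asa_port)
    subs = asa_subinterfaces(asa_cfg)
    if mode != "trunk":
        findings.append(("ERROR", f"{asa_port} is in {mode} mode, not trunk: "
                         "nothing tags frames for the ASA subinterfaces"))
    for name, vlan in subs.items():
        if vlan == native:
            findings.append(("ERROR", f"{name} is tagged for VLAN {vlan}, the native VLAN on "
                             f"{asa_port}: the switch sends it untagged, so it reaches the "
                             "ASA physical interface, not the subinterface"))
        elif allowed is not None and vlan not in allowed:
            findings.append(("ERROR", f"VLAN {vlan} ({name}) is not allowed on {asa_port}"))
    # VLANs the ASA can receive: tagged subinterface VLANs plus the native VLAN (untagged).
    served = set(subs.values()) | {native}
    for port in parse_blocks(switch_cfg):
        p_mode, _, _, access = switch_port(switch_cfg, port)
        if port != asa_port and p_mode == "access" and access not in served:
            findings.append(("WARN", f"{port} is in access VLAN {access}, which no ASA interface serves"))
    return findings
```

Against the original plan the check reports the VLAN 1 clash and warns that nothing on the ASA serves VLAN 2 (the CLIENT router's port); against the VLAN 2 subinterface it reports nothing. The non-trunk finding covers the hub situation in effect: with no 802.1Q trunk on the ASA side, no frame ever carries the tag a subinterface matches on.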
03-27-2008 12:31 PM
The only thing I needed to do was create VLAN 2 on the 2950 and put interface Gig0/1 in trunk mode and interface Fa0/2 in VLAN 2.
Now, everything is working FINE
Thank you
03-27-2008 01:11 PM
happy to help.
Please use the rate section to rate the discussion.
Franco
03-27-2008 12:27 PM
Hi CISCO24x7,
Now it's working FINE. Many, many thanks.
See ya