that would be a sub-interface, which isn't the same as VRF.

Vicente,

I was trying to figure this out as well, and VRF doesn't seem to be supported on my asa5585 running 9.2 and ADSM7.4

Way to revive a 7-year old thread!

The 5580 (and all ASA models) only has a single routing table (aka RIB or Routing Information Base). It does not support Virtual Routing and Forwarding (VRF) instances.

The latest ASA 9.4 software (for the X series only - not the 5580) did just introduce policy-based routing. Still not anywhere near the same as VRFs but it may help some folks who need some routing flexibility.

Thanks for the quick response Marvin.  I didn't see anything in the device documentation, but want to make sure I wasn't missing something.  Time to think about updating to 9.4!

Just to add that there is always the option of contexts.

To be fair Andrew's original answer isn't that bad. You are right that a subinterface is not a VRF obviously but I have seen designs where the VRFs are terminated on separate interfaces or subinterfaces on the firewall and because a firewall by definition is a security device you can then control inter VRF communication statefully.

In fact in a lot of cases it is easier to do this than to have to mess around with route leaking between VRFs on a L3 device.

No criticism intended, just thought I'd mention it.

Jon

Good point Jon.

You're right of course - using interfaces or subinterfaces on an ASA to manage communications between distinct VRFs on adjacent devices may even be in one of the CVDs. I have seen it done that way in more than one large data center design.

Personally I dislike contexts unless they're needed for multi-tenancy. But that's just my early bad experiences with them. :)