06-03-2008 11:50 AM - edited 03-11-2019 05:54 AM
I have been searching CCO to find a config guide that shows how to set up an ASA running 7.2 or 8.x trunking to a L3 switch. Getting a 5510 and I need 7 interfaces, so I am two short. I will be getting the Security Plus so I can do failover.
Where is this config guide, does it exist? I see one for the 5505, but that isn't the 5510. thanks
06-03-2008 12:25 PM
Here you go, basic reference 802.1q and subinterfaces
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html
If you need further assistance let me know to help you with a basic script, but it is very straightforward: create your subinterfaces with appropriate security levels if they are DMZs. There is no trunking-specific command in ASA; once you create subinterfaces and physically connect the ASA interface to your switch trunk, that's pretty much it. Create your trunk on the switch and allow the VLANs you want.
You may use this thread as reference.
Best Rgds
-Jorge
06-03-2008 12:51 PM
Ok, I have read that before. It looks like to me I can use both the physical ports as before and Trunking/VLAN features.
What I need is this.
1) Use the physical nameif interfaces on ASA for inside/outside/dmz1/failover. I realize that will require setting up the Mgt interface as a "real interface" and not a mgt interface. There is a tech note on doing that.
2) Use the 5th port on the ASA with VLAN/Trunking to support Dmz2/Extranet interfaces via the 6500 switch.
There is still no example as to what the finished ASA config looks like here on the cisco site.
Typically cisco will have a config guide with diagrams, device configs and traffic flows.
Is this some hidden feature that Cisco doesn't want users to know about so they will purchase the 4port GigE card for the ASA that costs more than the 5510 itself? :)
06-03-2008 04:42 PM
Doug,
For number 1) and 2):
For the above requirements, does each require its own physical interface? If so, then you are letting the trunking feature ASA 7.x and above provides pass you by; you could accomplish inside/outside/dmz1 off one interface with trunking. Use the management interface if you get the Security Plus license, make it a routed port and do your failover using that physical interface.
In the above scenario you will have used two physical ports and still have three physical ports left.
Now if you need physical interfaces you could do one interface for inside, one for outside,
use the mgt interface for failover, and you still have two physical interfaces left; use one of these two for DMZ1/DMZ2 and/or any extranet interfaces needed using 802.1q.
Is this some hidden feature that Cisco doesn't want users to know about so they will purchase the 4port GigE card for the ASA that costs more than the 5510 itself? :)
No hidden features I'm aware of; it simply comes down to using 802.1q trunking and subinterfaces. Remember, with Sec Plus you have up to 100 virtual interfaces for the entire ASA 5510 unit, all able to use nameif.
Rgds
-Jorge
PLS rate any helpful post if it helped
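Added example (not posted by either participant in this thread): what the finished config for Doug's item 2 looks like on both ends of the link, following Jorge's description. One ASA 5510 physical port (Ethernet0/3 here) carries two 802.1q subinterfaces for dmz2 and extranet, and the matching 6500 port is an explicit dot1q trunk. The interface names, VLAN IDs, security levels and addresses are assumptions chosen for illustration; substitute your own.

```cisco
! ---- ASA 5510 (7.2 / 8.x) ----
! Physical port: no nameif/no IP. It only carries tagged frames for the
! subinterfaces below. Leaving it unnamed means untagged (native VLAN)
! frames are simply dropped, which is what you want here.
interface Ethernet0/3
 description 802.1q trunk to 6500 Gi1/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Subinterface = one VLAN = one nameif. There is no "trunk" command on
! the ASA; creating subinterfaces with a vlan tag is the whole setup.
interface Ethernet0/3.20
 vlan 20
 nameif dmz2
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet0/3.30
 vlan 30
 nameif extranet
 security-level 40
 ip address 198.51.100.1 255.255.255.0
!
! Only needed if two named interfaces share the same security-level
! and must talk to each other (e.g. if dmz2 and extranet were both 50):
! same-security-traffic permit inter-interface

! ---- Catalyst 6500 (IOS) ----
interface GigabitEthernet1/1
 description 802.1q trunk to ASA Eth0/3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,30
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
```

Two practitioner notes on the switch side: `switchport nonegotiate` matters because the ASA does not speak DTP, so the port must be forced to trunk rather than left to negotiate; and `switchport trunk allowed vlan` should list only the VLANs that have an ASA subinterface, so the firewall port never receives frames for VLANs it is not supposed to inspect. Check the result on the ASA with `show interface ip brief` (each subinterface up/up) and on the switch with `show interfaces GigabitEthernet1/1 trunk`.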