ASA 5505 basics


I have 3 LAN segments going out via a 3560 L3 switch.

I know my way around L3 switches and am trying to understand how my new ASA should be configured: does it support the same VLANs as my network and only require a tunnel from the ASA to one (or more) L3 devices? Is it capable of STP (or RSTP, which I use in my network)?

Daniel Voicu Wed, 07/16/2008 - 08:50

Hi,

ASA is not capable of Spanning Tree, nor should it be, since it does not forward broadcast packets.

The ASA interface will be configured as trunk, while for each VLAN you will configure subinterfaces. Assign one VLAN ID per interface.

The IP of the ASA on each subinterface will be the default gateway for the devices on that subnet.

interface GigabitEthernet0/1
 description "Trunk Connectivity with SW"
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif VLAN100
 security-level 80
 ip address xxxxxxx
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif VLAN200
 security-level 70
 ip address xxxxxxx
!
interface GigabitEthernet0/1.300
 vlan 300
 nameif VLAN300
 security-level 60
 ip address xxxxxxx

By default no routing is done between VLANs.

An example with VLANs and remote access VPNs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806ab788.shtml

BTW, ASA does not have Native VLAN support. So if you need VLAN 1 for some reason, you need to create a subinterface for it.

Please rate if this helped.

Regards,

Daniel

While configuring, I changed the admin address 192.168.1.1 to 192.168.10.4 (that is shown under VLAN 1).

Then I configured 3 additional VLANs, one for each of my LAN networks: VLANs 10, 11, 12.

For VLANs 11 & 12 I could configure an IP address using 192.168.10\11.x.

VLAN 10 won't let me configure an IP since it is already configured on VLAN 1.

Does that mean I have to remove the management IP and switch it back to 192.168.1.1? If so, how will I access it via LAN?

I did see a few posts saying the 5505 does not support sub-interfaces; is that possible?

ASA# sh ver
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
OGASA up 1 day 16 hours
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 0021.55d8.e84d, irq 11
1: Ext: Ethernet0/0 : address is 0021.55d8.e845, irq 255
2: Ext: Ethernet0/1 : address is 0021.55d8.e846, irq 255
3: Ext: Ethernet0/2 : address is 0021.55d8.e847, irq 255
4: Ext: Ethernet0/3 : address is 0021.55d8.e848, irq 255
5: Ext: Ethernet0/4 : address is 0021.55d8.e849, irq 255
6: Ext: Ethernet0/5 : address is 0021.55d8.e84a, irq 255
7: Ext: Ethernet0/6 : address is 0021.55d8.e84b, irq 255
8: Ext: Ethernet0/7 : address is 0021.55d8.e84c, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8

This platform has an ASA 5505 Security Plus license.

Serial Number: JMX1221Z07S
Running Activation Key: 0xce06625a 0xa8d68c50 0x8c1055b0 0x9030f02c 0x8308b7a9
Configuration register is 0x1
Configuration last modified by enable_15 at 10:58:54.944 EDT Wed Jul 16 2008
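Added example, not posted in this thread and not Cisco code: a small Python audit that parses an ASA running-config excerpt together with the licence lines of "show version" and reports the conditions discussed in the answer and the follow-up above: two interfaces whose subnets overlap (the situation behind VLAN 10 refusing an address while VLAN 1 already sits on 192.168.10.x), a VLAN interface left without a nameif, the same VLAN ID bound to two interfaces, and more VLANs than the licence allows. The sample config and show version text are constructed for the example; the parser accepts both the trunk-subinterface form from the answer and the "interface VlanN" form the ASA 5505 uses for its switch-port VLANs.

```python
import ipaddress
import re

# Constructed sample running-config (not from the thread): the trunk-subinterface layout
# from the answer plus the "interface VlanN" form the ASA 5505 uses. Addresses are made up;
# Vlan1 and Vlan10 deliberately share 192.168.10.0/24 to reproduce the follow-up's symptom.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.4 255.255.255.0
interface Vlan10
 nameif VLAN10
 security-level 80
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/1.300
 vlan 300
 nameif VLAN300
 security-level 60
 ip address 192.168.12.1 255.255.255.0
interface GigabitEthernet0/1.400
 vlan 400
 no nameif
 no ip address
"""

# Constructed "show version" licence lines, in the layout of the output posted above.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
VLANs : 20, DMZ Unrestricted
VLAN Trunk Ports : 8
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)$")
VLAN_IF_RE = re.compile(r"^Vlan(\d+)$", re.IGNORECASE)
VLAN_LICENSE_RE = re.compile(r"^VLANs\s*:\s*(\d+)", re.MULTILINE)


def parse_interfaces(config_text):
    """Return one dict per interface stanza with keys name, vlan, nameif and network."""
    interfaces, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = {"name": m.group(1), "vlan": None, "nameif": None, "network": None}
            vm = VLAN_IF_RE.match(current["name"])
            if vm:  # "interface Vlan10" carries its VLAN ID in the name
                current["vlan"] = int(vm.group(1))
            interfaces.append(current)
            continue
        if current is None or not line or line == "!":
            continue
        parts = line.split()
        # "no nameif" / "no ip address" leave the field at None, which the audit checks for
        if parts[0] == "vlan" and len(parts) == 2:
            current["vlan"] = int(parts[1])
        elif parts[0] == "nameif" and len(parts) == 2:
            current["nameif"] = parts[1]
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
            # ipaddress accepts a dotted netmask after the slash
            current["network"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return interfaces


def parse_vlan_license(show_version_text):
    """Return the licensed VLAN count from "show version", or None if the line is absent."""
    m = VLAN_LICENSE_RE.search(show_version_text)
    return int(m.group(1)) if m else None


def audit(config_text, show_version_text):
    """Return finding strings; an empty list means nothing was flagged."""
    findings = []
    interfaces = parse_interfaces(config_text)
    # 1. Two interfaces on one subnet: the ASA refuses the second address, which is
    #    the VLAN 1 / VLAN 10 symptom described in the follow-up above.
    addressed = [i for i in interfaces if i["network"] is not None]
    for idx, a in enumerate(addressed):
        for b in addressed[idx + 1:]:
            if a["network"].network.overlaps(b["network"].network):
                findings.append(f"OVERLAP: {a['name']} ({a['network']}) and "
                                f"{b['name']} ({b['network']}) share a subnet")
    # 2. A VLAN interface without nameif cannot pass traffic until it is named.
    # 3. The same VLAN ID bound to two interfaces.
    seen = {}
    for i in interfaces:
        if i["vlan"] is None:
            continue
        if i["nameif"] is None:
            findings.append(f"UNNAMED: {i['name']} carries VLAN {i['vlan']} but has no nameif")
        if i["vlan"] in seen:
            findings.append(f"DUPLICATE: VLAN {i['vlan']} on {seen[i['vlan']]} and {i['name']}")
        seen.setdefault(i["vlan"], i["name"])
    # 4. More VLANs than the licence allows (20 on the Security Plus 5505 shown above).
    limit = parse_vlan_license(show_version_text)
    if limit is not None and len(seen) > limit:
        findings.append(f"LICENSE: {len(seen)} VLANs defined, {limit} licensed")
    return findings
```

Running audit(SAMPLE_CONFIG, SAMPLE_SHOW_VERSION) returns two findings: the OVERLAP between Vlan1 and Vlan10, and the UNNAMED GigabitEthernet0/1.400. Feed it the text of "show running-config" and "show version" from a real unit to check a planned VLAN layout against the licensed count before committing it.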
