VLANs in Cisco ASA

Unanswered Question
Jul 23rd, 2008

I have a Cisco ASA 5520, software version 8.0. The problem is I am unable to create VLANs on it. My search on Google says

Directly:

(config)# int vlan 10

.....

But under (config)# int ?

I see only ethernet and management; there are no VLANs.

Nor am I able to use the switchport command on the ASA interfaces.

Please suggest a solution

victor_87 Wed, 07/23/2008 - 09:37

hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown

I have copied the above commands from the Cisco ASA 8.0 command reference guide; I don't see any subinterfaces configured.

steavg Wed, 07/23/2008 - 10:45

Hi,

Step 1 To specify the new subinterface, enter the following command:

hostname(config)# interface physical_interface.subinterface

The subinterface ID is an integer between 1 and 4294967293.

For example, enter the following command:

hostname(config)# interface gigabitethernet0/1.100

Step 2 To specify the VLAN for the subinterface, enter the following command:

hostname(config-subif)# vlan vlan_id

The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information.

You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID.

Step 3 To enable the subinterface, enter the following command:

hostname(config-subif)# no shutdown

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

Hope this helps,

Cheers

stefan

JORGE RODRIGUEZ Wed, 07/23/2008 - 11:59

Victor,

It is very possible that the script you copied is meant for an ASA 5505 model; the 5505 has an integrated L2 switch, your model 5520 does not have an integrated switch.

Again, you need to configure trunking. The way it works is through subinterfaces for your L3 logical configuration, in other words splitting a physical port into many logical interfaces; that port will then connect to an L2 switch where your VLANs will be configured with respect to the logical interfaces in the firewall.

If you need a more specific script let me know.

Rgds

Jorge
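Putting the two answers above together (stefan's subinterface steps and Jorge's point that the 5520 needs an 802.1Q trunk to an external L2 switch), here is an added example of what both ends of that trunk look like. It is not from any of the posters and not copied from Cisco documentation; the interface names (GigabitEthernet0/1 on the ASA, GigabitEthernet1/0/1 on the switch), the VLAN IDs, the nameifs and the addresses are assumptions chosen for illustration.

```text
! --- ASA 5520 side (assumed: GigabitEthernet0/1 carries the trunk) ---
! The physical interface is enabled but deliberately has no nameif,
! security-level or IP address. With subinterfaces in use, the physical
! interface would otherwise process any untagged frames that arrive on it.
interface GigabitEthernet0/1
 description 802.1Q trunk to L2 switch
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN. A subinterface passes no traffic until it has
! a vlan, a nameif and a security-level. The subinterface number (.100) and
! the VLAN ID (100) need not match, but keeping them equal avoids confusion.
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif dmz
 security-level 50
 ip address 10.3.1.1 255.255.255.0
 no shutdown
!
! --- Catalyst switch side (assumed: port GigabitEthernet1/0/1) ---
! Define the VLANs, then trunk only those VLANs to the ASA. The native
! (untagged) VLAN is moved to an unused ID so that no untagged traffic
! reaches the ASA's physical interface.
vlan 100
 name INSIDE
vlan 200
 name DMZ
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/1
 description Trunk to ASA5520 Gi0/1
! "switchport trunk encapsulation dot1q" is needed on platforms that also
! support ISL (e.g. 3560/3750); 2960-class switches reject it as unneeded.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200
 switchport trunk native vlan 999
! The ASA does not speak DTP, so do not send negotiation frames to it.
 switchport nonegotiate
 no shutdown
!
! Verification
!   ASA:    show interface ip brief
!           show interface GigabitEthernet0/1.100
!   Switch: show interfaces GigabitEthernet1/0/1 trunk
```

The two settings that matter from a security standpoint are pruning the trunk to exactly the VLANs the firewall terminates (`switchport trunk allowed vlan`) and putting the native VLAN on an ID nothing else uses: a trunk whose native VLAN is also a production VLAN lets untagged frames cross VLAN boundaries, and a physical ASA interface that is left with a nameif would accept those frames. The `show interfaces ... trunk` output on the switch should list only 100 and 200 as allowed and active.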

victor_87 Wed, 07/23/2008 - 20:04

OK, straight away I'll come to the point: I have two L3 switches configured for HSRP. Now I need to connect these two switches to the firewall, so the firewall inside and the two L3 switches have to be in the same subnet.

Please suggest a solution for this scenario; I do not want to use another switch in between the firewall and the L3 switches.

JORGE RODRIGUEZ Thu, 07/24/2008 - 08:10

Victor,

We need to know what your requirements are in terms of networks and what type of networks they will be. You have a couple of L3 switches and you are providing L3 failover through HSRP, but for the switches only; you would need a second firewall in order to achieve failover on the firewalls through an active/standby scenario. You will have only one physical connection per firewall port to a particular switch: if switch 1, where the firewall connects, fails, you still have HSRP to work at the switches for failover, but not the firewall; you would have to move the firewall's physical connection to SW2. But I suppose you could do this for firewall-connection switch failover. I have not done it this way, nor would I; maybe someone could comment on this one. Say you use another firewall physical interface with the same security level, one connection from the FW to SW1 and one connection to SW2, but this becomes very messy. ASA and HSRP, I don't believe, is possible in the scenario we are all familiar with in IOS; HSRP pass-through, sure, but not the way it is in IOS. I don't know, perhaps a little more thinking if time is feasible, and test it.

Going back to the beginning, will these switches be your inside perimeter? I would first sketch down in writing or a diagram how many inside networks you require. Since you have L3 switches I would recommend having them perform inter-VLAN routing; for networks that are required to be isolated, such as DMZs or public-access networks, I would have them in separate L2 switches.

Rgds

Jorge
