VLans in CISCO ASA

victor_87
Level 1

I have a Cisco ASA 5520, SW ver 8.0; the problem is I am unable to create VLANs in it. My search on Google says

Directly:

(config)#Int Vlan 10

.....

But under (Config)# int ?

I see only ethernet and management; there are no VLANs.

Neither am I able to use the switchport command on the ASA interfaces.

Please suggest a solution.

7 Replies

JORGE RODRIGUEZ
Level 10

You have to configure 802.1q subinterfaces and then your L2 vlans on a switch.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1044006

Jorge Rodriguez

hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown

I have copied the above commands from the Cisco ASA 8.0 command reference guide; I don't see any subinterfaces configured.

Hi,

Step 1 To specify the new subinterface, enter the following command:

hostname(config)# interface physical_interface.subinterface

The subinterface ID is an integer between 1 and 4294967293.

For example, enter the following command:

hostname(config)# interface gigabitethernet0/1.100

Step 2 To specify the VLAN for the subinterface, enter the following command:

hostname(config-subif)# vlan vlan_id

The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information.

You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID.

Step 3 To enable the subinterface, enter the following command:

hostname(config-subif)# no shutdown

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

Hope this helps,

Cheers

stefan

Victor,

It is very possible that the script you copied is meant for an ASA5505 model; the 5505 has an integrated L2 switch, your model 5520 does not have an integrated switch.

Again, you need to configure trunking. The way it works is through subinterfaces for your L3 logical configuration, in other words splitting a physical port into many logical interfaces; that port will then connect to a L2 switch where your VLANs will be configured with respect to the logical interfaces in the firewall.

If you need a more specific script let me know.

Rgds

Jorge

Jorge Rodriguez

OK, straight away I'll come to the point: I have two L3 switches configured for HSRP. Now I need to connect these two switches to the firewall, so the firewall inside and the two L3 switches must be in the same subnet.

Please suggest a solution for this scenario; I do not want to use another switch in between the firewall and the L3 switches.

Victor,

We need to know what your requirements are in terms of networks and what type of networks they will be. You have a couple of L3 switches and you are providing L3 failover through HSRP, but for the switches only; you would need a second firewall in order to achieve failover on the firewalls through an active/standby scenario. You will have only one physical connection per firewall port to a particular switch. If switch1, where the FW connects, fails, you still have HSRP working at the switches for failover but not the firewall; you would have to move the FW physical connection to SW2. But I suppose what you could do for firewall-connection switch failover (I have not done it this way, nor would I; maybe someone could comment on this one) is to use another FW physical interface with the same security level, one connection from the FW to SW1 and one connection to SW2, but this becomes very messy. ASA and HSRP, I don't believe, is possible in the scenario we are all familiar with in IOS; HSRP pass-through, sure, but not the way it is in IOS. I don't know, perhaps a little more thinking, if time is feasible, and test it.

Going back to the beginning: will these switches be your inside perimeter? I would first sketch down in writing or a diagram how many inside networks you require. Since you have L3 switches I would recommend having them perform inter-VLAN routing; for networks that are required to be isolated, such as DMZs or public access networks, I would have them on separate L2 switches.

Rgds

Jorge

Jorge Rodriguez
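An added example (mine, not from the thread or from Cisco's documentation): Victor's 5505-style VLAN configuration rewritten for the 5520 as 802.1Q subinterfaces following Stefan's steps, plus the IOS side of the trunk for the HSRP L3 switch on the inside subnet that Jorge's last reply discusses. Interface names, VLAN IDs, security levels and addresses reuse the thread's values; Gi0/1 as the trunk port, the switch port number, native VLAN 999, the switch SVI address and the HSRP VIP 10.2.1.254 are assumptions.

```cisco
! --- ASA 5520, 8.0: the physical port carries the 802.1Q trunk ---
! No nameif on the parent, so untagged (native-VLAN) frames are not passed.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN; "vlan" sets the tag (there is no "switchport").
interface GigabitEthernet0/1.200
 vlan 200
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1.201
 vlan 201
 nameif dept1
 security-level 90
 ip address 10.2.2.1 255.255.255.0
 no shutdown
!
! Outside keeps its own physical port; no tagging needed there.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
! --- L3 switch side (IOS): trunk port facing ASA Gi0/1 ---
interface GigabitEthernet1/0/1
 description trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 200,201
 switchport mode trunk
!
! Inside SVI shares 10.2.1.0/24 with the ASA; the HSRP VIP (assumed .254)
! is what inside hosts use as gateway and what the ASA routes back through.
interface Vlan200
 ip address 10.2.1.2 255.255.255.0
 standby 1 ip 10.2.1.254
 standby 1 priority 110
 standby 1 preempt
```

The second switch carries the same SVI with its own address and a lower priority; the ASA trunk still lands on one switch only, which is the firewall-side single point Jorge describes. Native VLAN 999 is an otherwise unused VLAN so that no user traffic rides the trunk untagged.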