07-23-2008 09:06 AM - edited 03-11-2019 06:18 AM
I have a Cisco ASA 5520, SW ver 8.0. The problem is I am unable to create VLANs in it. My search on Google says
Directly
(config)#Int Vlan 10
.....
But under (Config)# int ?
I see only ethernet and management; there are no VLANs.
Neither am I able to use the switchport command on the ASA interfaces.
Please suggest a solution.
07-23-2008 09:16 AM
You have to configure 802.1q subinterfaces on the ASA and then your L2 VLANs on a switch.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1044006
07-23-2008 09:37 AM
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
I have copied the above commands from the Cisco ASA 8.0 command reference guide; I don't see any subinterfaces configured.
07-23-2008 10:45 AM
Hi,
Step 1 To specify the new subinterface, enter the following command:
hostname(config)# interface physical_interface.subinterface
The subinterface ID is an integer between 1 and 4294967293.
For example, enter the following command:
hostname(config)# interface gigabitethernet0/1.100
Step 2 To specify the VLAN for the subinterface, enter the following command:
hostname(config-subif)# vlan vlan_id
The vlan_id is an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information.
You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID.
Step 3 To enable the subinterface, enter the following command:
hostname(config-subif)# no shutdown
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006
Hope this helps,
Cheers
stefan
07-23-2008 11:59 AM
Victor,
It is very possible that the script you copied is meant for an ASA 5505 model; the 5505 has an integrated L2 switch, while your model, the 5520, does not have an integrated switch.
Again, you need to configure trunking. The way it works is through subinterfaces for your L3 logical configuration, in other words splitting a physical port into many logical interfaces; that port will then connect to an L2 switch where your VLANs will be configured to correspond to the logical interfaces in the firewall.
If you need a more specific script let me know.
Rgds
Jorge
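Putting stefan's three steps (subinterface, vlan, no shutdown) and Jorge's point that the VLANs themselves live on an external L2 switch together, here is an added example that is not part of the thread and not Cisco's own code. It is a small Python generator that emits the ASA 5520 side (one 802.1q subinterface per VLAN on a physical port that carries no IP of its own) and the matching Catalyst trunk port, while enforcing the ID ranges quoted in the thread and refusing two subinterfaces that claim the same VLAN. The interface names, VLAN IDs, addresses, security levels and the Catalyst IOS trunk syntax are assumptions chosen for illustration, not the original poster's network.

```python
"""
Added example, not from the thread or from Cisco: build the ASA 5520
subinterface ("trunk") configuration and the matching switch trunk port.
All names, VLAN IDs and addresses are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List

VLAN_MIN, VLAN_MAX = 1, 4094            # vlan_id range quoted in the thread
SUBIF_MIN, SUBIF_MAX = 1, 4294967293    # subinterface ID range quoted in the thread


@dataclass(frozen=True)
class AsaSubif:
    """One logical interface on the ASA: exactly one VLAN per subinterface."""
    subif_id: int
    vlan: int
    nameif: str
    security_level: int
    ip: str
    mask: str

    def __post_init__(self) -> None:
        if not SUBIF_MIN <= self.subif_id <= SUBIF_MAX:
            raise ValueError(f"subinterface id {self.subif_id} out of range")
        if not VLAN_MIN <= self.vlan <= VLAN_MAX:
            raise ValueError(f"vlan {self.vlan} out of range 1..4094")
        if not 0 <= self.security_level <= 100:
            raise ValueError("security-level must be 0..100")


def asa_trunk_config(phys: str, subifs: List[AsaSubif]) -> List[str]:
    """ASA commands: the physical port only carries the tagged frames (no
    nameif / IP of its own); each subinterface gets its VLAN, name, level
    and address.  Two subinterfaces on one port may not share a VLAN."""
    seen: Dict[int, int] = {}
    for s in subifs:
        if s.vlan in seen:
            raise ValueError(f"vlan {s.vlan} already used by {phys}.{seen[s.vlan]}")
        seen[s.vlan] = s.subif_id
    lines = [f"interface {phys}", " no nameif", " no security-level",
             " no ip address", " no shutdown"]
    for s in subifs:
        lines += [
            f"interface {phys}.{s.subif_id}",   # step 1: create subinterface
            f" vlan {s.vlan}",                  # step 2: bind its VLAN
            f" nameif {s.nameif}",
            f" security-level {s.security_level}",
            f" ip address {s.ip} {s.mask}",
            " no shutdown",                     # step 3: enable it
        ]
    return lines


def switch_trunk_config(port: str, vlans: List[int], encap_cmd: bool = True) -> List[str]:
    """Catalyst IOS side (assumed syntax): the port facing the ASA is an
    802.1q trunk restricted to the ASA's VLANs.  Older platforms need the
    explicit encapsulation command; newer ones reject it, hence the flag."""
    lines = [f"interface {port}", " description trunk to ASA 5520"]
    if encap_cmd:
        lines.append(" switchport trunk encapsulation dot1q")
    lines += [" switchport mode trunk",
              " switchport trunk allowed vlan " + ",".join(str(v) for v in sorted(vlans))]
    return lines


# Constructed sample: three logical interfaces on one ASA 5520 port.
SAMPLE_SUBIFS = [
    AsaSubif(100, 100, "outside", 0, "10.1.1.1", "255.255.255.0"),
    AsaSubif(200, 200, "inside", 100, "10.2.1.1", "255.255.255.0"),
    AsaSubif(201, 201, "dept1", 90, "10.2.2.1", "255.255.255.0"),
]

if __name__ == "__main__":
    print("\n".join(asa_trunk_config("gigabitethernet0/1", SAMPLE_SUBIFS)))
    print()
    print("\n".join(switch_trunk_config("GigabitEthernet1/0/1",
                                        [s.vlan for s in SAMPLE_SUBIFS])))
```

The checks in `AsaSubif` and `asa_trunk_config` are where the thread's two gotchas are caught before anything is pasted into the box: a VLAN outside 1..4094 and a VLAN assigned to two subinterfaces on the same port are both rejected, and the physical interface is deliberately left without `nameif` or an address because on a 5520 the VLAN can only go on a subinterface.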
07-23-2008 08:04 PM
OK, straight away I'll come to the point: I have two L3 switches configured for HSRP. Now I need to connect these two switches to the firewall, so the firewall inside and the two L3 switches must be in the same subnet.
Please suggest a solution for this scenario; I do not want to use another switch in between the firewall and the L3 switches.
07-24-2008 08:10 AM
Victor,
We need to know what your requirements are in terms of networks and what type of networks they will be. You have a couple of L3 switches and you are providing L3 failover through HSRP, but for the switches only; you would need a second firewall in order to achieve failover on the firewalls through an active/standby scenario. You will have only one physical connection per firewall port to a particular switch; if switch 1, where the FW connects, fails, you still have HSRP to work at the switches for failover, but not the firewall: you would have to move the FW physical connection to SW2. But I suppose what you could do for firewall connection switch failover (I have not done it this way, nor would I; maybe someone could comment on this one) is to use another FW physical interface with the same security level, one connection from the FW to SW1 and one connection to SW2, but this becomes very messy. ASA and HSRP, I don't believe, is possible in the scenario we are all familiar with in IOS; HSRP pass-through, sure, but not the way it is in IOS. I don't know; perhaps a little more thinking, if time is feasible, and test it.
Going back to the beginning: will these switches be your inside perimeter? I would first sketch down in writing or a diagram how many inside networks you require. Since you have L3 switches, I would recommend having them perform inter-VLAN routing; for networks that need to be isolated, such as DMZs or public access networks, I would have them in separate L2 switches.
Rgds
Jorge
07-27-2008 07:22 PM
The scenario you mentioned works; you might want to have a look at someone else's post that is even more clear.
Thank you very much.