Trunk off a ASA 5520?

Unanswered Question
Sep 6th, 2008


I have an ASA 5520 and a spare 3750 switch. Is it possible to create a DMZ/VLAN on the ASA using the 3750?

Marwan ALshawi Sat, 09/06/2008 - 06:14

If you have a free port interface on your ASA you can make a VLAN on the switch, and because it is an L3 switch you can either create an SVI or a routed interface on the switch belonging to that VLAN subnet, connect it to the ASA port and configure it as a DMZ.

If you don't have enough ports you can do the same thing on the switch: create VLANs and make the port to the ASA a trunk, and on the ASA create subinterfaces. Each subinterface can be treated as a separate interface with all configs like security level and IPs, but keep in mind the ASA uses dot1q trunking, so make the switch trunk dot1q.

In both solutions don't do routing in the switch; instead make the communication between VLANs go through the ASA to achieve your requirement of a separate DMZ.

good luck

if helpful Rate

It really doesn't matter on which switch you do it. I would rather suggest you create sub-interfaces on the inside interface of the ASA 5520 and assign different VLANs to each sub-interface. However, do keep in mind that sub-interfaces in the ASA are a bit trickier than the sub-interfaces in routers. Keep an eye on the term "L2 decode error" in sh interface. It is just like a VLAN mismatch sort of error, to give you a hint to check your VLAN settings and connections.

Here is the link to configure virtual interface on ASA.

plz rate helpful posts.

Marwan ALshawi Sat, 09/06/2008 - 07:28

Mohsin, the subinterface is not the only option. As I mentioned above in my post, you can do it through a separate physical interface or through a subinterface.

However, if he has a free port on the ASA it is better to do it through a separate interface rather than a subinterface.

but both work

thank you

whiteford Sat, 09/06/2008 - 07:35

I'm just wondering if I have to create more DMZs/VLANs, then subinterfaces are the best option as the ASA only has one spare port free.

Marwan ALshawi Sat, 09/06/2008 - 08:52

hi there

Could you please just tell me in more detail what you are looking to achieve, to let me help you more precisely?

thank you

whiteford Sat, 09/06/2008 - 09:23

No problem. I have a Cisco ASA 5520 and I want to create some VLANs for webservers and maybe some other VLANs in the future for other projects. I would like them to be firewalled through the ASA. I have a spare 3750, and it seems the best approach as I only have 1 spare gigabit port left (inside, outside, failover, spare).

Is it a good approach to trunk off the 5520 into the 3750 and create subinterfaces?

Marwan ALshawi Sun, 09/07/2008 - 03:46

Yes, sure.

Make subinterfaces on the spare port and it will already trunk with dot1q. On the switch side make a dot1q trunk and create the VLANs on the 3750 switch, but do not make any routing between those VLANs on the switch, as you want the communication between them to be firewalled through the ASA.

All you need is to give each subinterface a security level, an IP address and the VLAN number corresponding to the VLAN on the switch.

On the hosts, make the default gateway the subinterface of the ASA in the corresponding VLAN.

Then you can make ACLs and whatever you want to control the communication between ASA interfaces, subinterfaces and non-subinterfaces.

good luck

if helpful Rate
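The following is an added configuration example for the approach described in the two replies above (dot1q trunk from the ASA's spare port to the 3750, one ASA subinterface per DMZ VLAN, no routing on the switch). It is not from the thread or from Cisco documentation, and the port names, VLAN IDs, interface names and addresses are all constructed for illustration.

```cisco
! ===== ASA 5520 (assumed spare port: GigabitEthernet0/3) =====
! The physical port carries only tagged frames; it gets no name, level or address of its own.
interface GigabitEthernet0/3
 description dot1q trunk to 3750
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per DMZ VLAN. The "vlan" value must match the VLAN ID on the switch.
interface GigabitEthernet0/3.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/3.20
 vlan 20
 nameif dmz-proj
 security-level 40
 ip address 10.10.20.1 255.255.255.0
!
! Without an ACL the ASA allows traffic from a higher security level to a lower one,
! so dmz-web (50) could reach dmz-proj (40) by default. This ACL keeps the two DMZs
! apart and lets the web servers initiate only outbound HTTP/HTTPS and DNS.
access-list dmz-web-in extended deny ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list dmz-web-in extended permit tcp 10.10.10.0 255.255.255.0 any eq 80
access-list dmz-web-in extended permit tcp 10.10.10.0 255.255.255.0 any eq 443
access-list dmz-web-in extended permit udp 10.10.10.0 255.255.255.0 any eq 53
access-group dmz-web-in in interface dmz-web

! ===== Catalyst 3750 (assumed uplink to the ASA: GigabitEthernet1/0/1) =====
vlan 10
 name DMZ-WEB
vlan 20
 name DMZ-PROJ
!
! The 3750 supports ISL as well as dot1q, so the encapsulation must be set explicitly
! before the port can be made a trunk. nonegotiate disables DTP toward the firewall.
interface GigabitEthernet1/0/1
 description dot1q trunk to ASA Gi0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
! Example server port in the web DMZ; hosts here use 10.10.10.1 as their default gateway.
interface GigabitEthernet1/0/2
 description web server, VLAN 10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! No SVIs for VLAN 10 or 20 and no IP routing on the switch, so every packet between the
! two DMZs has to go up the trunk and through the ASA's security levels and ACLs.
no ip routing
```

Two checks after applying it: `show interface GigabitEthernet0/3` on the ASA should show the subinterfaces up and the L2 decode counter the earlier reply mentions staying at zero (a rising count usually means the switch is sending frames with a VLAN tag the ASA has no subinterface for, or untagged frames), and `show interfaces GigabitEthernet1/0/1 trunk` on the 3750 should list only VLANs 10 and 20 as allowed and active. The native VLAN is set to an unused ID (999 here) on purpose: the ASA subinterfaces only process tagged frames, so the native VLAN should never be one of the DMZ VLANs.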
