07-28-2009 08:44 AM - edited 03-11-2019 08:59 AM
I am working on an ASA5510 which has 3 Ethernet interfaces. I have allocated outside, inside and DMZ, one to each interface. But I want to configure two subnets on the inside interface.
I found there are 4 physical Ethernet ports. The light comes on when I plug a device into the fourth port, but I can't do anything with it. Is it possible to use this port?
If not, can we use the management interface as a subnetwork interface, or use a subinterface on the inside interface?
TIA.
07-28-2009 10:06 AM
David,
You have Ethernet ports 0, 1, 2 and 3 plus the management port interface.
If you have already allocated 0 as your outside interface and, say, the inside is on port 1, you could use dot1q and trunk it to your inside switch, and have subinterfaces on the ASA inside interface for your two inside subnets. Ports 0 and 1 can also operate as gig-speed interfaces if your ASA has the Sec Plus license; without the Sec Plus license you can still do dot1q trunking.
Gig speed feature
http://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn723.html#wp272663
Subinterfaces
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html
As for the management port, technically you can use this port as a routed port just like the other ports as long as you remove the management-only command from that interface, but it is best to leave it as a management port for management purposes. My recommendation is to take advantage of gig speed and use trunking for multiple subnets.
Regards
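The trunked-subinterface layout recommended in this reply, as an added ASA configuration sketch that is not part of the original post. The VLAN IDs, the second interface name (inside2) and the addresses are constructed for illustration; the physical port is left without a nameif so untagged frames arriving on the trunk are not passed.

```text
! Physical port carrying the 802.1Q trunk to the inside switch.
! No nameif here: only tagged traffic on the subinterfaces is processed.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! First inside subnet (VLAN 10 is a constructed value)
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Second inside subnet (VLAN 20 and the name inside2 are constructed values)
interface Ethernet0/1.20
 vlan 20
 nameif inside2
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! Both subinterfaces sit at security level 100, so the ASA drops traffic
! between them by default. Add the next line only if the two subnets
! are meant to reach each other through the firewall.
same-security-traffic permit inter-interface
```

The switch port facing Ethernet0/1 has to be an 802.1Q trunk that carries only the VLANs defined here.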
07-28-2009 11:50 AM
Unfortunately, my ASA5510 has Ethernet interfaces only (it was a mistake in the order). So I have to go for subinterfaces now.
Just curious, how come the unit has 4 physical ports but the IOS only shows 3 interfaces as available (ethernet0/0, 0/1, 0/2)?
07-28-2009 01:06 PM
Hi David, thanks for rating. Most likely it would be the code your ASA has.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Based on the ASA comparison and licensing, the base license should provide 5 10/100 interfaces, which includes the management interface, so technically you should be able to see all 5 interfaces.
On the other hand, with the Sec Plus license, shown in red print in the above link, you will have 2 10/100/1000BaseT interfaces and 3 10/100 including the management one.
So I sort of lean to think it is a code limitation probably under the 7.x code which you probably are running.
Regards
07-28-2009 01:28 PM
Thank you. The image is 7.08 and the license is very basic. The e0/3 is not licensed.
I have the images asa811-smp-k8.bin and asa802-k8.bin, which came on a CD in the packaged box. Can I just load one and upgrade to the later version? Does it help?
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 0024.97f0.3e68, irq 9
1: Ext: Ethernet0/1 : address is 0024.97f0.3e69, irq 9
2: Ext: Ethernet0/2 : address is 0024.97f0.3e6a, irq 9
3: Ext: Not licensed : irq 9
4: Ext: Management0/0 : address is 0024.97f0.3e6c, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 50
07-28-2009 02:33 PM
If you have a CCO account with software download access, load the latest version 8.2(1) [asa821-k8.bin] along with ASDM version 6.2 (asdm-621.bin). Even though it is in ED (early deployment) status, I have been running it with no issues.
software download CCO login required
I looked at the asa811-smp-k8.bin code; this code is meant to be loaded on ASA5580-20 and ASA5580-40 models only, based on the software download description notes. You can try 8.0(2) asa802-k8.bin. These are the release notes for 802 for reference: http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html
On the CD there should be an ASDM image for the 802 version as well; you will need an ASDM upgrade for 802. But if you have CCO access, download the latest codes.
As usual when upgrading, back up the current code and ASDM image as well as your config to a TFTP server, and save the output of "show version".
Loading the image to disk0 should be fairly simple. You can do it through the ASDM GUI or the CLI, which is easier; keep in mind that if it is done through the CLI you need to update the boot statement and ASDM statements accordingly to reflect the new codes. If you need help let us know.
regards
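The backup-and-upgrade sequence described in this reply, as an added CLI sketch that is not part of the original post. The TFTP server address 192.0.2.10 and the backup file names are constructed; names in angle brackets are placeholders for files the thread does not name.

```text
! 1. Record the current state and back everything up to the TFTP server
show version
copy running-config tftp://192.0.2.10/asa5510-running-backup.cfg
copy disk0:/<current-asa-image> tftp://192.0.2.10/<current-asa-image>
copy disk0:/<current-asdm-image> tftp://192.0.2.10/<current-asdm-image>
!
! 2. Load the new ASA image and the matching ASDM image onto disk0
copy tftp://192.0.2.10/asa802-k8.bin disk0:/asa802-k8.bin
copy tftp://192.0.2.10/<asdm-image-for-802> disk0:/<asdm-image-for-802>
!
! Before booting it, compare the image checksum with the value published
! on the download page (for example with "verify /md5 disk0:/asa802-k8.bin"
! if the running release supports that option).
!
! 3. Point the boot and ASDM statements at the new files
configure terminal
 no boot system disk0:/<current-asa-image>
 boot system disk0:/asa802-k8.bin
 asdm image disk0:/<asdm-image-for-802>
 end
write memory
reload
!
! 4. After the reload, confirm the running image and interface licensing
show bootvar
show version
```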
07-29-2009 10:31 AM
After upgrading the image, I can manage the fourth port now! (The license is unchanged, e.g. FO is still disabled.)
The other way, using subinterfaces, also works for me.
Thank you for your kind help!
07-29-2009 03:52 PM
David, thanks for updating the post; glad it is all working out with the new code.
The failover feature is still disabled because it is not supported with the base license. To use failover down the road, when you get another ASA5510, you will require the Security Plus license on both to use an active/standby architecture.
Again, thanks for rating.
Regards