ASA5510:configure two subnets on one Interface

David Lin
Level 1

I am working on ASA5510 which has 3 ethernet interfaces. I have allocated outside, inside, DMZ for each interface. But I want to configure two subnets on inside interface.

I found there are 4 physical ports in the ethernet interface. The light is on when I plugged a device into the fourth port, but I can't do anything on it. Is it possible to use this port?

If not, can we use the management interface as a subnetwork interface? Or use a subinterface on the inside interface?

TIA.


7 Replies

JORGE RODRIGUEZ
Level 10

David,

You have 0,1,2,3 ethernet ports plus the management port interface.

If you already allocated 0 as your outside interface and, say, the inside is on port 1, you could use dot1q and trunk it to your inside switch, and have the subinterfaces on the ASA inside for your two inside subnets. The 1 or 0 ports can also operate as gig speed interfaces if your ASA has the Sec Plus license; if not Sec Plus license, you can still do dot1q trunking.

Gig speed feature

http://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn723.html#wp272663

Subinterfaces

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html

As for the management port, technically you can use this port as a routed port just like the other ports as long as you remove the management-only command off that interface, but best is to leave it as a management port for management purposes. My recommendation is to take advantage of gig speed and use trunking for multiple subnets.

Regards

Jorge Rodriguez
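The dot1q subinterface layout Jorge describes, written out as an added example ASA configuration (not from the original post; VLAN ids 10/20, the 192.168.x.x addresses and the management subnet are assumed):

```cisco
! Physical port carrying the 802.1Q trunk to the inside switch.
! It gets no name or IP of its own; only the tagged subinterfaces are routed.
interface Ethernet0/1
 description dot1q trunk to inside switch
 no nameif
 no security-level
 no ip address
 no shutdown
!
! First inside subnet on VLAN 10 (VLAN id and address are assumed values).
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Second inside subnet on VLAN 20 (assumed values).
interface Ethernet0/1.20
 vlan 20
 nameif inside2
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! Both subinterfaces sit at security-level 100, so the ASA drops traffic
! between them unless same-security inter-interface traffic is permitted.
! Omit this line if the two subnets are meant to stay isolated.
same-security-traffic permit inter-interface
!
! Keep the dedicated port in management-only mode instead of turning it
! into another routed port, as recommended above.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.99.1 255.255.255.0
 management-only
```

The switch port facing Ethernet0/1 must be a trunk tagging VLANs 10 and 20; `show interface ip brief` on the ASA confirms both subinterfaces are up. The base license shown later in this thread allows a maximum of 10 VLANs, which caps how many such subinterfaces can be created.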

Unfortunately, my ASA5510 has ethernet interfaces only (it's a mistake in the order). So I have to go for subinterfaces now.

Just curious, how come the unit has 4 physical ports but the IOS only shows 3 interfaces as available (ethernet0/0, 0/1, 0/2)?

Hi David, thanks for rating. Most likely it would be the code your ASA has.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Based on the ASA comparison and licensing, the base license should provide 5 10/100 interfaces, which includes the management interface, so technically you should be able to see all 5 interfaces.

On the other hand, with the Sec Plus license shown in red print in the above link you will have 2 10/100/1000BaseT interfaces and 3 10/100, including the management one.

So I sort of lean to think it is a code limitation, probably under the 7.x code which you are probably running.

Regards

Jorge Rodriguez

Thank you. The image is 7.08 and the license is very basic. The e0/3 is not licensed.

I have the images asa811-smp-k8.bin and asa802-k8.bin that came on a CD in the packaged box. Can I just load it and upgrade to the later version? Does it help?

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

0: Ext: Ethernet0/0 : address is 0024.97f0.3e68, irq 9

1: Ext: Ethernet0/1 : address is 0024.97f0.3e69, irq 9

2: Ext: Ethernet0/2 : address is 0024.97f0.3e6a, irq 9

3: Ext: Not licensed : irq 9

4: Ext: Management0/0 : address is 0024.97f0.3e6c, irq 11

5: Int: Not used : irq 11

6: Int: Not used : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : 4

Maximum VLANs : 10

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : 50

If you have a CCO account for software download access, load the latest version 8.2(1) [asa821-k8.bin] along with ASDM version 6.2 (asdm-621.bin); even though it is ED (early deployment) status, I have been running it with no issues.

Software download (CCO login required):

http://tools.cisco.com/support/downloads/go/InterfaceModuleSWT.x?mdfid=279916854&mdfLevel=Model&treeName=Security&modelName=Cisco%20ASA%205510%20Adaptive%20Security%20Appliance&treeMdfId=268438162

I looked at the asa811-smp-k8.bin code; this code is meant to be loaded on ASA5580-20 and ASA5580-40 models only, based on the software download description notes. You can try 8.0(2) asa802-k8.bin - these are the release notes for 802 for reference: http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html

On the CD there should be an ASDM image for the 802 version as well; you will need the ASDM upgrade for 802... but if you have CCO access, download the latest codes.

As usual when upgrading, back up the current code and ASDM image as well as your config to a TFTP server, and save the output of "show version".

Loading the image to disk0 should be fairly simple; you can do it through the ASDM GUI or the CLI, which is easier. Keep in mind, if done through the CLI, to update the boot statement and ASDM statements accordingly to reflect the new codes. If you need help let us know.

regards

Jorge Rodriguez
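The CLI upgrade sequence from the reply above (backup, load to disk0, update boot and ASDM statements), as an added example that is not part of the original post. The TFTP server 192.0.2.10 and the current image names asa708-k8.bin / asdm-508.bin are assumed; the real names come from `dir disk0:` on the box.

```cisco
! 0. Record the current state so the box can be rolled back.
show version
dir disk0:
! 1. Back up config and both current images to the TFTP server
!    (server address and current image names are assumed values).
copy running-config tftp://192.0.2.10/asa5510-before-upgrade.cfg
copy disk0:/asa708-k8.bin tftp://192.0.2.10/asa708-k8.bin
copy disk0:/asdm-508.bin tftp://192.0.2.10/asdm-508.bin
! 2. Load the 8.2(1) system image and ASDM 6.2 named in the reply.
copy tftp://192.0.2.10/asa821-k8.bin disk0:/asa821-k8.bin
copy tftp://192.0.2.10/asdm-621.bin disk0:/asdm-621.bin
! 3. Compare the computed MD5 of each file with the checksum shown on
!    the Cisco download page before booting from it.
verify /md5 disk0:/asa821-k8.bin
verify /md5 disk0:/asdm-621.bin
! 4. Point the boot and ASDM statements at the new files; the old boot
!    statement is removed so only the new image is listed.
configure terminal
 no boot system disk0:/asa708-k8.bin
 boot system disk0:/asa821-k8.bin
 asdm image disk0:/asdm-621.bin
 end
write memory
! 5. Reboot onto the new code and confirm the running image.
reload
show version | include image
```

Keep the old image on disk0 until the new one has been verified, so a failing boot can be pointed back at it from ROMMON or the CLI.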

After upgrading the image, I can manage the fourth port now! (The license keeps no change, such as FO is still disabled.)

The other way, using a subinterface, also works for me.

Thank you for your kind help!

David, thanks for updating the post, glad all is working out with the new code.

The failover feature is still disabled because it is not supported with the base license; to use failover down the road when you get another ASA5510 will require the Security Plus license on both to use the active/standby architecture.

Again, thanks for rating.

Regards

Jorge Rodriguez