ASA virtual LAN

Answered Question
Sep 2nd, 2010

I have an ASA to which a switch will be attached. This switch will have multiple end-user ports, but all on the same VLAN, so I have to create a VLAN on the ASA port which will attach to the layer 2 switch.

How do I create this VLAN scenario? Is a subinterface the only possible way?

Thank you for the help.

Jennifer Halim Thu, 09/02/2010 - 04:32

Since the ASA will be the L3 hop, you would need to create the ASA physical interface in the same VLAN as the users' VLAN. Just connect the ASA inside interface to the switch port and assign the switch port the same VLAN as the user VLAN. All users and the ASA inside interface will then be in the same VLAN and subnet, and the ASA will be the default gateway for your users.

suthomas1 Thu, 09/02/2010 - 08:20

Would the normal vlan command work on the ASA for this, or is there another way to do this?

It would be a great help if the commands used for this scenario were shown to me.

Thank you.

Panos Kampanakis Thu, 09/02/2010 - 10:17

The ASA needs sub-interfaces for the vlan command.

But as already suggested, if you put the 10 users and the ASA interface on the same VLAN on the switch, then the ASA will see all the user traffic. So if all the user ports and the ASA's inside port are access ports for VLAN x on the switch, then it will work.

I hope it is clear.

PK

suthomas1 Thu, 09/02/2010 - 20:19

Thanks, so will it be as below:

int gigabitethernet 0/1.1
 nameif temporary
 vlan 75
 security-level 75
 ip address 192.168.0.1 255.255.255.0

And all user ports will be on this VLAN. Correction is welcome if this is not correct.

Panos Kampanakis Thu, 09/02/2010 - 20:22

No.

What you showed there is only if you need this ASA port to be a trunk that passes many VLANs.

If you only want one VLAN on this interface, you just make the port that this interface connects to on the switch an access port that belongs to that VLAN.

I hope it is clear now.

PK
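The trunk-and-subinterface alternative PK refers to above, as an added example that is not part of the original thread: this is what you would configure instead of the access-port design if the ASA has to route more than one VLAN over the same physical link. VLAN numbers (75, 80, 999), interface names, port numbers and addresses are assumed for illustration. The switch side is IOS syntax, and the `switchport trunk encapsulation dot1q` line is only accepted on switches that also support ISL (leave it out on models that only speak 802.1Q). The ASA side assumes routed Gigabit ports as in the thread, not the built-in switch of a 5505.

```cisco
! ---- Switch side (IOS), assumed port numbering ----
! User ports stay plain access ports in their own VLAN.
interface GigabitEthernet0/1
 description userport VLAN 75
 switchport mode access
 switchport access vlan 75
!
interface GigabitEthernet0/2
 description serverport VLAN 80
 switchport mode access
 switchport access vlan 80
!
! The uplink to the ASA becomes an 802.1Q trunk. Allow only the VLANs the
! firewall is meant to route, refuse DTP negotiation, and move the native
! (untagged) VLAN to an unused number so that no untagged frame ends up in
! a routed VLAN.
interface GigabitEthernet0/24
 description Firewall trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 75,80
 switchport trunk native vlan 999
 switchport nonegotiate
!
! ---- ASA side ----
! The physical port carries no name, security level or address of its own;
! it only needs to be up. Untagged frames arriving here are dropped because
! no named interface claims them.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN: "vlan" binds the 802.1Q tag, and each one gets
! its own name, security level and gateway address for that subnet.
interface GigabitEthernet0/1.75
 vlan 75
 nameif users
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/1.80
 vlan 80
 nameif servers
 security-level 50
 ip address 192.168.80.1 255.255.255.0
```

Compare this with the accepted answer in this thread: with a single VLAN the switch uplink is an access port and the ASA physical interface is named and addressed directly, with no `vlan` command at all. Once the trunk design is in place, traffic between `users` and `servers` is inspected by the ASA and, because the two security levels differ, is allowed by default only from the higher level to the lower one unless an access list permits the reverse direction.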

Correct Answer
Nagaraja Thanthry Thu, 09/02/2010 - 20:24

Hello,

If, on the switch side, you have a single VLAN, then you do not need the subinterface.

On the switch side:

interface gigabitethernet 0/1
 description userport
 switchport access vlan 75
 exit

interface gigabitethernet 0/24
 description Firewall Inside
 switchport access vlan 75
 exit

On the firewall:

interface gi 0/1
 nameif temporary
 security-level 75
 ip address 192.168.0.1 255.255.255.0
 no shutdown
 exit

Hope this helps.

Regards,

NT
