Solved: asa virtual lan

suthomas1 · ‎09-02-2010

i have an asa to which a switch will be attached. this switch wil have multiple end user ports but all on same vlan, so i have to create vlan on asa port which will attach to the layer2 switch.

how do i create this vlan scene. is subinterface the only possible way.

thank you for help.

Nagaraja Thanthry · ‎09-02-2010

Hello,

If, on the switch side you have a single VLAN, then you do not need the

subinterface.

On the switch side:

interface gigabitethernet 0/1

Description userport

switchport access vlan 75

exit

interface gigabitethernet 0/24

Description Firewall Inside

switchport access vlan 75

exit

On the firewall:

interface gi 0/1

nameif temporary

security-level 75

ip address 192.168.0.1 255.255.255.0

Exit

Hope this helps.

Regards,

NT

View solution in original post

Jennifer Halim · ‎09-02-2010

Since ASA will be the L3 hop, you would need to create ASA physical interface in the same VLAN as the users VLAN. Just connect the ASA inside interface to the switch port and assign the switch port the same VLAN as the user VLAN. All users and ASA inside interface will then be in the same VLAN and subnet, and ASA will be the default gateway for your users.

suthomas1 · ‎09-02-2010

would normal vlan command work on asa for this or there is other way to do this.

it will be great help if commands used for this scene is shown for me .

thank you.

Panos Kampanakis · ‎09-02-2010

The ASA needs sub-interfaces for the clan command).

But as already suggested if you put 10 users and the ASA interfaces on the same vlans on the switch then the ASA will see all the user traffic. So having all ports of the users and the ASA's inside are access ports for vlan x on the switch then it will work.

I hope it is clear.

PK

suthomas1 · ‎09-02-2010

thanks, so will it be as below:

int gigabitethernet 0/1.1

nameif temporary

vlan 75

security-level 75

ip address 192.168.0.1 255.255.255.0

and all user ports will be on this vlan . correction is welcome, if this is not correct.

Panos Kampanakis · ‎09-02-2010

No.

What you showed there is only if you need this ASA port to be a trunk that passes many vlans.

If you only want one vlan on this interface you just make the port that this interface connects to on the switch a an access port that belongs to that vlans on the switch.

I hope it is clear now.

PK

Nagaraja Thanthry · ‎09-02-2010

Hello,

If, on the switch side you have a single VLAN, then you do not need the

subinterface.

On the switch side:

interface gigabitethernet 0/1

Description userport

switchport access vlan 75

exit

interface gigabitethernet 0/24

Description Firewall Inside

switchport access vlan 75

exit

On the firewall:

interface gi 0/1

nameif temporary

security-level 75

ip address 192.168.0.1 255.255.255.0

Exit

Hope this helps.

Regards,

NT