Sub interface on ASA 5520

Unanswered Question
Nov 11th, 2010

Hi All,

I am trying to configure a subinterface on my ASA 5520 on the inside interface.  I have created the subinterface with VLAN 900 and an IP assignment of /24.

It is enabled.

But my core router can't see the interface.  So the question is this: if I use subinterfaces on my ASA, does it need to be trunked to my core router in order to pass more than one VLAN to and from the inside ASA port?

All of my other interfaces are labeled under VLAN as "Native".  I am looking at this through the ASDM at the moment.

What I want to do, and this might be more info than you need: I want to have a wireless AP connected to an L2 switch, trunked to another L2 switch, which is trunked to my L2/L3 core switch/router.

And then the core switch/router is connected through a VLAN (and physically) to the inside physical port on the ASA (no VLAN assigned other than the default).  The traffic on this VLAN 900 (the wireless access from the AP) needs to be pretty private from the AP to the ASA, and then allowed out to the Internet and back.

I was told, when posing this question in the Wireless forum, that it should be pretty easy to do by just assigning a new VLAN (this would be VLAN 900) to the radios and interface on the AP, then not setting up a VLAN interface for this new VLAN on the switches it passes through, but just setting VLAN 900 on each switch to make sure it trunks.  By doing this the IP wouldn't get routed at the core, but would instead pass through to the gateway, which would be the ASA on the subinterface.

Now this isn't working at the moment, but I have verified, by setting an int vlan 900 IP address on each switch along the way, that the traffic is making it from the AP through the trunks to the core.  I even had it pick up an IP address from a DHCP server (Windows server), so I know broadcast is working as well to the core.  What seems to be the issue is between the core and the ASA, so I suspect I have something missing, or a concept missing on my part.

Any suggestions and or help on this would be appreciated.


Kevin Pulford

Systems Administrator

Harmon City, Inc.

Federico Coto F... Thu, 11/11/2010 - 10:25

Hi Kevin,

What you said is correct:

> But my core router can't see the interface.  So the question is this: if I use subinterfaces on my ASA, does it need to be trunked to my core router in order to pass more than one VLAN to and from the inside ASA port?

When you configure the physical interface on the ASA to use subinterfaces, the physical interface becomes a trunk.

The connection to the router should be a trunk in order for the router to see the IP appropriately.

Let us know if you need any help with this.


kpulford123 Thu, 11/11/2010 - 10:47

Thank you both for your time and responses.

That makes some sense.  Now the trick is to get this done without dropping many packets. :-)

So does the ASA trunking set up like a switch or router trunk, where I have to set the switchport mode trunk and then the switchport trunk native and the VLAN I want untagged traffic on?  In this case the assigned VLAN for the traffic between the ASA and the core is VLAN 251 already, so I could just use that as the native trunk VLAN.

I ask this because when I kicked the 2950 switch into trunk so I could trunk to the AP (Cisco 1252), I didn't have to do anything on the AP at all to make it use the trunk.  If the ASA would work this way then I could do this with minimal loss and have it work.  If I have to set up the trunk on the inside port first, it will lose connection to the core until I get that side fixed up as well.  Won't it?

So again, my core is already set up to use VLAN 251, along with a physical connection directly to the ASA inside physical port.  But it is not set to trunk on either side currently.

So perhaps on the core (3750 switch) I would go:

conf t
int gi 1/0/22
switchport trunk native vlan 251
switchport mode trunk

and perhaps

switchport trunk encapsulation dot1q

Is that correct?

Then on the ASA side, would I need to do pretty much the same thing?

The inside port is gi 0/1.

Or will it automatically try to negotiate the trunk once the port the ASA is connected to is put into trunk mode?

Again, I really appreciate all of your help and suggestions.


Kevin Pulford

Federico Coto F... Thu, 11/11/2010 - 10:58


As soon as you configure subinterfaces on the ASA, the physical interface becomes a trunk.

This means that there's no additional trunking configuration needed on the ASA side.

Just make sure that the other end of the connection (router/switch) is configured correctly to trunk to the ASA and not having native VLAN mismatches.


kpulford123 Thu, 11/11/2010 - 11:23

Thank you so much for your time and response.

So that brings up a good point about the vlan mismatches.

Since the VLAN traffic was for routing and broadcast on the core originally, the only thing that was tying our core to the ASA was that the IP range was the same.  (Only 2 things in there at the moment.)

So when I add the subinterface gi 0/1.900, gi 0/1 is still showing up as the native VLAN, but doesn't have VLAN 251 showing.  VLAN 251 is the VLAN between the ASA and the core.

So the question is: do I need to add a subinterface on the ASA for the VLAN 251 traffic and assign it a security level of 100, to mimic the way it was working before needing to add this subinterface?  Or, when I trunk on the core and use VLAN 251 as the native trunk VLAN, will that be okay?

By the way, this new subinterface has a security level of just 10, which, if I understand this correctly, will prevent anyone on the security level 10 interface from getting to my security level 100 interface, but still allow it out my outside port on the ASA, which is security level 0.  Is that correct?

So again, my main question is: do I need to add a second subinterface to get all of my main traffic out the ASA?  Or will the native VLAN of 251 (which is the current VLAN, not configured explicitly on the ASA) handle all of the traffic out the gi 0/1 interface, once trunked as native on the core, and just segment VLAN 900 on gi 0/1.900 (my security level 10 subinterface on the ASA) as the more secure interface at the ASA?

I really appreciate your time and all of your help with this.


Kevin Pulford

Kureli Sankar (Cisco Employee) Thu, 11/11/2010 - 11:43


You are making this too complicated.

conf t
int gi 1/0/22
switchport trunk native vlan 251  ----------> remove this
switchport mode trunk
switchport trunk allowed vlan x,y,z

where x,y,z are all the VLANs that you have configured for the subinterfaces on the firewall.

The main interface on the firewall should not be configured with a nameif or ip address.

Just configure the subinterfaces like any other interface on the firewall.  It doesn't matter what security level they have.

If you want the native VLAN 251 on the firewall, configure another port on the switch for switchport mode access and put it on that VLAN, and use a completely different port on the firewall and plug that into this switchport that you configured for the native VLAN.
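The two replies above (the physical ASA interface becomes a trunk once it has subinterfaces, and the switch end must allow exactly those tagged VLANs with no native-VLAN mismatch) reduce to a handful of checks that can be run against both configs before the cutover. The script below is an added example, not code from this thread or from Cisco: it parses a 3750 switchport and an ASA interface section in the usual IOS/ASA text form and reports the mismatches discussed here. The interface names, VLAN numbers, nameifs and addresses in the embedded configs are constructed for illustration.

```python
"""Check a switch trunk port against ASA subinterfaces for the mistakes
discussed in the thread: a subinterface VLAN the trunk does not allow, a VLAN
sent untagged (native) by the switch but expected tagged on an ASA subinterface,
and a physical ASA interface that still carries nameif/ip alongside subinterfaces.
All names, VLANs and addresses below are assumptions, not from the thread."""
import re

# Constructed switch config following the advice in the thread: plain trunk,
# no native-VLAN override, only the subinterface VLANs allowed.
SWITCH_CFG_OK = """\
interface GigabitEthernet1/0/22
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 251,900
 switchport mode trunk
"""

# Constructed switch config as first proposed: VLAN 251 leaves untagged as native.
SWITCH_CFG_NATIVE_251 = """\
interface GigabitEthernet1/0/22
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 251
 switchport mode trunk
"""

# Constructed ASA config: bare physical interface, one subinterface per VLAN.
ASA_CFG = """\
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.251
 vlan 251
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1.900
 vlan 900
 nameif wireless
 security-level 10
 ip address 198.51.100.1 255.255.255.0
"""


def parse_interfaces(cfg):
    """Return {interface name: [indented config lines]} for IOS/ASA-style text."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":                       # top-level command
            m = re.match(r"interface (\S+)", raw)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(raw.strip())
    return blocks


def expand_vlans(spec):
    """'251,900-902' -> {251, 900, 901, 902}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def switch_trunk(cfg, port):
    """Trunk settings of one switchport, with IOS defaults (native 1, all VLANs allowed)."""
    trunk = {"mode": "access", "native": 1, "allowed": set(range(1, 4095))}
    for line in parse_interfaces(cfg).get(port, []):
        if m := re.match(r"switchport mode (\S+)", line):
            trunk["mode"] = m.group(1)
        elif m := re.match(r"switchport trunk native vlan (\d+)", line):
            trunk["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)", line):
            trunk["allowed"] = expand_vlans(m.group(1))
    return trunk


def asa_subinterfaces(cfg, phys):
    """Return (physical interface still has nameif/ip, {vlan: nameif of subinterface})."""
    blocks = parse_interfaces(cfg)
    phys_named = any(l.startswith(("nameif ", "ip address ")) for l in blocks.get(phys, []))
    subs = {}
    for name, lines in blocks.items():
        if name.startswith(phys + "."):
            vlan = next((int(l.split()[1]) for l in lines if l.startswith("vlan ")), None)
            nameif = next((l.split()[1] for l in lines if l.startswith("nameif ")), name)
            if vlan is not None:
                subs[vlan] = nameif
    return phys_named, subs


def check_trunk(switch_cfg, port, asa_cfg, phys):
    """Return a list of problems; an empty list means the two ends agree."""
    trunk = switch_trunk(switch_cfg, port)
    phys_named, subs = asa_subinterfaces(asa_cfg, phys)
    problems = []
    if trunk["mode"] != "trunk":
        problems.append(f"{port} is not 'switchport mode trunk'; tagged VLANs will not reach the ASA")
    if phys_named:
        problems.append(f"{phys} has subinterfaces but still carries nameif/ip address; move them to a subinterface")
    for vlan, nameif in sorted(subs.items()):
        if vlan == trunk["native"]:
            problems.append(f"vlan {vlan} is native on {port}, so it leaves untagged and never matches '{nameif}'")
        elif vlan not in trunk["allowed"]:
            problems.append(f"vlan {vlan} ('{nameif}') is not in the allowed list on {port}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("as advised", SWITCH_CFG_OK), ("native vlan 251", SWITCH_CFG_NATIVE_251)):
        print(label + ":", check_trunk(cfg, "GigabitEthernet1/0/22", ASA_CFG, "GigabitEthernet0/1") or ["ok"])
```

Run stand-alone it reports no problems for the switch config that follows the advice above, and flags the original proposal: with `switchport trunk native vlan 251` the switch sends VLAN 251 untagged, while the ASA's `GigabitEthernet0/1.251` only matches frames tagged 251, so the inside traffic would dead-end on the physical interface. The same check catches the other cutover mistakes mentioned in the thread (a missing entry in the allowed list, or nameif/ip address left on the physical interface), which matters here because the inside subinterface is also the management path.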


kpulford123 Thu, 11/11/2010 - 12:09

Thank you for your response.

Okay, so I don't need to use the native VLAN 251 on the inside interface connected to the 3750.  It looks like the answer to part of my question is that, yes, I need to create a subinterface for each VLAN I am passing to the ASA from the core (3750).

Currently that will be just 2, so that won't be a big deal.  However, the big deal will be that my management and inside interfaces are the same currently; it's the way our consultant set this up.  So when I create the subinterface for VLAN 251 and give it an IP address, I will most likely lose connectivity to my ASA.  I can work around this with a console cable.

So then I put the physically attached 3750 port into trunk mode and just allow the 2 VLANs?

So on the subinterfaces on the ASA, that's where I set up my security level, is that right?  Instead of having it on the primary ASA interface.

One last question.  If I don't use the "native vlan" statement, will I still be able to manage my ASA from the inside subinterface for VLAN 251?

Please keep in mind that our consultant set up this ASA with the internal interface as the management interface as well.  So it would be bad if I were to lose management ability to the ASA for more than the time it takes to set up the trunk.

Thank you for your time and help with this I appreciate it.


Kevin Pulford
