ASA 5510 with two subnets behind 'inside' interface?

Albert Succar
Level 1

Hi All,

We currently have an ASA 5510 sitting in front of a Catalyst 2960 unmanaged switch.  Would it be possible to assign multiple subnets to the inside interface of the ASA without the need to purchase more equipment (an additional router)?  I ask because we are in the process of changing our internal subnet and we would like to do so with minimal downtime.  So allowing us to have both networks up and slowly transitioning everything to the new subnet would be our best approach.  All help/suggestions are appreciated.  Thank you in advance!

Accepted Solution

Sure it is possible.

You just need to create subinterfaces on the ASA and place those subinterfaces in their respective VLANs.  You also need to trunk the port on the 2960 which connects to the ASA to allow the VLANs to pass over the link.

int gig0/1
no shut

! One subinterface per VLAN; the "vlan" line sets the 802.1Q tag
int gig0/1.10
vlan 10
security-level 100
nameif inside1
ip address 10.10.10.1 255.255.255.0

int gig0/1.20
vlan 20
security-level 100
nameif inside2
ip address 20.20.20.1 255.255.255.0

! inside1 and inside2 share security-level 100, so traffic between the old
! and new subnets needs the inter-interface permit. "intra-interface" only
! allows traffic to enter and leave the same interface (hairpinning).
same-security-traffic permit inter-interface

As simple as that :-)  Also remember to configure NAT and any required ACLs for the interfaces.  If you require help with these, just let us know.

--

Please remember to select a correct answer and rate helpful posts


8 Replies


Thank you for clarifying that for me.  Currently, here is our inside interface: 

interface Ethernet0/1
 nameif NJinternalIPs
 security-level 100
 ip address 192.168.1.2 255.255.255.0 

As you can see, no VLAN was setup for this interface.  If I was to go with your approach, would I need to create 2 new sub-interfaces with their own associated VLAN?  Or could I leave the existing interface and create 1 sub-interface with its own VLAN?  I hope I worded that question correctly.  

I have never tested this, so I might do so soon :-).  I am not sure if the main interface will be tagged with the native VLAN... So to be on the safe side, I would suggest creating subinterfaces for both VLANs.

--

Please remember to select a correct answer and rate helpful posts


Based on what I've been reading, this may be the best approach.

There are several switches behind the 2960 switch.  Would any configuration need to be done on these switches as well?  Or would I just need to trunk the port going from the 2960 to the ASA?


You would just need to make sure that all the required VLANs are trunked to the 2960 switch connected to the ASA and that these same VLANs are also trunked to the ASA, and that the ASA has a subinterface for each VLAN.

And it should go without saying that each subinterface on the ASA will be the default gateway for hosts in its respective VLAN.

--

Please remember to select a correct answer and rate helpful posts


Thank you for your help. As you can tell, I'm fairly new to this process so please bear with me.

If I understand you correctly, all switches behind the 2960 do not need to be adjusted.  Host traffic will flow through these switches and hit the 2960.  The port going from 2960 to ASA will be trunked and the ASA will have the sub-interfaces configured for each VLAN.

Will I also need to create these VLANs on the switch itself?  Again, sorry for the stupid questions.  I am trying to get a good understanding before moving forward.

Not to worry, there are no stupid questions :-)

The VLANs will need to be configured on all the switches, and all the ports that connect between the switches need to be trunked.  This is important, otherwise the VLAN traffic will not be transported to the next switch.  It is possible that this is already done.

int gig0/1
description "Link between switches"
! On switches that support ISL as well as 802.1Q, the encapsulation must be
! set before the port is put into trunk mode. A 2960 only does 802.1Q and
! rejects the encapsulation command, so omit that line on that platform.
switchport trunk encapsulation dot1q
switchport mode trunk


--

Please remember to select a correct answer and rate helpful posts

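As an added check that is not part of this thread: a small Python script that cross-checks the VLANs tagged on an ASA's subinterfaces against each switch's VLAN database and trunk allowed-lists, so a VLAN that was never created on a downstream switch, or was pruned from an inter-switch trunk, is caught before the cutover. The ASA and switch configs are constructed samples, not the poster's configuration.

```python
# Constructed sample configs for this example (not taken from the thread).
ASA_CONFIG = """\
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside1
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside2
"""
SWITCH_CONFIGS = {"core-2960": """\
vlan 10
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10
"""}

def blocks(cfg):
    """Split a Cisco-style config into (header, [indented body lines]) pairs."""
    out = []
    for line in cfg.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip():
            out.append((line.strip(), []))
    return out

def asa_vlans(cfg):
    """VLAN ids tagged on ASA subinterfaces (the 'vlan N' line under 'interface X.N')."""
    return {int(b.split()[1]) for h, body in blocks(cfg) if "." in h
            for b in body if b.startswith("vlan ")}

def check_switch(name, cfg, vlans):
    """Flag ASA VLANs the switch does not define or prunes from a trunk port."""
    parsed = blocks(cfg)
    defined = {int(h.split()[1]) for h, _ in parsed if h.startswith("vlan ")}
    findings = [f"{name}: VLAN {v} not defined" for v in sorted(vlans - defined)]
    for header, body in parsed:
        allowed = [b for b in body if b.startswith("switchport trunk allowed vlan ")]
        if "switchport mode trunk" in body and allowed:
            # Comma-separated lists only; ranges such as 10-20 are not expanded here.
            ids = {int(x) for x in allowed[-1].split()[-1].split(",")}
            findings += [f"{name}: {header} prunes VLAN {v}" for v in sorted(vlans - ids)]
    return findings

def audit(asa_cfg=ASA_CONFIG, switches=SWITCH_CONFIGS):
    """Cross-check every switch against the ASA and return the findings."""
    vlans = asa_vlans(asa_cfg)
    return [f for n, c in switches.items() for f in check_switch(n, c, vlans)]
```

Run `audit()` against the output of `show running-config` from each switch; an empty list means every ASA VLAN exists on every switch and is carried on every trunk that restricts its allowed list.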

Thank you!  You have been a great help!
