Cisco Support Community

New Member

asa virtual lan

I have an ASA to which a switch will be attached. This switch will have multiple end-user ports, but all on the same VLAN, so I have to create a VLAN on the ASA port which will attach to the layer 2 switch.

How do I create this VLAN scene? Is a subinterface the only possible way?

Thank you for your help.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: asa virtual lan

Hello,

If, on the switch side, you have a single VLAN, then you do not need the subinterface.

On the switch side:

interface gigabitethernet 0/1
 description userport
 switchport access vlan 75
 exit

interface gigabitethernet 0/24
 description Firewall Inside
 switchport access vlan 75
 exit

On the firewall:

interface gi 0/1
 nameif temporary
 security-level 75
 ip address 192.168.0.1 255.255.255.0
 exit

Hope this helps.

Regards,

NT

6 REPLIES
Cisco Employee

Re: asa virtual lan

Since ASA will be the L3 hop, you would need to create ASA physical interface in the same VLAN as the users VLAN. Just connect the ASA inside interface to the switch port and assign the switch port the same VLAN as the user VLAN. All users and ASA inside interface will then be in the same VLAN and subnet, and ASA will be the default gateway for your users.

New Member

Re: asa virtual lan

Would the normal vlan command work on the ASA for this, or is there another way to do this?

It would be a great help if the commands used for this scene were shown to me.

thank you.

Cisco Employee

Re: asa virtual lan

The ASA needs sub-interfaces for the vlan command.

But as already suggested, if you put 10 users and the ASA interface on the same VLAN on the switch, then the ASA will see all the user traffic. So if all the users' ports and the ASA's inside port are access ports for VLAN x on the switch, then it will work.

I hope it is clear.

PK

New Member

Re: asa virtual lan

Thanks, so will it be as below:

int gigabitethernet 0/1.1
 nameif temporary
 vlan 75
 security-level 75
 ip address 192.168.0.1 255.255.255.0

And all user ports will be on this VLAN. Correction is welcome if this is not correct.

Cisco Employee

Re: asa virtual lan

No.

What you showed there is only needed if this ASA port has to be a trunk that passes many VLANs.

If you only want one VLAN on this interface, you just make the switch port that this interface connects to an access port that belongs to that VLAN on the switch.

I hope it is clear now.

PK
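
The access-port versus trunk/subinterface distinction discussed in this thread can be checked mechanically before a change goes in. The script below is an added example, not code from any poster or from Cisco: it parses interface stanzas from constructed switch and ASA snippets modelled on the thread and reports when the two ends of the link disagree. The function names are hypothetical, and it assumes a trunk always faces tagged ASA subinterfaces (native-VLAN designs are not modelled).

```python
# Constructed samples, modelled on the configurations posted in this thread.
SWITCH_ACCESS = """
interface gigabitethernet 0/24
 description Firewall Inside
 switchport access vlan 75
"""
ASA_PHYSICAL = """
interface gigabitethernet 0/1
 nameif temporary
 ip address 192.168.0.1 255.255.255.0
"""
ASA_SUBIF = "interface gigabitethernet 0/1.1\n vlan 75\n nameif temporary\n"

def parse_stanzas(config):
    """Map each interface name (spaces removed, lowercased) to its sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        if line.startswith("interface "):
            current = line.split(None, 1)[1].replace(" ", "")
            stanzas[current] = []
        elif line in ("exit", "!"):
            current = None
        elif line and current is not None:
            stanzas[current].append(line)
    return stanzas

def check_link(switch_cfg, switch_port, asa_cfg, asa_port):
    """Return a list of mismatches on the switch_port <-> asa_port link."""
    sw = parse_stanzas(switch_cfg).get(switch_port, [])
    asa = parse_stanzas(asa_cfg)
    is_trunk = "switchport mode trunk" in sw
    access_vlan = next((int(c.split()[-1]) for c in sw
                        if c.startswith("switchport access vlan ")), 1)
    # ASA subinterfaces of asa_port that carry an 802.1Q tag ("vlan N")
    tagged = {name: int(c.split()[1]) for name, cmds in asa.items()
              if name.startswith(asa_port + ".")
              for c in cmds if c.startswith("vlan ")}
    problems = []
    if is_trunk and not tagged:
        problems.append("switch port is a trunk, ASA has no tagged subinterface")
    for name, vlan in ([] if is_trunk else tagged.items()):
        problems.append(f"access port (VLAN {access_vlan}) faces ASA "
                        f"subinterface {name} tagging VLAN {vlan}")
    if not is_trunk and not tagged and not any(
            c.startswith("nameif ") for c in asa.get(asa_port, [])):
        problems.append("physical ASA interface has no nameif")
    return problems
```

Interface names are passed in the normalised form the parser produces, for example "gigabitethernet0/24" and "gigabitethernet0/1".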
