Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4862
Views
5
Helpful
5
Replies

ASA5520- VLANs and Subinterfaces

Go to solution
siddhartham
Level 4
Level 4

‎08-21-2012 03:06 PM - edited ‎03-11-2019 04:44 PM

ASA's G0/2 interface is connected to G0/1 interface of a 3560G switch in DMZ, below is the config and diagram

ASA config

interface GigabitEthernet0/2

description  DMZ

nameif dmz

security-level 90

ip address 192.168.0.1 255.255.255.0

Switch Config

int g0/1

switchport mode trunk

switchport trunk encapsulation dot1q

int vlan 1

ip add 192.168.0.100 255.255.255.0

We are running out of IPs in 192.168.0.X network and planning on creating subinterfaces on the ASA and trunk it to the switch so that we can have multiple VLANs in DMZ. Tried the below config in LAB but that didn't work, can you have a look at it and let me know if I miss anything.

No change on the switch config since G0/1 is already a trunk port.

ASA Config

interface GigabitEthernet0/2

description Trunk to DMZ networks

no nameif dmz

no security-level 90

no ip address 192.168.0.1 255.255.255.0

interface GigabitEthernet0/2.1

description DMZ

vlan 1

nameif dmz

security-level 90

ip address 192.168.0.1 255.255.255.0

interface GigabitEthernet0/2.100

description NEW-DMZ

vlan 100

nameif NEW-dmz

security-level 90

ip address 192.168.100.1 255.255.252.0

If I change the VLAN on the switch from 1 to a different VLAN, say VLAN 50 for example, and configure the ASA accrodingly its working fine.

Siddhartha       

Siddhartha
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to siddhartham

‎08-22-2012 09:48 AM

Hello Sidd,

Can you change the native vlan on the trunk  as 1 is the default

interface G0/1

switchport trunk encapsulation dot1q

switchport trunk native vlan 99

no spanning-tree portfast ( I do not recommend this command at all unless you are connecting it to a server and I still will not use it)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

5 Replies 5

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎08-21-2012 04:36 PM

Hello Sidd,

So if you do "sh run interface" you do not see any configuration on the physical interface of the ASA, only on it's interfaces.

Please let me know that,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
siddhartham
Level 4
Level 4
In response to Julio Carvajal

‎08-22-2012 08:20 AM

Hi Julio,

Thanks for the reply. Yes you are right, no config on the physcial inteface only on the sub interfaces. Below are the sh runs from the firewall and the switch

ASA

interface GigabitEthernet0/2

description Trunk to DMZ networks

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2.1

description DMZ

vlan 1

nameif dmz

security-level 90

ip address 192.168.0.1 255.255.255.0

!

interface GigabitEthernet0/2.100

description NEW-DMZ

vlan 100

nameif NEW-dmz

security-level 90

ip address 192.168.100.1 255.255.252.0

Switch

!

interface G0/1

switchport trunk encapsulation dot1q

switchport mode trunk

spanning-tree portfast

end

DMZ-A#sh run int vlan 1

Building configuration...

Current configuration : 63 bytes

!

interface Vlan1

ip address 192.168.0.100 255.255.255.0

end

DMZ-A#sh run int vlan 100

Building configuration...

Current configuration : 67 bytes

!

interface Vlan100

ip address 192.168.100.100 255.255.252.0

end

only VLAN1 is not working, VLAN100 is working fine. I configured VLAN 100 on the switch and was able to ping the VLAN 100 ip(192.168.100.100) from the ASA but can't ping VLAN 1  IP

ASA/# ping 192.168.100.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.100.100, timeout is 2 seconds:

?!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

ASA# ping 192.168.0.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.100, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Siddhartha

Siddhartha
0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to siddhartham

‎08-22-2012 09:48 AM

Hello Sidd,

Can you change the native vlan on the trunk  as 1 is the default

interface G0/1

switchport trunk encapsulation dot1q

switchport trunk native vlan 99

no spanning-tree portfast ( I do not recommend this command at all unless you are connecting it to a server and I still will not use it)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
siddhartham
Level 4
Level 4
In response to Julio Carvajal

‎08-22-2012 10:04 AM

Thanks Julio. Its working, I missed that part.

Siddhartha

Siddhartha
0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to siddhartham

‎08-22-2012 10:34 AM

Hello Sid,

Sure my pleasure.

If you wanted to allow traffic from the native vlan you will need to have a nameif on the physical interface

Glad I could help.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card