Hi,Have you thought about Sub

Andrew Clark · ‎10-10-2014

I need to configure a firewall to allow several subnets/vlans through it. I'm having trouble figuring out a way for all of the subnets on one side to go through the ASA.

Here is the situation

RouterA P2P-> RouterB -> ASA -> L2Switch

L2Switch has VLANS 187-199

I'm using an ASA5515-X that only has 6 interfaces so i obviously can't have all these subnets connected.

I tried transparent mode but can only have up to 8 BVI's.

Am i over thinking this?

Vibhor Amrodia · ‎10-10-2014

Hi,

Have you thought about Sub Interfaces:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html#wp1082576

Thanks and Regards,

Vibhor Amrodia

Andrew Clark · ‎10-13-2014

I have done subinterfaces but i must be over complicating it.

So the L2 switch has it's usual VLANs, then on the inside interface of the ASA i set up subinterfaces with a transition VLAN, then the outside interface of the firewall is the routers uplink port?

I'm going to make a visio of how i invision this going down and upload it here.

Marvin Rhoads · ‎10-13-2014

If you internal switch is only L2 then yes you use subinterfaces.

You need a trunk port from the switch to the ASA so that it tags all of the VLAN traffic destined for each subinterface on the ASA.

Andrew Clark · ‎10-13-2014

I think i understand now. Something like this?

Marvin Rhoads · ‎10-13-2014

The suggestion I made was for an ASA in routed mode - not transparent.

98% of the ASA installations I have seen (and I've seen several hundred) are routed mode.

Andrew Clark · ‎10-13-2014

Ok. Does the outside interface need to be trunked as well or no? I understand that the Inside interface needs to be set up with subinterfaces which essentially turns the inside interface into a trunk. But what about the outside interface?

interface GigabitEthernet0/0
nameif outside
security-level 0
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.187
vlan 187
nameif Inside-187
security-level 100
no ip address
!
interface GigabitEthernet0/1.188
vlan 188
nameif Inside-188
security-level 100
no ip address
!
interface GigabitEthernet0/1.189
vlan 189
nameif Inside-189
security-level 100
no ip address
!
interface GigabitEthernet0/1.190
vlan 190
nameif Inside-190
security-level 100
no ip address

James Leinweber · ‎10-13-2014

No, the outside interface would be not trunked. But the upstream router would need to send all the various subnets to the ASA, and if there is any inbound traffic the ACL's on the outside interface would have to permit it.

-- Jim Leinweber, WI State Lab of Hygiene

Marvin Rhoads · ‎10-13-2014

As Jim correctly noted, there's no trunk necessary upstream.

Routing needs to work as needed - typically we NAT on the firewall to either the interface address (dynamic PAT) or to specific addresses in the outside subnet (static NAT). In either of those cases the upstream router never sees the inside subnets - only the addresses on the connected interface whose subnet it shares with the ASA's outside interface.

In routed mode, your interfaces need to have IP addresses.

Marvin Rhoads · ‎10-10-2014

We typically make a transit VLAN between the switch and the ASA. It has only two L3 addresses - the switch SVI for that VLAN and the ASA inside interface.

You then either run a routing protocol (OSPF or EIGRP) to learn the routes dynamically or else the switch has the ASA address as its default gateway and the ASA has routes (or a summarized route) for the subnets pointing towards the switch.

Marius Gunnerud · ‎10-13-2014

I agree with Vibhor, you need to setup subinterfaces on the ASA and allocate each subinterface to its respective VLAN. The interface on the L2switch which connects to the ASA should be configured as a trunk interface.

That should sort you out.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Multiple Subnets through ASA