Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Multiple Subnets through ASA

I need to configure a firewall to allow several subnets/vlans through it. I'm having trouble figuring out a way for all of the subnets on one side to go through the ASA.

 

Here is the situation

 

RouterA P2P-> RouterB -> ASA -> L2Switch

 

L2Switch has VLANS 187-199

 

I'm using an ASA5515-X that only has 6 interfaces so i obviously can't have all these subnets connected.

I tried transparent mode but can only have up to 8 BVI's.

 

Am i over thinking this?

10 REPLIES
Cisco Employee

Hi,Have you thought about Sub

Hi,

Have you thought about Sub Interfaces:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html#wp1082576

Thanks and Regards,

Vibhor Amrodia

New Member

I have done subinterfaces but

I have done subinterfaces but i must be over complicating it.

 

So the L2 switch has it's usual VLANs, then on the inside interface of the ASA i set up subinterfaces with a transition VLAN, then the outside interface of the firewall is the routers uplink port?

 

I'm going to make a visio of how i invision this going down and upload it here.

Hall of Fame Super Silver

If you internal switch is

If you internal switch is only L2 then yes you use subinterfaces.

You need a trunk port from the switch to the ASA so that it tags all of the VLAN traffic destined for each subinterface on the ASA.

New Member

I think i understand now.

I think i understand now. Something like this?

 

 

Hall of Fame Super Silver

The suggestion I made was for

The suggestion I made was for an ASA in routed mode - not transparent.

98% of the ASA installations I have seen (and I've seen several hundred) are routed mode.

New Member

Ok. Does the outside

Ok. Does the outside interface need to be trunked as well or no? I understand that the Inside interface needs to be set up with subinterfaces which essentially turns the inside interface into a trunk. But what about the outside interface? 

 

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.187
 vlan 187
 nameif Inside-187
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.188
 vlan 188
 nameif Inside-188
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.189
 vlan 189
 nameif Inside-189
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.190
 vlan 190
 nameif Inside-190
 security-level 100
 no ip address

No, the outside interface

No, the outside interface would be not trunked.  But the upstream router would need to send all the various subnets to the ASA, and if there is any inbound traffic the ACL's on the outside interface would have to permit it.

-- Jim Leinweber, WI State Lab of Hygiene

Hall of Fame Super Silver

As Jim correctly noted, there

As Jim correctly noted, there's no trunk necessary upstream.

Routing needs to work as needed - typically we NAT on the firewall to either the interface address (dynamic PAT)  or to specific addresses in the outside subnet (static NAT). In either of those cases the upstream router never sees the inside subnets - only the addresses on the connected interface whose subnet it shares with the ASA's outside interface. 

In routed mode, your interfaces need to have IP addresses.

Hall of Fame Super Silver

We typically make a transit

We typically make a transit VLAN between the switch and the ASA. It has only two L3 addresses - the switch SVI for that VLAN and the ASA inside interface.

You then either run a routing protocol (OSPF or EIGRP) to learn the routes dynamically or else the switch has the ASA address as its default gateway and the ASA has routes (or a summarized route) for the subnets pointing towards the switch.

VIP Green

I agree with Vibhor, you need

I agree with Vibhor, you need to setup subinterfaces on the ASA and allocate each subinterface to its respective VLAN.  The interface on the L2switch which connects to the ASA should be configured as a trunk interface.

That should sort you out.

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
216
Views
0
Helpful
10
Replies