03-26-2008 01:57 PM - edited 03-11-2019 05:22 AM
Hi.. I really need help. I have an ASA 5540 and I need to configure its outside interface to communicate with two different routers with IP addresses 200.184.x.x and 172.16.x.x. The ASA outside interface is plugged into a HUB and the routers are too. The ASA outside IP is 200.184.x.x and I need to make it communicate with the other router, 172.16.x.x. Please, how can I do that?
03-27-2008 02:31 AM
Unless you create a logical interface under your outside physical interface.
03-27-2008 02:35 AM
To create subinterfaces on an appliance, you can use the interface command followed by the interface name and the subinterface number, as shown in the following syntax:
interface physical_interface.subinterface
Here, physical_interface is the actual physical interface and subinterface is an integer between 1 and 4,294,967,295. Example 4-13 demonstrates how to create a subinterface 300 on GigabitEthernet0/0.
Example 4-13. Creating a Subinterface
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
Once you have created a subinterface, the next step is to associate the interface with a unique VLAN identity. Assign a VLAN ID by using the vlan subinterface configuration command followed by the actual VLAN ID, which ranges between 1 and 4096. In Example 4-14, the administrator has linked GigabitEthernet0/0.300 to vlan 300. Although the subinterface number and the VLAN ID do not have to match, it is a good practice to use the same number for ease of management.
Example 4-14. Associating a VLAN ID to a Subinterface
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
Chicago(config-if)# vlan 300
Caution
If the main physical interface is shut down, all the associated subinterfaces are disabled as well.
The subinterface is configured identically to a physical interface, using the nameif, security-level, and ip address commands. It does not, however, allow the use of speed and duplex commands, discussed in the previous section. Example 4-15 shows a subinterface GigabitEthernet0/0.300 configuration that is set up as a DMZ interface with the security level 30 and an IP address of 192.168.20.1/24 in VLAN 300.
Example 4-15. Configuring Subinterface Parameters
Chicago# configure terminal
Chicago(config)# interface GigabitEthernet0/0.300
Chicago(config-if)# vlan 300
Chicago(config-if)# nameif DMZ
Chicago(config-if)# security-level 30
Chicago(config-if)# ip address 192.168.20.1 255.255.255.0
Note
Even after creating the subinterfaces, a security appliance can still pass untagged traffic over the physical interface if the nameif, security-level, and ip address commands are configured.
03-27-2008 04:43 AM
OK, but I did it and I still can't ping the router interface 172.16.x.x, and the ASA doesn't show me any log error. I think it's because I'm setting a VLAN ID on the subinterface. My interface configurations are:
interface GigabitEthernet0/1
 nameif WAN
 security-level 0
 ip address 200.184.0.1 255.255.255.0
interface GigabitEthernet0/1.1
 vlan 1
 nameif CLIENT
 security-level 0
 ip address 172.16.0.1 255.255.255.0
See the attachment too.
Please help me
Thanks
03-27-2008 07:38 AM
"The ASA outside interface is plugged on a HUB and the routers too."
This will NOT work unless you connect the ASA to a switch that is capable of doing 802.1Q. I guess whoever gave you this advice did not read the thread carefully.
If you want this to work and you do NOT have a switch, replace the ASA with either another router or a Nokia appliance running Checkpoint and it will work. Routers and Nokia appliances have the ability to do secondary IP addresses.
CCIE Security
03-27-2008 07:47 AM
OK. Now I have a 2950 switch between the ASA and the routers. The ASA is on port 1, the router with IP 200.184.x.x on port 2, and the other router with IP 172.16.x.x on port 3.
The 2950 configuration is:
interface FastEthernet0/1
description *connected to ASA*
interface FastEthernet0/2
description INTERNET
interface FastEthernet0/3
description CLIENT
What should I do to make it work?
Thanks
03-27-2008 08:28 AM
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan all
 speed 100
 duplex full
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 1
 speed auto
 duplex auto
 no shutdown
 spanning-tree portfast
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 2
 speed auto
 duplex auto
 no shutdown
 spanning-tree portfast
Now set up your ASA device as you did before; the ASA should be able to communicate with the routers.
CCIE Security
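As an added check that is not part of this thread or of any Cisco tool: a small Python script that parses the ASA interface config and the 2950 port config posted above (re-typed here as constructed sample input, with the switch command abbreviations expanded) and reports which ASA interface the frames from each switch access port will reach. It applies only the rule from the book note quoted earlier in the thread: untagged frames are handled by the physical interface when it has nameif and ip address, tagged frames by the subinterface whose VLAN ID matches. The function names, the FIXED_ASA_CONFIG variant with the subinterface on VLAN 2, and the trunk-port argument are my own assumptions.

```python
import re

# Constructed sample input, re-typed from the thread: the ASA interfaces as
# posted, and the 2950 ports with the answer's abbreviations expanded.
ASA_CONFIG = """
interface GigabitEthernet0/1
 nameif WAN
 security-level 0
 ip address 200.184.0.1 255.255.255.0
interface GigabitEthernet0/1.1
 vlan 1
 nameif CLIENT
 security-level 0
 ip address 172.16.0.1 255.255.255.0
"""

SWITCH_CONFIG = """
interface FastEthernet0/1
 description *connected to ASA*
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan all
interface FastEthernet0/2
 description INTERNET
 switchport mode access
 switchport access vlan 1
interface FastEthernet0/3
 description CLIENT
 switchport mode access
 switchport access vlan 2
"""

# Hypothetical fix: the same ASA config with the subinterface moved to VLAN 2.
FIXED_ASA_CONFIG = ASA_CONFIG.replace(" vlan 1\n", " vlan 2\n")


def parse_blocks(config):
    """Split an IOS/ASA config into {interface name: [stripped config lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line and current is not None:
            blocks[current].append(line)
    return blocks


def asa_vlan_map(asa_config):
    """Return (nameif receiving untagged frames or None, {vlan id: subinterface nameif}).
    Untagged frames go to the physical interface if it has nameif and ip address;
    tagged frames go to the subinterface carrying that VLAN ID."""
    untagged, tagged = None, {}
    for name, lines in parse_blocks(asa_config).items():
        nameif = next((l.split()[1] for l in lines if l.startswith("nameif ")), None)
        has_ip = any(l.startswith("ip address ") for l in lines)
        vlan = next((int(l.split()[1]) for l in lines if l.startswith("vlan ")), None)
        if "." in name and vlan is not None:
            tagged[vlan] = nameif
        elif "." not in name and nameif and has_ip:
            untagged = nameif
    return untagged, tagged


def switch_vlan_map(switch_config, trunk_port):
    """Return (native vlan, allowed vlan set or None for all, {access port: vlan}).
    IOS defaults assumed: native VLAN 1, all VLANs allowed, access VLAN 1."""
    blocks = parse_blocks(switch_config)
    native, allowed = 1, None
    for line in blocks.get(trunk_port, []):
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan (.+)$", line)
        if m and m.group(1) != "all":
            allowed = {int(v) for v in m.group(1).split(",")}
    access = {}
    for port, lines in blocks.items():
        if port == trunk_port:
            continue
        access[port] = 1
        for line in lines:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                access[port] = int(m.group(1))
    return native, allowed, access


def check_reachability(asa_config, switch_config, trunk_port):
    """Map each access port to the ASA interface its frames reach (None if no ASA
    interface receives them) and list problems.  A subinterface on the trunk's
    native VLAN is a problem: the switch sends that VLAN untagged, so the
    physical interface, not the subinterface, receives those frames."""
    untagged, tagged = asa_vlan_map(asa_config)
    native, allowed, access = switch_vlan_map(switch_config, trunk_port)
    problems = []
    if native in tagged:
        problems.append(f"{tagged[native]} is on VLAN {native}, the native VLAN of "
                        f"{trunk_port}; its frames arrive untagged on {untagged or 'nothing'}")
    reach = {}
    for port, vlan in access.items():
        if allowed is not None and vlan not in allowed:
            reach[port] = None          # VLAN not carried on the trunk
        elif vlan == native:
            reach[port] = untagged      # sent untagged by the switch
        else:
            reach[port] = tagged.get(vlan)
    return reach, problems


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG), ("subinterface on vlan 2", FIXED_ASA_CONFIG)):
        print(label, check_reachability(cfg, SWITCH_CONFIG, "FastEthernet0/1"))
```

Run against the configs as posted, the script reports that FastEthernet0/2 (VLAN 1, native) lands on WAN but FastEthernet0/3 (VLAN 2) reaches no ASA interface, and flags that the CLIENT subinterface sits on the native VLAN. With the subinterface moved to VLAN 2 it reports both ports reaching WAN and CLIENT respectively, which is the arrangement the lab test later in the thread describes.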
03-27-2008 10:21 AM
Should I do some configuration on subinterface 0/1.1?
03-27-2008 12:28 PM
You don't need to change anything on your subinterface. I don't think I took into consideration that you are using a hub. Sorry, my mistake. Your physical interface on the ASA should be connected to your switch trunk interface Fa0/1 like you mentioned above, and the router interface on Fa0/2.
Note
Even after creating the subinterfaces, a security appliance can still pass untagged traffic over the physical interface if the nameif, security-level, and ip address commands are configured.
I have tested it in a lab properly. The config below is what I used.
! Create VLAN 2
vlan 2
!
interface GigabitEthernet0/1
 description ASA Int Gi0/0
 switchport mode trunk
 no shutdown
!
interface FastEthernet0/2
 description Router
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
My ASA 172.16.0.1 (subinterface) can ping router 172.16.0.2 on Fa0/1 in VLAN 2.
03-27-2008 12:31 PM
The only thing I needed to do was create a VLAN 2 on the 2950, put interface Gig 0/1 in trunk mode and put interface Fa0/2 in VLAN 2.
Now, everything is working FINE
Thank you
03-27-2008 01:11 PM
Happy to help.
Please use the rate section to rate the discussion.
Franco
03-27-2008 12:27 PM
Hi CISCO24x7,
Now it's working FINE. Many, many thanks.
See ya