Using Bridge-Groups on ASA 5506-X

Dean Romanelli
Level 4

Hi All,

Trying to carve out a DMZ zone on my 5506 without buying a switch (budget freeze).  If I use bridge-group in the following configuration, does this effectively allow all of the devices I plug into the bridge-group assigned ports to be on the same subnet?

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
bridge-group 1
nameif DMZ_1
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif DMZ_2
security-level 50
!
interface GigabitEthernet1/5
bridge-group 1
nameif DMZ_3
security-level 50
!
interface GigabitEthernet1/6
bridge-group 1
nameif DMZ_4
security-level 50
!
interface GigabitEthernet1/7
bridge-group 1
nameif DMZ_5
security-level 50
!
interface GigabitEthernet1/8
bridge-group 1
nameif DMZ_6
security-level 50
!
interface BVI1
nameif DMZ
security-level 50
ip address 192.168.99.1 255.255.255.0

3 Replies

Ben Walters
Level 3

Another method would be to use a VLAN interface as the gateway and just set any of the ports you want in the DMZ as access ports on that VLAN. It makes the config a little easier.

!
interface VLAN 99
nameif DMZ
security-level 50
ip address 192.168.99.1 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface range GigabitEthernet1/3-8
switchport access vlan 99
!

Hi Ben,

I believe you are referencing a 5505. When I try to create a vlan interface on the 5506, there is no option:

FW171Chennai-FLC5506# config t
FW171Chennai-FLC5506(config)# inter ?

configure mode commands/options:
GigabitEthernet GigabitEthernet IEEE 802.3z
Management Management interface
Port-channel Ethernet Channel of interfaces
Redundant Redundant Interface
vni VNI Interface
<cr>


Ben Walters
Level 3

Ah yes, you are correct, no more VLAN interfaces on the 5506.

Your original bridge group config will accomplish the same thing. All ports in the bridge group will be on the same subnet.
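A quick way to confirm which ports a bridge group actually puts on the BVI's subnet, and to spot members whose security-level differs from the BVI's (as DMZ_1 does in the original post), is to parse the interface stanzas. This is an added example, not code from the thread or from Cisco; the sample config is a trimmed, constructed copy of the post's configuration and the parser assumes plain ASA `show running-config` formatting.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the bridge-group config from the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif DMZ_1
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif DMZ_2
 security-level 50
!
interface BVI1
 nameif DMZ
 security-level 50
 ip address 192.168.99.1 255.255.255.0
"""

def parse_interfaces(config):
    """Split an ASA config into {interface name: {first word of line: rest of line}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
        elif current is not None and line and line != "!":
            key, _, value = line.partition(" ")
            current[key] = value
    return interfaces

def bridge_group_report(config):
    """Map each bridge-group id to its BVI subnet, BVI security-level and member ports."""
    groups = defaultdict(lambda: {"subnet": None, "bvi_level": None, "members": []})
    for name, attrs in parse_interfaces(config).items():
        if name.startswith("BVI"):                       # BVI<n> owns bridge-group n
            ip, mask = attrs["ip"].split()[1:3]          # "address <ip> <mask>"
            groups[name[3:]]["subnet"] = str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
            groups[name[3:]]["bvi_level"] = int(attrs["security-level"])
        elif "bridge-group" in attrs:                    # physical member port
            groups[attrs["bridge-group"]]["members"].append(
                (name, attrs.get("nameif"), int(attrs["security-level"])))
    return dict(groups)

def level_mismatches(report):
    """Members whose security-level differs from their BVI's; worth a second look."""
    return [(gid, port, lvl, g["bvi_level"]) for gid, g in report.items()
            for port, _nameif, lvl in g["members"]
            if g["bvi_level"] is not None and lvl != g["bvi_level"]]
```

Run it against a full running-config to list every bridge group, the subnet its members share, and any member whose security-level does not match the BVI.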
