Solved: Vlan on asa-5585

suthomas1 · ‎07-09-2013

Hi,

Is there any way to create vlans on cisco asa 5585 similar way we do for cisco switches.

The asa in this case is an interface for subsidary users to connect into this new network.

We require few vlans to be created for some servers on the firewall. the firewall should be the gateway for these servers.

eg. vlan 100 - 192.168.100.1/24 should be on the ASA firewall.

How do we achieve this?

Appreciate all help on this.

Jouni Forss · ‎07-09-2013

Hi,

You will have to configure atleast one physical interface as a Trunk interface if you want to bring the Vlan all the way to the ASA. Essentially the configuration follows the same lines as configuring a Cisco router to act as the gateway for multiple Vlans behind a switch.

The actual configuration format depends on how you have set up the ASA. Is it Single Context or Multiple Context?

In Single Context the configuration would be something like this

interface GigabitEthernet0/0

description TRUNK

interface GigabitEthernet0/0.100

vlan 100

nameif LAN

security-level 100

ip add 10.10.10.1 255.255.255.0

interface GigabitEthernet0/0.200

vlan 200

nameif DMZ

security-level 50

ip add 192.168.10.1 255.255.255.0

If you are running Multiple Context mode the configuration could be something like this

interface GigabitEthernet0/0

description TRUNK

interface GigabitEthernet0/0.100

description LAN

vlan 100

interface GigabitEthernet0/0.200

description DMZ

vlan 200

context EXAMPLE-CONTEXT

allocate-interface GigabitEthernet0/0.100

allocate-interface GigabitEthernet0/0.200

config-url disk0:/EXAMPLE-CONTEXT.cfg

Or something along these lines

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

View solution in original post

Jouni Forss · ‎07-09-2013

Hi,

You will have to configure atleast one physical interface as a Trunk interface if you want to bring the Vlan all the way to the ASA. Essentially the configuration follows the same lines as configuring a Cisco router to act as the gateway for multiple Vlans behind a switch.

The actual configuration format depends on how you have set up the ASA. Is it Single Context or Multiple Context?

In Single Context the configuration would be something like this

interface GigabitEthernet0/0

description TRUNK

interface GigabitEthernet0/0.100

vlan 100

nameif LAN

security-level 100

ip add 10.10.10.1 255.255.255.0

interface GigabitEthernet0/0.200

vlan 200

nameif DMZ

security-level 50

ip add 192.168.10.1 255.255.255.0

If you are running Multiple Context mode the configuration could be something like this

interface GigabitEthernet0/0

description TRUNK

interface GigabitEthernet0/0.100

description LAN

vlan 100

interface GigabitEthernet0/0.200

description DMZ

vlan 200

context EXAMPLE-CONTEXT

allocate-interface GigabitEthernet0/0.100

allocate-interface GigabitEthernet0/0.200

config-url disk0:/EXAMPLE-CONTEXT.cfg

Or something along these lines

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

suthomas1 · ‎07-09-2013

Firewall will be in single context-normal firewall.

Is there any other way to create this vlan on the firewall apart from the trunk interface method?

I essentially want the servers default gateway to be this firewall.

is it possible that i assign this vlan ip address on one of the firewall interfaces & do it that way.

Appreciate all help.

Jouni Forss · ‎07-09-2013

Hi,

The only way to do Vlan configurations on the ASA5585-X is to configure Trunk interface. The only ASA model that directly supports Vlan interfaces is the ASA5505 model which is the lowest end ASA model.

Naturally you can also take a single physical interface and configure it as usual and connect it to a switch port which is configured as Access port for the Vlan to which you want that ASA interface to connect to.

- Jouni