12-10-2007 11:54 PM - edited 02-21-2020 01:49 AM
Does ASA support multinetting?
Thanks
12-11-2007 10:13 AM
What's multinetting?
12-18-2007 06:44 AM
Sorry for the late reply. The CSS11500 supports firewall load balancing (FWLB), and in one of the modes it seems like the firewall should support multinetting (multiple IP addresses).
12-11-2007 01:12 PM
Multinetting?
Sounds like you might be talking about ...
- VLSM variable-length subnet masking
- Classless Inter-Domain Routing (CIDR)
- routing prefix aggregation (also known as "supernetting" or "route summarization")
12-11-2007 01:15 PM
He's probably talking about...
http://www.syngress.com/book_catalog/69_ipad/69_ipad_ce_01.htm#_Toc471028305
12-11-2007 01:18 PM
Geez Adam I hope you knew that off the top of your head :-)
Celso, I have never tried it, but I'm pretty sure you cannot assign multiple IPs to a single interface.
12-11-2007 01:25 PM
Haha, Google is my friend.
12-11-2007 01:31 PM
This is correct; however, the only way I see this being possible, looking at Adam's link, is if you were to use 802.1q and subinterfaces in ASA 7.x, each sub with the same security level.
Rgds
Jorge
12-11-2007 01:46 PM
OK, but what about routing? How can you control which interface the traffic leaves on? Assuming you care about that.
12-11-2007 02:22 PM
What do you mean by routing? You can route between same-security interfaces without issues; subinterfaces are routed interfaces, are they not? Perhaps I don't understand what you meant when you said "what about routing"?
Rgds
Jorge
12-18-2007 06:56 AM
Check this link, on page 107:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/security/guide/Security.pdf
12-11-2007 01:42 PM
Ahh ... yes, use multiple VLANs to segment up a single interface. We have several ASA 5520s running that configuration.
Sample of such. Notice that you can assign different security levels:
interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif SUB-DMZ
 security-level 60
 no ip address
!
interface GigabitEthernet0/2.2114
 description Citrix
 vlan 2114
 nameif SUB_Citrix
 security-level 75
 ip address 172.17.122.x 255.255.255.x
!
interface GigabitEthernet0/2.2126
 description Secure Email Sub DMZ
 vlan 2126
 nameif SUB_SEC_EMAIL
 security-level 75
 ip address 172.17.123.x 255.255.255.x
12-11-2007 02:13 PM
Marc, using your config and Adam's example link, the scenario of multiple IPs per interface could be accomplished this way:
interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif NET
 security-level 75
 no ip address
!
interface GigabitEthernet0/2.183
 description Network 183.55.2.0
 vlan 183
 nameif NET183
 security-level 75
 ip address 183.55.2.77 255.255.255.0
!
interface GigabitEthernet0/2.204
 description Network 204.238.7.0
 vlan 204
 nameif NET204
 security-level 75
 ip address 204.238.7.22 255.255.255.0
!
interface GigabitEthernet0/2.88
 description Network 88.127.6.0
 vlan 88
 nameif NET88
 security-level 75
 ip address 88.127.6.209 255.255.255.0
Use the same-security-traffic permit inter-interface command to pass traffic between these nets without the use of ACLs.
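An added example, not part of the original thread or any poster's code: a small Python audit that reads ASA-style interface configuration and lists which same-security-level subinterface pairs the `same-security-traffic permit inter-interface` command lets talk to each other without ACLs. The sample config is constructed (two subinterfaces from the last post plus a hypothetical `DMZ60`), and `parse` and `audit` are names chosen here.

```python
import re
from itertools import combinations

# Constructed sample: two subinterfaces from the thread plus a made-up DMZ60.
SAMPLE = """\
interface GigabitEthernet0/2.183
 vlan 183
 nameif NET183
 security-level 75
 ip address 183.55.2.77 255.255.255.0
!
interface GigabitEthernet0/2.204
 vlan 204
 nameif NET204
 security-level 75
 ip address 204.238.7.22 255.255.255.0
!
interface GigabitEthernet0/2.60
 vlan 60
 nameif DMZ60
 security-level 60
 ip address 192.0.2.1 255.255.255.0
!
same-security-traffic permit inter-interface
"""

PERMIT = "same-security-traffic permit inter-interface"

def parse(config):
    """Return (named interfaces, True if the global permit command is set)."""
    ifaces, cur = [], None
    lines = [l.strip() for l in config.splitlines()]
    for s in lines:
        if s.startswith("interface "):
            cur = {"nameif": None, "security-level": None}
            ifaces.append(cur)
        elif s == "!":
            cur = None  # "!" ends the interface block
        elif cur is not None and (m := re.fullmatch(r"(nameif|security-level) (\S+)", s)):
            cur[m[1]] = m[2]
    # Only interfaces with both a nameif and a security level take part.
    return [i for i in ifaces if all(i.values())], PERMIT in lines

def audit(config):
    """List same-level pairs and which of them pass traffic with no ACL."""
    ifaces, permit = parse(config)
    pairs = [(a["nameif"], b["nameif"]) for a, b in combinations(ifaces, 2)
             if a["security-level"] == b["security-level"]]
    return {"same_level_pairs": pairs, "open_without_acl": pairs if permit else []}
```

Running `audit` on a saved configuration before enabling the command shows exactly which networks stop being isolated from each other once it is set.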