Cisco Support Community
New Member

multinetting on asa

Does ASA support multinetting?

Thanks

12 REPLIES

Re: multinetting on asa

What's multinetting?

New Member

Re: multinetting on asa

Sorry for the late reply. The CSS11500 supports firewall load balancing (FWLB), and in one of the modes it seems like the firewall should support multinetting (multiple IP addresses).

New Member

Re: multinetting on asa

Multinetting?

Sounds like you might be talking about ...

- VLSM variable-length subnet masking

- Classless Inter-Domain Routing (CIDR)

- routing prefix aggregation (also known as "supernetting" or "route summarization")

http://en.wikipedia.org/wiki/VLSM

Green

Re: multinetting on asa

Geez Adam I hope you knew that off the top of your head :-)

Celso, I have never tried it, but I'm pretty sure you cannot assign multiple IPs to a single interface.

Green

Re: multinetting on asa

Haha, Google is my friend.

Re: multinetting on asa

This is correct; however, the only way I see this being possible, looking at Adam's link, is if you were to use 802.1q and subinterfaces in ASA 7.x, each sub with the same security level.

Rgds

Jorge

Re: multinetting on asa

OK, but what about routing? How can you control which interface the traffic leaves on? Assuming you care about that.

Re: multinetting on asa

What do you mean by routing? You can route between same-security interfaces without issues; subinterfaces are routed interfaces, are they not? Perhaps I don't understand what you meant when you said "what about routing"?

Rgds

Jorge

New Member

Re: multinetting on asa

Check this link, on page 107:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/security/guide/Security.pdf

New Member

Re: multinetting on asa

Ahh ... yes, use multiple VLANs to segment up a single interface. We have several ASA 5520s running that configuration.

Sample of such. Notice that you can assign different security levels.

interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif SUB-DMZ
 security-level 60
 no ip address
!
interface GigabitEthernet0/2.2114
 description Citrix
 vlan 2114
 nameif SUB_Citrix
 security-level 75
 ip address 172.17.122.x 255.255.255.x
!
interface GigabitEthernet0/2.2126
 description Secure Email Sub DMZ
 vlan 2126
 nameif SUB_SEC_EMAIL
 security-level 75
 ip address 172.17.123.x 255.255.255.x

Re: multinetting on asa

Marc, using your config and Adam's example link, the scenario of multiple IPs per interface could be accomplished this way:

interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif NET
 security-level 75
 no ip address
!
interface GigabitEthernet0/2.183
 description Network 183.55.2.0
 vlan 183
 nameif NET183
 security-level 75
 ip address 183.55.2.77 255.255.255.0
!
interface GigabitEthernet0/2.204
 description Network 204.238.7.0
 vlan 204
 nameif NET204
 security-level 75
 ip address 204.238.7.22 255.255.255.0
interface GigabitEthernet0/2.88
 description Network 88.127.6.0
 vlan 88
 nameif NET88
 security-level 75
 ip address 88.127.6.209 255.255.255.0

Use the same-security-traffic permit inter-interface command to pass traffic between these nets without the use of ACLs.
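An added example, not written by any poster in this thread: a Python check that reads an ASA interface configuration and lists which named interfaces can reach each other by security level alone, so the effect of same-security-traffic permit inter-interface can be reviewed before it is enabled. The sample config is constructed, SUB_GUEST and all addresses are hypothetical, and the check assumes routed mode with no interface ACLs applied.

```python
import re
from itertools import permutations

# Constructed sample modelled on the thread; SUB_GUEST and addresses are hypothetical.
SAMPLE = """\
interface GigabitEthernet0/2.2114
 vlan 2114
 nameif SUB_Citrix
 security-level 75
 ip address 172.17.122.1 255.255.255.0
interface GigabitEthernet0/2.2126
 vlan 2126
 nameif SUB_SEC_EMAIL
 security-level 75
 ip address 172.17.123.1 255.255.255.0
interface GigabitEthernet0/2.2130
 vlan 2130
 nameif SUB_GUEST
 security-level 40
 ip address 172.17.124.1 255.255.255.0
"""
SAME_SEC = "same-security-traffic permit inter-interface"

def parse_interfaces(config):
    """Map nameif -> {'level', 'has_ip'} for every named interface stanza."""
    stanzas, cur = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = {"level": 0, "has_ip": False}  # simplification: default level 0
            stanzas.append(cur)
        elif not line.startswith(" "):
            cur = None                            # left the interface stanza
        elif cur is not None and line.strip():
            w = line.split()
            if w[0] == "nameif":
                cur["name"] = w[1]
            elif w[0] == "security-level":
                cur["level"] = int(w[1])
            elif w[:2] == ["ip", "address"]:
                cur["has_ip"] = True
    return {s.pop("name"): s for s in stanzas if "name" in s}

def implicit_flows(config):
    """(src, dst) pairs allowed by security level alone, with no ACL applied."""
    ifs = {n: s for n, s in parse_interfaces(config).items() if s["has_ip"]}
    same_ok = re.search(rf"^{SAME_SEC}\s*$", config, re.M) is not None
    return {(a, b) for a, b in permutations(ifs, 2)
            if ifs[a]["level"] > ifs[b]["level"]
            or (same_ok and ifs[a]["level"] == ifs[b]["level"])}
```

Comparing implicit_flows(SAMPLE) with implicit_flows(SAMPLE + SAME_SEC + "\n") shows exactly which interface pairs the command opens up.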
