Sub-Interface configuration.... Trunk line required?

chrisbicm
Level 1

ASA5520: I am trying to set up a Sub-Interface for my 2 outside IPs (we have 2 pipes coming into the data center). I have just added a configuration with 2 Sub-Interfaces because I didn't have enough ports with using g0/3 for our Failover Interface (Active/Standby config). I was just wondering if I need to set up a trunk link to allow communication?? I have attached all the ports to a switch and tried pinging the Sub-Interfaces from a server on the same subnet but I can't ping the interfaces. I have not set up a trunk link and I was wondering if this would be the reason? I am using a Dell 2724 switch so maybe that is the reason that it won't work?? I could *really* use some help with this issue because I am at a loss... I have added my current config to the post so hopefully this helps to clarify my situation and setup.

icm-asa01(config)# show run
: Saved
:
ASA Version 7.0(4)
!
hostname icm-xxxxx
domain-name xxxxxxxx.com
!
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 10
 nameif Outside1
 security-level 0
 ip address 66.38.x.x 255.255.x.x standby 66.38.x.x
!
interface GigabitEthernet0/0.2
 vlan 20
 nameif Outside2
 security-level 0
 ip address 64.187.x.x 255.255.x.x standby 64.187.x.x
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 100
 ip address 10.10.x.x 255.255.x.x standby 10.10.x.x
!
interface GigabitEthernet0/2
 nameif Private
 security-level 40
 ip address 192.168.x.x 255.255.x.x standby 192.168.x.x
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 description STATE Failover Interface
 no nameif
 security-level 100
 ip address 192.168.x.x 255.255.x.x
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu Outside1 1500
mtu Outside2 1500
mtu DMZ 1500
mtu Private 1500
failover
failover lan unit primary
failover lan interface FoInt GigabitEthernet0/3
failover replication http
failover link FoInt GigabitEthernet0/3
failover interface ip FoInt 192.168.x.x 255.255.x.x standby 192.168.x.x
monitor-interface Outside1
monitor-interface Outside2

Thanks,

Chris


4 Replies

a.kiprawih
Level 7

Hi Chris,

Your sub-interface config is fine, except you probably need to assign different security levels between them, unless you already planned for it.

Normally, it's the switch side that needs to be configured accordingly. The trunk link between firewall and switch uses DOT1Q encapsulation (IEEE). I am not sure whether Dell supports it. Make sure the trunk allows whatever VLANs you assigned to the firewall sub-interfaces.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008054c515.html#wp1051819

To be able to ping the interface, make sure you allow the firewall to permit icmp to hit the interface using the 'icmp' command, e.g. "icmp permit any Outside2".

http://www.cisco.com/en/US/partner/products/ps6120/products_command_reference_chapter09186a00805fba52.html#wp1615091

Other than that, you need to apply normal firewall ACL, static NAT and so on.

Rgds,

AK

AK,

I was just wondering if I actually have to set up a trunk line from the ASA?? As in do I have to make another sub-interface to act as the trunk line, or should that all be taken care of by the switch? I also looked at my switch config and it shows the option to setup VLANs and associate ports to certain VLAN numbers.... I assume that I would associate the appropriate port (the one that Outside1/2 is plugged into) with the appropriate VLANs (VLAN 10 and VLAN 20)

Thanks,

Chris

Hi Chris,

When you create a sub-interface, it automatically sets the physical interface to use trunking with dot1Q encapsulation. No trunk/encap command is required, unlike on a switch. The rest needs to be taken care of by the switch, e.g. allowing which VLANs pass through and associating them with the respective sub-interface.

For example, if your Outside1 & Outside2 are associated with Vlan 10 & Vlan 20 respectively, the switch trunk (with dot1Q encap) must allow these VLANs to pass through. Other than that, the IP subnet configured will determine how traffic from the switch-side VLAN reaches the firewall-side VLAN.

Rgds,

AK
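The two checks AK gives in this thread (the switch port facing g0/0 must carry each sub-interface's VLAN as an 802.1Q tag, and the ASA must have an `icmp permit` rule for an interface before it answers pings) are easy to lose track of when a config is pasted around, so here is an added example, written for this page and not taken from the thread, Cisco, or any Dell tool, that mechanises both. It parses the `interface <phys>.<n>` blocks of an ASA running-config for their `vlan`, `nameif` and `security-level` lines, compares the VLAN IDs against a constructed set representing what the switch port tags, reports which named interfaces lack an `icmp permit ... <nameif>` line, and flags sub-interfaces on one physical port that share a security level (AK's other remark). The config text, the documentation-range addresses and the two switch-port VLAN sets are constructed samples modelled on the thread, not the poster's real values; the `icmp permit any Outside1` syntax is the one AK quotes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the relevant part of an ASA running-config, modelled on
# the thread's layout. Addresses are documentation-range placeholders, not the
# poster's real ones. Only Outside1 has an icmp permit rule on purpose.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 10
 nameif Outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface GigabitEthernet0/0.2
 vlan 20
 nameif Outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
!
icmp permit any Outside1
"""

# Constructed switch-side state: the VLAN IDs the port facing g0/0 carries tagged.
SWITCH_PORT_ACCESS_ONLY = set()      # untagged access port: no 802.1Q frames pass
SWITCH_PORT_TRUNK_FIXED = {10, 20}   # 802.1Q trunk allowing both sub-interface VLANs

SUBIF_RE = re.compile(r"^interface (\S+?)\.(\d+)$")


@dataclass
class SubInterface:
    physical: str                      # e.g. GigabitEthernet0/0
    name: str                          # e.g. GigabitEthernet0/0.1
    vlan: Optional[int] = None
    nameif: Optional[str] = None
    security_level: Optional[int] = None


def parse_subinterfaces(config: str) -> list:
    """Collect every 'interface <phys>.<n>' block with its vlan, nameif and security-level."""
    found, current = [], None
    for raw in config.splitlines():
        line = raw.strip()             # tolerate lost indentation, as in a forum paste
        if line.startswith("interface "):
            m = SUBIF_RE.match(line)
            current = SubInterface(physical=m.group(1), name=line.split(None, 1)[1]) if m else None
            if current:
                found.append(current)
        elif line == "!":
            current = None             # '!' closes the block in show run output
        elif current is not None:
            parts = line.split()
            if parts[0] == "vlan":
                current.vlan = int(parts[1])
            elif parts[0] == "nameif":
                current.nameif = parts[1]
            elif parts[0] == "security-level":
                current.security_level = int(parts[1])
    return found


def icmp_permitted_interfaces(config: str) -> set:
    """Interface names appearing as the last token of an 'icmp permit ...' line."""
    return {line.split()[-1] for line in config.splitlines()
            if line.strip().startswith("icmp permit ")}


def audit(config: str, switch_tagged_vlans: set) -> dict:
    """Cross-check ASA sub-interfaces against the switch port's tagged VLANs and icmp rules."""
    subifs = parse_subinterfaces(config)
    pingable = icmp_permitted_interfaces(config)
    findings = {"vlan_not_tagged_on_switch": [], "no_icmp_permit": [], "shared_security_level": []}
    by_level = {}
    for s in subifs:
        if s.vlan is not None and s.vlan not in switch_tagged_vlans:
            findings["vlan_not_tagged_on_switch"].append((s.nameif, s.vlan))
        if s.nameif and s.nameif not in pingable:
            findings["no_icmp_permit"].append(s.nameif)
        by_level.setdefault((s.physical, s.security_level), []).append(s.nameif)
    for (phys, level), names in by_level.items():
        if len(names) > 1:
            findings["shared_security_level"].append((phys, level, sorted(names)))
    return findings


if __name__ == "__main__":
    for label, vlans in (("access port", SWITCH_PORT_ACCESS_ONLY),
                         ("802.1Q trunk", SWITCH_PORT_TRUNK_FIXED)):
        print(f"--- switch port as {label} ---")
        for kind, items in audit(ASA_CONFIG, vlans).items():
            print(f"{kind}: {items or 'ok'}")
```

With the switch port modelled as an untagged access port, every sub-interface VLAN is reported as missing, which is the state the original question describes; switching the set to `{10, 20}` clears that finding while the missing `icmp permit` for Outside2 and the shared security level on g0/0 remain, which is exactly what AK asked to be checked next.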

Amrih,

Another great post.... you've helped me a lot in the last month or so... thanks a lot, you're the best.

Chris
