06-16-2006 04:24 AM - edited 03-09-2019 03:16 PM
ASA5520: I am trying to set up a Sub-Interface for my 2 outside IPs (we have 2 pipes coming into the data center). I have just added a configuration with 2 Sub-Interfaces because I didn't have enough ports with g0/3 used for our Failover Interface (Active/Standby config). I was just wondering if I need to set up a trunk link to allow communication? I have attached all the ports to a switch and tried pinging the Sub-Interfaces from a server on the same subnet but I can't ping the interfaces. I have not set up a trunk line and I was wondering if this would be the reason? I am using a Dell 2724 switch so maybe that is the reason that it won't work? I could *really* use some help with this issue because I am at a loss... I have added my current config to the post so hopefully this helps to clarify my situation and setup.
icm-asa01(config)# show run
: Saved
:
ASA Version 7.0(4)
!
hostname icm-xxxxx
domain-name xxxxxxxx.com
!
interface GigabitEthernet0/0
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/0.1
vlan 10
nameif Outside1
security-level 0
ip address 66.38.x.x 255.255.x.x standby 66.38.x.x
!
interface GigabitEthernet0/0.2
vlan 20
nameif Outside2
security-level 0
ip address 64.187.x.x 255.255.x.x standby 64.187.x.x
!
interface GigabitEthernet0/1
nameif DMZ
security-level 100
ip address 10.10.x.x 255.255.x.x standby 10.10.x.x
!
interface GigabitEthernet0/2
nameif Private
security-level 40
ip address 192.168.x.x 255.255.x.x standby 192.168.x.x
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
description STATE Failover Interface
no nameif
security-level 100
ip address 192.168.x.x 255.255.x.x
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu Outside1 1500
mtu Outside2 1500
mtu DMZ 1500
mtu Private 1500
failover
failover lan unit primary
failover lan interface FoInt GigabitEthernet0/3
failover replication http
failover link FoInt GigabitEthernet0/3
failover interface ip FoInt 192.168.x.x 255.255.x.x standby 192.168.x.x
monitor-interface Outside1
monitor-interface Outside2
Thanks,
Chris
06-16-2006 06:27 AM
Hi Chris,
Your sub-interface config is fine, except you probably need to assign different security levels between them, unless you already planned for it.
Normally, it's the switch side that needs to be configured accordingly. The trunk link between firewall and switch uses DOT1Q encapsulation (IEEE). I am not sure whether Dell supports it. Make sure the trunk allows whatever VLANs you assigned to the firewall sub-interfaces.
To be able to ping the interface, make sure you allow the firewall to permit ICMP to hit the interface using the 'icmp' command, e.g. "icmp permit any Outside2".
Other than that, you need to apply the normal firewall ACL, static NAT and so on.
Rgds,
AK
06-16-2006 07:15 AM
AK,
I was just wondering if I actually have to set up a trunk line from the ASA? As in, do I have to make another sub-interface to act as the trunk line, or should that all be taken care of by the switch? I also looked at my switch config and it shows the option to set up VLANs and associate ports with certain VLAN numbers.... I assume that I would associate the appropriate port (the one that Outside1/2 is plugged into) with the appropriate VLANs (VLAN 10 and VLAN 20).
Thanks,
Chris
06-16-2006 07:34 AM
Hi Chris,
When you create a sub-interface, it automatically sets the physical interface to use a trunk with dot1Q encapsulation. No trunk/encap command is required, compared to a switch. The rest needs to be taken care of by the switch, e.g. allowing which VLANs pass through and are associated with the respective sub-interface.
For example, if your Outside1 & Outside2 are associated with VLAN 10 & VLAN 20 respectively, the switch trunk (with dot1Q encap) must allow these VLANs to pass through. Other than that, the IP subnet configured will determine how traffic from the switch-side VLAN reaches the firewall-side VLAN.
Rgds,
AK
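As an added illustration (not code from the thread or from Cisco), a small Python model of the mechanism AK describes in his two replies: the switch port facing the ASA either strips the 802.1Q tag (no trunk, the situation in the question) or forwards only the allowed VLANs, and the ASA hands a tagged frame to the sub-interface carrying that VID, while an untagged frame hits the bare physical interface and has nowhere to go. The port modes, the MAC addresses and the assumption that only Outside2 carries "icmp permit" are constructed for the example.

```python
import struct

TPID_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800
# Constructed model of the posted ASA config: VLAN id -> subinterface nameif.
# GigabitEthernet0/0 itself has "no nameif"/"no ip address", so an untagged
# frame has no logical interface to land on.
SUBINTERFACES = {10: "Outside1", 20: "Outside2"}
TRUNK_ALLOWED_VLANS = {10, 20}  # switch-side trunk policy AK describes
ICMP_PERMIT = {"Outside2"}  # assumed: only "icmp permit any Outside2", as in AK's example

def build_frame(dst, src, payload, vlan=None):
    """Ethernet frame, optionally 802.1Q-tagged (constructed sample input)."""
    hdr = dst + src
    if vlan is not None:  # TPID 0x8100, TCI = PCP(3)|DEI(1)|VID(12); PCP/DEI = 0
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_vlan(frame):
    """VID of a tagged frame, or None if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def switch_egress(frame, port_mode, allowed=TRUNK_ALLOWED_VLANS):
    """Frame as it leaves the switch port facing the ASA. access: tag stripped
    (the untrunked setup in the question); trunk: tagged frames with an allowed
    VID pass unchanged, everything else is dropped (None)."""
    vid = parse_vlan(frame)
    if port_mode == "access":
        return frame[:12] + frame[16:] if vid is not None else frame
    return frame if vid in allowed else None

def asa_demux(frame, subifs=SUBINTERFACES):
    """ASA side: a tagged frame goes to the subinterface carrying its VID."""
    vid = parse_vlan(frame)
    return None if vid is None else subifs.get(vid)

def ping_interface(frame, port_mode):
    """Outcome of an ICMP echo aimed at a subinterface address."""
    out = switch_egress(frame, port_mode)
    if out is None:
        return "dropped-by-switch"
    ifname = asa_demux(out)
    if ifname is None:
        return "dropped-no-subinterface"
    return "reply" if ifname in ICMP_PERMIT else "dropped-icmp-not-permitted"

if __name__ == "__main__":  # constructed sample: echo frames from a server to the ASA
    for mode, vlan in (("access", 10), ("trunk", 10), ("trunk", 20), ("trunk", 30)):
        print(mode, vlan, ping_interface(build_frame(b"\x02" * 6, b"\x04" * 6, b"echo", vlan), mode))
```

With the switch port in access mode every echo is dropped at the ASA regardless of VLAN, which matches the symptom in the question; once the port is a trunk carrying VLANs 10 and 20, only the sub-interface with "icmp permit" answers.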
06-16-2006 07:50 AM
Amrih,
Another great post.... you've helped me a lot in the last month or so... thanks a lot, you're the best.
Chris