How to Configure VLAN subinterfaces on Cisco ASA 5500 Firewall

One of the advantages of the Cisco ASA firewall is that you can configure multiple virtual interfaces (subinterfaces) on the same physical interface, thus extending the number of security zones (firewall “legs”) on your network. Each subinterface must belong to a different Layer 2 VLAN, with a separate Layer 3 subnet.

There are limits on the number of VLANs supported on each ASA model, according to the following list:

  • ASA 5505: Max 20 VLANs (with the Security Plus Software)
  • ASA 5510: Max 100 VLANs (with the Security Plus Software)
  • ASA 5520: Max 150 VLANs
  • ASA 5540: Max 200 VLANs
  • ASA 5550: Max 250 VLANs
  • ASA 5580: Max 100 VLANs

Below is a configuration example of VLAN subinterfaces (two subinterfaces on each of two physical interfaces; note that the physical interface itself keeps no nameif, no security-level and no IP address):

interface GigabitEthernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.10
description OUTSIDE1
vlan 10
nameif OUT1
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
description OUTSIDE2
vlan 20
nameif OUT2
security-level 10
ip address 10.20.20.1 255.255.255.0
!

interface GigabitEthernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.30
description INSIDE1
vlan 30
nameif INSIDE1
security-level 90
ip address 10.30.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
description INSIDE2
vlan 40
nameif INSIDE2
security-level 80
ip address 10.40.40.1 255.255.255.0 
!
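The rules the article states (every subinterface carries its own VLAN tag, unique per physical port; a unique nameif; a separate Layer 3 subnet; a parent interface with no nameif or IP of its own; and a VLAN count within the model limit) can be checked mechanically. The following is an added example, not code from the article, that parses an ASA-style interface block and reports violations; the sample config is a constructed copy of the Gi0/0 snapshot above with one deliberate mistake (VLAN 10 reused on Gi0/0.20).

```python
import ipaddress
import re
from collections import defaultdict

# Per-model VLAN limits quoted in the article's list.
MAX_VLANS = {"5505": 20, "5510": 100, "5520": 150,
             "5540": 200, "5550": 250, "5580": 100}

# Constructed sample: the article's Gi0/0 block, with one
# deliberate mistake (VLAN 10 reused on Gi0/0.20).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif OUT1
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 10
 nameif OUT2
 security-level 10
 ip address 10.20.20.1 255.255.255.0
!
"""


def parse_interfaces(text):
    """Map interface name -> {vlan, nameif, ip} from an ASA config fragment.
    '!' separators and 'no ...' lines are skipped, so a missing vlan,
    nameif or ip address simply stays None."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)$", line):
            cur = ifaces.setdefault(m.group(1), {"vlan": None, "nameif": None, "ip": None})
        elif cur is None or line in ("", "!"):
            continue
        elif m := re.match(r"vlan\s+(\d+)$", line):
            cur["vlan"] = int(m.group(1))
        elif m := re.match(r"nameif\s+(\S+)$", line):
            cur["nameif"] = m.group(1)
        elif m := re.match(r"ip address\s+(\S+)\s+(\S+)$", line):
            cur["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def lint(ifaces, model="5520"):
    """Return a list of findings; an empty list means the article's rules hold."""
    findings = []
    subs = {n: i for n, i in ifaces.items() if "." in n}
    by_parent = defaultdict(list)
    for name in subs:
        by_parent[name.split(".")[0]].append(name)
    # A physical port carrying subinterfaces must itself stay unnamed and
    # unaddressed, as in the article's Gi0/0 and Gi0/1 blocks.
    for parent, children in by_parent.items():
        p = ifaces.get(parent)
        if p is None or p["nameif"] or p["ip"]:
            findings.append(f"{parent}: parent of {children} must exist with 'no nameif' / 'no ip address'")
    seen_vlan, seen_nameif, nets = {}, {}, []
    for name, i in subs.items():
        parent = name.split(".")[0]
        # Each subinterface needs its own 802.1Q tag, unique per physical port.
        if i["vlan"] is None:
            findings.append(f"{name}: subinterface has no 'vlan' tag")
        elif (parent, i["vlan"]) in seen_vlan:
            findings.append(f"{name}: vlan {i['vlan']} already used by {seen_vlan[(parent, i['vlan'])]}")
        else:
            seen_vlan[(parent, i["vlan"])] = name
        # nameif is how the ASA refers to the zone; it must be unique.
        if i["nameif"] is None:
            findings.append(f"{name}: no nameif, so it is not a usable security zone")
        elif i["nameif"] in seen_nameif:
            findings.append(f"{name}: nameif {i['nameif']} duplicates {seen_nameif[i['nameif']]}")
        else:
            seen_nameif[i["nameif"]] = name
        # Each zone is a separate Layer 3 subnet, so overlaps are a finding.
        if i["ip"] is not None:
            for other, onet in nets:
                if i["ip"].network.overlaps(onet):
                    findings.append(f"{name}: subnet {i['ip'].network} overlaps {other} ({onet})")
            nets.append((name, i["ip"].network))
    total = len({i["vlan"] for i in subs.values() if i["vlan"] is not None})
    limit = MAX_VLANS.get(model)
    if limit is not None and total > limit:
        findings.append(f"{total} VLANs exceeds the {limit} supported on an ASA {model}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_interfaces(SAMPLE_CONFIG)):
        print(finding)
```

Run against a `show running-config` dump it reports only the subinterface rules above; it does not parse `standby` addresses or the 5505's `interface vlan` style discussed later in the comments.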


Comments

  1. Hello Harris :-)

    By reading the eBook “If you configure subinterfaces (VLANs) on a physical interface, then this physical interface must be connected to a Trunk Port on a Layer 2 switch”.
    By the statement above I assume that I also need to create VLAN30 and VLAN40 database from layer 2 switch as well. Please correct me if I am wrong.
    1.Create VLAN 30 and 40 databases on the layer 2 switch for inside network and assign physical port to VLAN 30 and VLAN 40.
    2.Create Trunk Port on the layer 2 switch and connected to ASA in this case will be GigabitEthernet0/1

    Create VLAN and Trunk port on layer 2 switch.
    Switch# configure terminal
    Switch(config)# vlan 30
    Switch(config-vlan)# name INSIDE1
    Switch(config-vlan)# exit

    Switch(config)# vlan 40
    Switch(config-vlan)# name INSIDE2
    Switch(config-vlan)# exit

    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 30
    Switch(config-if)# exit

    Switch(config)# interface gigabitethernet0/2
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 40
    Switch(config-if)# exit

    Switch(config)# interface gigabitethernet0/8
    Switch(config-if)# switchport
    Switch(config-if)# switchport trunk encapsulation dot1q
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# end

    I greatly appreciate your help.

    Vince

  2. Blog Admin says:

    Vince,

    You got everything right on the switch configuration above. You must connect ASA interface GigabitEthernet0/1 to switch port gigabitethernet0/8 (the trunk port). A Host connected to port gigabitethernet0/1 of the switch will belong to Vlan 30 and must have default gateway the IP address of the ASA subinterface (10.30.30.1). Also, a host connected to port 0/2 of the switch will belong to Vlan 40 and must have as default gateway 10.40.40.1 (ASA gig0/1.40 subinterface).

    cheers,

    Harris

  3. lefty32000 says:

    OK. I’ve got an ASA 5510. Currently, 3 interfaces – one for the outside, one for the inside and one for the dmz. The inside connects to switches which are on the inside network. Separately, there is a small 2960 8 port switch for the DMZ. It is a layer 2 switch (I cannot use ip route – I can’t apparently even use the encap dot1q line because it only supports dot1q and not Cisco proprietary ISL, so I just have to write switchport mode trunk, which automatically means a dot1q trunk; software 12.2.44). In any case, I set up a single Vlan on the 8 port dmz switch. All 8 ports belong to the same Vlan; however, 7 of them are mode access, while port 0/8 is trunk. On the other end, on the ASA, ethernet0/2 I have no shut, no speed, no nameif (nothing) and I created a subinterface ethernet0/2.4 (the vlan on the switch is also vlan 4 and its ip is 10.20.20.2 for instance while the ip of the web server is 10.20.20.3) and then as above
    interface GigabitEthernet0/2.4
    description DMZ10
    vlan 4
    nameif DMZ1
    security-level 20
    ip address 10.20.20.1 255.255.255.0 (for ex)

    So now I can ping from the firewall the web server (10.20.20.3) and the vlan 4 ip (10.20.20.2) on the switch. OK.

    However, from the inside network where the staff are, I cannot access the web server in the DMZ. On the inside network, you have 2 switches (there is a staff vlan 5 and a management vlan 10). The second switch has a default gateway to the first switch, which is layer 3 and has an ip route command that points to the inside of the firewall (the two switches are connected with a trunk which allows vlans 5,10 to go through it).
    Do you reckon it all boils down to the access-lists in the firewall?
    I’ve actually borrowed an old cisco layer 3 switch and replaced the layer 2 switch in the DMZ, reprogrammed it, gave it a DMZ management VLAN and a DMZ vlan, added an ip route within the switch and just used the ethernet0/2 interface on the ASA normally with an ip address (no vlans) and it all worked – but I don’t know why all the problems with the layer 2 switch… hope you can help out. Thanks.

  4. Blog Admin says:

    Hello lefty,

    Your initial scenario with the 8-port layer2 switch is correct. The reason you are not communicating between the inside networks and DMZ is probably because you have not configured proper NAT (if you have “nat-control” enabled) or because of access-lists or because of routing on the ASA. First, let me know if you are using NAT on your ASA (i.e. do you have the command “nat-control” in the configuration?). If the command is “no nat-control” then you don’t have to configure NAT in order to communicate between inside and DMZ.

    Also, the ASA must have a static route to reach the two inside networks (vlan5 and 10). If these two networks are, let’s say, 192.168.5.0/24 and 192.168.10.0/24, then you must configure a static route on ASA as follows:

    asa(config)# route inside 192.168.5.0 255.255.255.0 192.168.1.254
    asa(config)# route inside 192.168.10.0 255.255.255.0 192.168.1.254

    (I assume that the address 192.168.1.254 is the IP address of your Layer3 switch (between switch and ASA inside) in the inside network.)

  5. How can I enable subinterfaces on the ASA 5505 basic license? I try, but even when I have the option it gives an input error. Any ideas??? Thanks.

    miami-hq-fw(config)# interface ethernet 0/4.1
    ^
    ERROR: % Invalid input detected at ‘^’ marker.

  6. Blog Admin says:

    You cannot have subinterfaces on ASA 5505 basic license.

  7. I see now thanks.

  8. Hi, related to the 2 outside subinterfaces Gi0/0.10 and Gi0/0.20 in the example. Can we have a dual connection (ISP) on the outside interface with the help of a switch to provide the VLANs?

  9. Blog Admin says:

    Yes, you can connect the outside physical interface (Gi0/0) to a switch and then split this interface in two Vlan subinterfaces. Then you can use the two Vlans to have two connections to ISPs.

  10. Dear Admin,
    Thank you, especially for this site. At first, sorry to say I can’t speak good English. By the way, please could you answer the question below?
    Dear Admin, I have 2 ASA5510s. My existing network scenario is: I have a Cisco 2811 router. The ISP link connects to router F0/0, and F0/1 is my local network interface that connects to a Cisco 2960 switch.
    Also note that I have 8 VLANs; all are created as sub-interfaces fa0/1.X. Now I want to put the ASA5510 in my network scenario. Please can you tell me how I can do this? Actually I have tried many times to create sub-interfaces on the ASA5510, which I can, but the problem was they can’t do inter-vlan routing. Please help me. Again, sorry dude for my English. If you want I will send you my network diagrams…

  11. Blog Admin says:

    Connect the internal interface of ASA to a switch port which must be trunk port. Then configure subinterfaces on ASA physical interface. Each subinterface of ASA must be a separate layer2 vlan and a different layer3 subnet. Each subinterface of ASA will be a separate network security zone with its own security level.

  12. Hi Harris,
    I’ve set up VLANs using an ASA 5520 and a 2950G switch in the lab. I’ve followed your book using VLAN sub-interfaces, but the VLANs I’ve created cannot access the internet. What I want to achieve is that all the VLANs can access the internet. Here’s my configuration.

    ASA Version 8.0(4)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 192.168.3.2 255.255.255.0
    !
    interface GigabitEthernet0/1
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/1.1
    vlan 1
    nameif inside1
    security-level 70
    ip address 192.168.2.2 255.255.255.0
    !
    interface GigabitEthernet0/1.2
    vlan 2
    nameif inside2
    security-level 80
    ip address 20.20.20.1 255.255.255.0
    !
    interface GigabitEthernet0/1.3
    vlan 3
    nameif inside3
    security-level 90
    ip address 30.30.30.1 255.255.255.0
    !
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    pager lines 24
    mtu outside 1500
    mtu inside1 1500
    mtu inside2 1500
    mtu inside3 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside1) 1 192.168.2.0 255.255.255.0
    nat (inside2) 2 20.20.20.0 255.255.255.0
    nat (inside3) 3 30.30.30.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f0093b97f26d7041a79295f23b89ec8f
    : end

  13. Blog Admin says:

    The problem is on your NAT statements. Change them to the following:

    nat (inside1) 1 192.168.2.0 255.255.255.0
    nat (inside2) 1 20.20.20.0 255.255.255.0
    nat (inside3) 1 30.30.30.0 255.255.255.0

    global (outside) 1 interface
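The mistake diagnosed in the reply above is mechanical enough to check: with the pre-8.3 syntax a dynamic `nat (src_ifc) ID ...` rule only translates towards an interface that has a `global (exit_ifc) ID ...` with the same ID. The following is an added example, not part of the thread; it parses the poster's three nat statements (copied as constructed input, before and after the fix) and lists the source interfaces whose nat ID has no matching global on the assumed exit interface, `outside`.

```python
import re

# Pre-8.3 ASA NAT syntax: "nat (src_ifc) ID net mask" and "global (exit_ifc) ID pool".
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.+)$")

# Constructed copies of the poster's lines: the original (IDs 1, 2, 3 against a
# single global ID 1) and the corrected version from the reply above.
BROKEN = """\
global (outside) 1 interface
nat (inside1) 1 192.168.2.0 255.255.255.0
nat (inside2) 2 20.20.20.0 255.255.255.0
nat (inside3) 3 30.30.30.0 255.255.255.0
"""
FIXED = """\
global (outside) 1 interface
nat (inside1) 1 192.168.2.0 255.255.255.0
nat (inside2) 1 20.20.20.0 255.255.255.0
nat (inside3) 1 30.30.30.0 255.255.255.0
"""


def parse_nat(text):
    """Return (nat rules, {nat_id: {exit_ifc: pool}}) from config lines."""
    nats, pools = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append({"ifc": m.group(1), "id": int(m.group(2)),
                         "net": f"{m.group(3)} {m.group(4)}"})
        elif m := GLOBAL_RE.match(line):
            pools.setdefault(int(m.group(2)), {})[m.group(1)] = m.group(3)
    return nats, pools


def unmatched_nat(text, exit_ifc="outside"):
    """List (src_ifc, nat_id) pairs whose ID has no global pool on exit_ifc.
    A dynamic nat rule only translates towards an interface that carries a
    global with the same ID; ID 0 (identity / no-NAT) never pairs with a
    global, so it is skipped."""
    nats, pools = parse_nat(text)
    return [(n["ifc"], n["id"]) for n in nats
            if n["id"] != 0 and exit_ifc not in pools.get(n["id"], {})]


if __name__ == "__main__":
    print("broken:", unmatched_nat(BROKEN))   # [('inside2', 2), ('inside3', 3)]
    print("fixed:", unmatched_nat(FIXED))     # []
```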

  14. i also have a problem—unbelievable!

    cable modem–>817 router—>ASA 5510—>3560 switch–>1811w——–Laptop

    3 interfaces (eth 0/0 = outside, eth 0/1 = inside, eth 0/2 = dmz).
    I split the eth 0/2 into 3 subinterfaces using 802.1q trunking, and the switch is also a trunk (sw trunk encap dot1q, sw mode trunk).

    Here is the problem: only if I have the switchport and the ASA dmz interface set up for access mode, not trunk mode, will DHCP addresses be leased to my laptop.

    Once I use my dot1q trunk, I cannot receive any addresses at all.

    on the 1811w router, and the 3560 switch, these are running as layer 2 only (no ip routing).

    since I have, on the 3560 and the 1811w, multiple vlans, I used to have a default-gateway specified, but have removed it.

    Oh—trying to APPLY dhcpd to the dmz interface on the ASA gives me an error, since it’s a sub-intf.

    code is 8.0

    any advice?

  15. Blog Admin says:

    chuck,

    Very confusing. Please clarify a little. Does the laptop belong in the same vlan as the DMZ or as the inside?

    what does the following mean?
    “on the 1811w router, and the 3560 switch, these are running as layer 2 only (no ip routing).”

    How can you have the 1811 router as layer2 only?

  16. Hi—I finally solved this—took the entire weekend:

    First, to answer your question, above: the 1811w router—I disabled ip routing (no ip routing), and the 3560 switch as well–same command.

    My laptop was in VLAN 600–the same vlan as the DMZ.

    To recap the topology:

    Cable Modem—-Cisco 871 router—–ASA 5510—cisco 3560

    then that 3560 goes like this:

    cisco 3560------cisco 3560
       |                |
     1811w         cisco 2950

    The ASA 5510 has 5 zones:
    public—assigned to eth 0/0
    inside—assigned to eth 0/1
    dmz—-assigned to eth 0/2.600
    wireless—assigned to eth 0/2.700
    server—-assigned to eth 0/2.800

    The 3560 uplink to the ASA has a trunkport permitting just those 3 vlans. There is no SVI. No ip routing. No default-gateway. Just a regular layer 2 switch.

    The 3560 links to 3 other devices:
    a) wireless router –1811w
    b) 3560 switch (another one)
    c) 2950 switch

    3560————–3560 (trunk port since wireless uses different vlan from wired traffic)

    3560————–2950 (trunk port as there are 2 vlans off that intf)

    The wireless router is set up to bridge (bridge 1 route ip, etc.).

    Here were the 2 problems:
    a) If I had eth 0/2 (the dmz interface) built as a primary interface, with no trunking on the 3560 switch port it connected to, then the dmz zone would work—but not the wireless (since its in a separate vlan).

    b) If I had eth 0/2 (the dmz interface) built as a sub-interface trunk, and the 3560 switch would trunk, then I was unable to get to the Internet on the wireless router, and sometimes could not even get an IP address from the Firewall.

    My fix was one command, which took over 4 hours to find:

    ip dhcp smart-relay

    My outside interface on the ASA firewall has my public IP address from my ISP—I do not have ip add dhcp set-route configured.

    The 2 devices handing out DHCP addresses are the ASA 5510 and the 1811w.

    So, I have all vlans pulled up to the ASA FW interface, except the wireless–which terminates on the 1811w, and the smart-relay command is used in conjunction with the ip helper-address command on the BVI.

    Let me know what you think—–

    Thanks

  17. One other thing—-

    My FTP server cannot be reached externally, only internally. I’ve exempted this from natting when going from inside—>dmz.

    But inbound, from the internet, nothing.

    I even temporarily opened up tcp, inbound, on the Outside interface, for any any, and still, nothing!

    The 2 things I did were:
    a) created an access-list entry and applied it, inbound, on the Outside Interface and,

    b) port-forwarded

    My topology:

    871 Cisco router—–ASA 5510—DMZ ZONE (FTP SERVER)

    Going to whats my ip, I get (for example):
    10.0.0.50 (from any web browser).

    The outside address of my ASA is different. Lets say its 10.0.0.40.

    The real IP for my Linux FTP Server is 192.168.1.5.

    So my port-forwarding:

    (I put the outside address of the ASA eth 0/0 to 10.0.0.40—and not the whatsmyip address)

    static (dmz,outside) 10.0.0.40 192.168.1.5 netmask 255.255.255.255

    192.168.1.5 is the real IP address of that linux box—
    access-list from_outside_2_dmz extended permit tcp any host 10.0.0.40 eq ftp
    access-list from_outside_2_dmz extended permit tcp any host 10.0.0.40 eq ftp-data

    access-group from_outside_2_dmz in interface outside

    Please let me know if you see any issues, for why I cannot access the box from the Internet—

    Thanks again!

  18. Blog Admin says:

    Chuck,

    The public IP address of your network visible from the rest of the Internet is the “whatismyip” address (i.e. 10.0.0.50 per your example). So I don’t know if the 871 is doing any NAT or something. I don’t know how your WAN addresses are assigned etc. Let me know more info.

  19. Hi,

    I am locked out of the 871 since it was provided by the ISP–Optimum Online–as I have a “business” account running out of my home.

    I was given a /29 block, and was told to use 1 of the 6 on my WAN facing device (i.e. the firewall).

    btw—something that is super annoying–i have magic jack in my basement, and i had to permit udp any any from outside to dmz just to get incoming calls.

    i would rather just let a port or 2 in—not the entire range—

  20. Hi,

    I have an ASA 5510 and four 3560 switches.

    I need to create a VLAN to separate traffic for a couple of stations and have created a subinterface/subnet for that on my ASA. I have also added these VLANs to the switches, but I’m trying to understand how the routing will actually work because 3560s are capable of inter-vlan routing.

    Would you mind explaining a little bit what I need to accomplish on each device to segregate the traffic?

    Thanks

  21. Blog Admin says:

    WZ,

    Taking as an example my scenario above, you would connect interface Gig0/1 of ASA on a trunk port of a switch. Then configure two Layer2 vlans on the switch (vlans 30 and 40) and assign these vlans to “switchport access” ports of the switch. You must not enable Layer3 routing on the 3560 switch. All routing must be done by the ASA. Then you need to assign default gateways: hosts connected to vlan 30 will have default gateway 10.30.30.1 and hosts connected to vlan 40 will have default gateway 10.40.40.1. On ASA you need to create access lists and nat translations (if needed) to control traffic between these two vlans.

  22. how can I enable subinterfaces on the ASA 5510 basic license? if yes, how can i process to do this?

  23. Blog Admin says:

    David,

    Yes, you can enable up to 50 vlans (subinterfaces) on asa5510 basic license. See the following post on how to do this:

    http://www.networkstraining.com/how-to-configure-vlan-subinterfaces-cisco-asa-5500-firewall/

  24. Hi,
    Many thanks for this fantastic article. I have found almost everything I wanted but I still have a quick question.
    In my case, I have an ASA 5510 and my interface “Outside” connected to my ISP for Internet. The subnet given is 1.1.1.0/28 and I have requested another subnet 2.2.2.0/28. After reading your post, I have decided to create 2 sub interfaces, but the switch I have is a basic one (“Dell PowerConnect 2608”) which is not manageable and where my ASA physical interface will be plugged. Do you think it will work correctly knowing that each sub interface is somehow in a VLAN?
    More over, should I add a route like:
    route Interface-Outside2 2.2.2.0 255.255.255.240 2.2.2.1 1
    (where 2.2.2.1 is the IP used on the ISP router as a secondary subnet)
    In advance many thanks for your reply.
    Kind Regards,
    Seb

  25. I have a Cisco ASA in my network, on which I configured int e0 for outside, int e1 for inside and e2 for DMZ.
    The inside user can access the internet, also the dmz, but the internal network cannot access the DMZ.
    Inside ip 192.168.10.0, Dmz ip 10.10.2.0/24.
    I configured nat for a global address on dmz.
    global (outside) 1 interface
    global (dmz) 1 10.10.2.10-10.10.2.30 255.255.255.0
    nat (inside) 1 192.168.10.0 255.255.255.0
    nat (dmz) 1 10.10.2.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 172.16.30.2 1
    Any error on this config?

  26. Blog Admin says:

    Segun,

    I suggest you configure the interface on DMZ to perform PAT for inside users going to DMZ:

    global (dmz) 1 interface

    Try the above and let me know.

  27. Blog Admin says:

    Seb,

    As I understand you will have two different public IP ranges on the outside of the ASA? If this is correct, then you don’t need to create another subinterface on the outside. Just leave the outside at subnet 1.1.1.0/28 and the ISP can route the new subnet 2.2.2.0 towards the outside ASA interface. You don’t have to create another interface on ASA.

  28. Thanks, it is working now.

  29. Thanks for your reply.
    I have asked the ISP to route the traffic to my current outside subnet.
    So as soon as it is done on the ISP equipment I should be able to use this new subnet and NAT IPs to internal DMZ addresses (for example)? No need to put a route or something?
    Thanks again for your help
    Seb

  30. Actually the ISP has updated their equipment and I have been able to test. So nothing had to be done on the ASA as you have said.
    Many thanks for your reply.
    Kind Regards,
    Seb

  31. Blog Admin says:

    Seb,

    As long as the new subnet is routed from the ISP towards the outside interface of ASA, you can create “static NAT” to translate and map the public IP addresses of the new subnet to internal hosts. Then you need to allow ports etc on the access-list which is applied to the outside of ASA.

  32. I want to power up VPN on the Cisco ASA 5520, but the ASA is not directly connected to the ISP. I have a Cisco 2800 which is connected to the ISP.
    ISP1/ISP2====CISCO Router=====CISCO ASA====LAN. On the other branch I have the same topology.
    Can I still power up VPN with this topology?

  33. Blog Admin says:

    Segun,

    Do you have a private IP address on the outside interface of ASA? If this is the case, then you need to configure static NAT on the 2800 router which will be translating the router’s outside public IP to the ASA outside IP. With that you can create VPN on the ASA using the public IP of the router.

  34. No, the public IP address is on the router interface.

  35. I have a Cisco 5505 with a security plus license but I can’t seem to create sub interfaces on it.

    ASA1(config)# sh ver

    Cisco Adaptive Security Appliance Software Version 8.2(2)4
    Device Manager Version 6.0(3)

    Compiled on Wed 03-Feb-10 14:17 by builders
    System image file is “disk0:/asa822-4-k8.bin”
    Config file at boot was “startup-config”

    ASA1 up 1 day 18 hours

    Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
    Boot microcode : CN1000-MC-BOOT-2.00
    SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
    IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
    0: Int: Internal-Data0/0 : address is d0d0.fd30.5df5, irq 11
    1: Ext: Ethernet0/0 : address is d0d0.fd30.5ded, irq 255
    2: Ext: Ethernet0/1 : address is d0d0.fd30.5dee, irq 255
    3: Ext: Ethernet0/2 : address is d0d0.fd30.5def, irq 255
    4: Ext: Ethernet0/3 : address is d0d0.fd30.5df0, irq 255
    5: Ext: Ethernet0/4 : address is d0d0.fd30.5df1, irq 255
    6: Ext: Ethernet0/5 : address is d0d0.fd30.5df2, irq 255
    7: Ext: Ethernet0/6 : address is d0d0.fd30.5df3, irq 255
    8: Ext: Ethernet0/7 : address is d0d0.fd30.5df4, irq 255
    9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
    10: Int: Not used : irq 255
    11: Int: Not used : irq 255

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 20, DMZ Unrestricted
    Inside Hosts : 50
    Failover : Active/Standby
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    SSL VPN Peers : 2
    Total VPN Peers : 25
    Dual ISPs : Enabled
    VLAN Trunk Ports : 8
    Shared License : Disabled
    AnyConnect for Mobile : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions : 2
    Total UC Proxy Sessions : 2
    Botnet Traffic Filter : Disabled

    This platform has an ASA 5505 Security Plus license.
    This is what I get when trying to add a subinterface:

    ASA1(config)# int e0/2.120
    ^
    ERROR: % Invalid input detected at ‘^’ marker.

    Any suggestions would be helpful

  36. Blog Admin says:

    Edwin,

    One of the differences between the 5505 model and all the rest of the models is that you can’t configure subinterfaces on the physical ports. The physical ports of the 5505 are just like the ports of a Layer2 switch. You need to assign each port into a vlan and then create an “interface vlan xx” inside which you configure the interface parameters (IP address, security level etc).

    Example:

    interface Ethernet 0/0
    switchport access vlan 2
    no shut

    interface vlan2
    nameif outside
    no shutdown
    security-level 0
    ip address 1.1.1.1 255.255.255.0

  37. I have a Cisco ASA 5520, on which I configured VLANs. Each
    VLAN network can access the INTERNET but there is no communication between the VLANs,
    i.e. a VLAN 10 host cannot ping a VLAN 20 host.
    Here is my config for the ASA and the switch:

    same-security-traffic permit intra-interface
    same-security-traffic permit inter-interface
    !
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address 41.100.100.2 255.255.255.248
    !
    interface Ethernet0/1
    nameif Inside
    security-level 100
    ip address 192.168.0.1 255.255.255.240
    !
    interface Ethernet0/1.10
    nameif Basement
    security-level 100
    ip address 192.168.1.1 255.255.255.250
    !
    interface Ethernet0/1.20
    nameif Groundfloor
    security-level 100
    ip address 192.168.2.1 255.255.255.250
    !
    interface Ethernet0/1.30
    nameif Firstfloor
    security-level 100
    ip address 192.168.3.1 255.255.255.250
    !
    interface Ethernet 0/1.40
    nameif Secondfloor
    security-level 100
    ip address 192.168.4.1 255.255.255.250

    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    !
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.255.240
    nat (Basement) 1 192.168.1.0 255.255.255.0
    nat (Groundfloor) 1 192.168.2.0 255.255.255.0
    nat (Firstfloor) 1 192.168.3.0 255.255.255.0
    nat (Secondfloor) 1 192.168.4.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 41.100.100.1

    SWITCH

    Hostname BASEMENT

    Int Vlan 1
    ip addr 192.168.0.2 255.255.255.240
    no shut

    int f0/1
    switchport access vlan 10
    Switchport mode access
    Spanning-tree Portfast

    int f0/2
    switchport access vlan 10
    Switchport mode access
    Spanning-tree Portfast

    Hostname Groundfloor

    Int Vlan 1
    ip addr 192.168.0.3 255.255.255.240
    no shut

    int f0/1
    switchport access vlan 20
    Switchport mode access
    Spanning-tree Portfast

    int f0/2
    switchport access vlan 20
    Switchport mode access
    Spanning-tree Portfast

  38. Blog Admin says:

    Hello,

    Each physical port of ASA which has subinterfaces configured MUST be connected to a trunk port on the switch. Also, on each subinterface of the ASA you must configure a VLAN number. See my example above to understand what I mean.

  39. Hello all, very nice chance to find this blog.

    I have a problem with my network.

    I configured my core as the gateway and made a default route, because before my gateway is the ASA 5110. Now I added a new subnet (192.168.5.0) to my old subnet (192.168.1.0). The problem is, when I connect myself to the new subnet I cannot ping the old one (192.168.1.0), but when I’m in the old subnet I can ping the new one (192.168.5.0).

    The DNS server is in the old subnet, 192.168.1.2.

    The route table in the ASA:

    C 213.165.40.12 255.255.255.252 is directly connected, outside
    C 172.16.1.0 255.255.255.0 is directly connected, DMZ
    C 192.168.200.0 255.255.255.0 is directly connected, inside
    S 192.168.5.0 255.255.255.0 [1/0] via 192.168.200.2, inside
    S 192.168.1.0 255.255.255.0 [1/0] via 192.168.200.2, inside
    S* 0.0.0.0 0.0.0.0 [1/0] via 213.165.40.13, outside

    i make two vlan in the core, vlan 5 & 200

    CORE show run :

    AMCO-2D-CORE#show run
    Building configuration…

    Current configuration : 1417 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname AMCO-2D-CORE
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$tMgp$99BNxNhY8WHf.8oMeATdm/
    !
    username amco privilege 15 secret 5 $1$3/0K$a.o2Hm6e6PUX.rZ4oHvY9.
    no aaa new-model
    switch 1 provision ws-c3750g-12s
    system mtu routing 1500
    ip subnet-zero
    ip routing
    !
    !

    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    !
    interface GigabitEthernet1/0/1
    !
    interface GigabitEthernet1/0/2
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface GigabitEthernet1/0/5
    switchport trunk encapsulation dot1q
    switchport mode trunk

    !
    interface Vlan1
    ip address 192.168.1.11 255.255.255.0
    !
    interface Vlan5
    ip address 192.168.5.11 255.255.255.0
    !
    interface Vlan200
    ip address 192.168.200.2 255.255.255.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.200.1
    ip http server
    !
    !
    control-plane
    !
    !
    line con 0
    line vty 0 4
    login local
    line vty 5 15
    login local
    !
    end

    ASA show run :

    Amco-ASA# show run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname Amco-ASA
    domain-name amco.com
    enable password t0e3.QfQxeDdLxkw encrypted
    passwd JSI3.TL9MINmP28U encrypted
    names
    !
    interface Ethernet0/0
    description Polarisnet Internet Link
    nameif outside
    security-level 0
    ip address 213.xxx.xxx.xxx 255.255.255.252
    !
    interface Ethernet0/1
    description Mobily Internet Link
    shutdown
    nameif outside1
    security-level 0
    ip address 86.xxx.xxx.xxx 255.255.255.252
    !
    interface Ethernet0/2
    description DMZ Server connected
    nameif DMZ
    security-level 50
    ip address 172.16.1.1 255.255.255.0
    !
    interface Ethernet0/3
    description Lan Network Connected
    nameif inside
    security-level 100
    ip address 192.168.200.1 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    no ip address
    management-only
    !
    regex domainlist3 "\.youtube\.com"
    regex domainlist4 "\.facebook\.com"
    regex block1 "facebook.com"
    regex block2 "\.facebook\.com"
    ftp mode passive
    dns server-group DefaultDNS
    domain-name amco.com
    access-list lan-no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list lan-no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list dmz-no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list out-to-in extended permit tcp any host 213.165.40.19 eq 3389
    access-list out-to-in extended permit tcp any host 213.165.40.17 eq www
    access-list out-to-in extended permit tcp any host 213.165.40.18 eq www
    access-list out-to-in extended permit tcp any interface outside range h323 3230
    access-list out-to-in extended permit tcp any interface outside eq 3243
    access-list out-to-in extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list out-to-in extended permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list dmz-to-in extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list OUTSIDE-IN extended permit tcp any interface outside range 3230 3277
    access-list OUTSIDE-IN extended permit udp any interface outside range 3230 3277
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu outside1 1500
    mtu DMZ 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (DMZ) 0 access-list dmz-no-nat
    nat (DMZ) 1 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list lan-no-nat
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) tcp interface h323 192.168.1.40 h323 netmask 255.255.255.255
    static (inside,outside) tcp interface 3230 192.168.1.40 3230 netmask 255.255.255.255
    static (inside,outside) tcp interface 3243 192.168.1.40 3243 netmask 255.255.255.255
    static (inside,outside) udp interface 3230 192.168.1.40 3230 netmask 255.255.255.255
    static (inside,outside) udp interface 3277 192.168.1.40 3277 netmask 255.255.255.255
    static (inside,outside) xxx.xxx.xxx.17 192.168.1.4 netmask 255.255.255.255
    static (inside,outside) xxx.xxx.xxx.18 192.168.1.16 netmask 255.255.255.255
    static (DMZ,outside) xxx.xxx.xxx.19 172.16.1.3 netmask 255.255.255.255
    access-group out-to-in in interface outside
    access-group dmz-to-in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 213.165.40.13 1
    route inside 192.168.1.0 255.255.255.0 192.168.200.2 1
    route inside 192.168.5.0 255.255.255.0 192.168.200.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd dns 213.xxx.xxx.134
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username amco password IViWOVvkDAu8QhFC encrypted privilege 15
    username nasa password IqBVv2.6j.KCDncy encrypted privilege 15
    !
    class-map type regex match-any DomainLogList
    match regex domainlist4
    class-map type regex match-any DomainBlockList
    match regex domainlist3
    match regex domainlist4
    class-map type inspect http match-all BlockDomainsClass
    match request header host regex class DomainBlockList
    class-map type inspect http match-all LogDomainsClass
    match request header host regex class DomainLogList
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map type inspect http http_inspection_policy
    parameters
    class BlockDomainsClass
    reset log
    class LogDomainsClass
    log
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    inspect http http_inspection_policy
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:7ded5bc8248b47cebe59c3646f329c58
    : end

    —————————–

    Amco-ASA# show run | include route
    route outside 0.0.0.0 0.0.0.0 213.165.40.13 1
    route inside 192.168.1.0 255.255.255.0 192.168.200.2 1
    route inside 192.168.5.0 255.255.255.0 192.168.200.2 1

  40. Hi, I have a couple of questions. I’m fairly new to the whole networking world, and recently was asked by my IT Director to set up a VLan for the wireless in the front office. I love this blog and read every post, which were very informative to say the least.

    Now the network topology I’m working with is 2911 Router – ASA5520 – 2811 – GS748TP (PoE Switch) – GS748TP (PoE Switch) – WAP200.

    I set up the VLan sub-interface on the 5520 as such;

    Interface GigabitEthernet0/2.10 "OUT1", is up, line protocol is up
    Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    VLAN identifier 10
    Description: OUTSIDE2
    MAC address 6400:f127:ce04, MTU 1500
    IP address 10.10.10.1, subnet mask 255.255.255.0

    I’m sure I can create the sub-interfaces on the switches, that part seems like the easiest. Now here’s where the questions start.

    Which switch do I create the sub-interface on, both of them or just the one with the wireless AP on it? The switch with the AP on it is daisy chained by Ethernet to the one underneath, which is connected to the 2811 in the server room by fiber. So, do I have to do anything special, like Tag the ports that have the VLans on them, or leave them UnTagged? Do I have to create an ACL for the ASA to allow traffic to and from the AP to access the Internet, and only the Internet? What would the ACL be? Yes, I’m that new to this, lol. If I create the Trunk port on the 2811 that’s attached to the ASA, is it going to throw off anything on the network? Or, as long as the hosts on the VLan use the 10.10.10.1 gateway, will traffic just pass through that interface on the ASA? Any help you can give would be greatly appreciated. Thanks!

  41. *Correction*

    The firewall comes before the Router.
    And the router has g0/0 as 192.168.3.1 and g0/1 as 10.0.0.1, g0/3 is unassigned. g0/1 on the ASA is unassigned also. Anything to make this easier would be great.

  42. Blog Admin says:

    Jamie,

    This is a whole network design which obviously is not possible to explain fully in this comment section here. In general though you need to do the following:

    • Connect the WAP200 on an “access port” of the GS748TP switch tagged as vlan10
    • The two switches GS748TP must be connected with a trunk port between them. Vlan10 must be created as Layer2 vlan on both of these switches.
    • Is the 2811 a Cisco router? If yes, you won’t be able to transfer vlan10 all the way to the ASA. You have a fundamental network problem here.
    • Assuming you could pass vlan 10 all the way to the ASA, then you would need to create a dynamic NAT for network 10.10.10.0 to access the internet. Also you would need an ACL as inbound to "OUT1" zone to allow access of 10.10.10.0 to internet and possibly restrict access to other internal networks.

    Harris
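The four bullets above carried through as one worked configuration (added illustration, not the blog author's or Jamie's own config): the Layer 2 side in Cisco IOS syntax, and the ASA side in the pre-8.3 NAT/ACL syntax of the 8.2(5) show run pasted earlier, where the inbound ACL lets the wireless VLAN reach the Internet but blocks it from the internal subnets. Assumed: VLAN 10 is 10.10.10.0/24 on subinterface OUT1 (from Jamie's output), the internal subnets are 192.168.3.0/24 and 10.0.0.0/24 (from comment 41), the GS748TP is a Netgear switch so its own commands differ from the IOS lines shown, and switch port numbers and ACL/VLAN names are placeholders.

```cisco
! Added example, not the blog author's or Jamie's configuration. Cisco IOS syntax
! for the switch side (the GS748TP is a Netgear switch, so its commands differ)
! and ASA 8.2-style NAT/ACL syntax matching the show run pasted above.
! Assumed: wireless VLAN 10 = 10.10.10.0/24 on subinterface OUT1 (from Jamie's
! output); internal subnets 192.168.3.0/24 and 10.0.0.0/24 (from comment 41).
!
! --- Layer 2 switch (create the VLAN on BOTH switches; IOS syntax) ---
vlan 10
 name WIRELESS
!
interface GigabitEthernet0/1
 description WAP200 (untagged access port in VLAN 10)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/48
 description uplink to the other switch / towards the ASA (802.1Q tagged)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! --- ASA (8.2) ---
interface GigabitEthernet0/2.10
 vlan 10
 nameif OUT1
 security-level 10
 ip address 10.10.10.1 255.255.255.0
!
! Dynamic PAT: wireless clients leave via the outside interface address.
! The nat id (1) must match the "global (outside) 1 interface" pool id.
global (outside) 1 interface
nat (OUT1) 1 10.10.10.0 255.255.255.0
!
! Inbound ACL on OUT1, evaluated top-down: block the internal networks
! first, then allow only DNS and web to the Internet, log everything else.
access-list OUT1-IN extended deny ip 10.10.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list OUT1-IN extended deny ip 10.10.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list OUT1-IN extended permit udp 10.10.10.0 255.255.255.0 any eq domain
access-list OUT1-IN extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list OUT1-IN extended permit tcp 10.10.10.0 255.255.255.0 any eq https
access-list OUT1-IN extended deny ip any any log
access-group OUT1-IN in interface OUT1
!
! Verify: subinterface up, NAT bound to OUT1, hit counts on the ACL entries
show interface GigabitEthernet0/2.10
show nat
show access-list OUT1-IN
```

With security-level 10 on OUT1 and 0 on outside the flow is high-to-low, so no same-security-traffic command is needed; the explicit deny lines must stay above the permits, since the first matching entry wins.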
