How to Configure VLAN subinterfaces on Cisco ASA 5500 Firewall

One of the advantages of the Cisco ASA firewall is that you can configure multiple virtual interfaces (subinterfaces) on the same physical interface, thus extending the number of security zones (firewall "legs") on your network without adding hardware. Each subinterface must belong to a different Layer 2 VLAN (802.1Q tag) and carry a separate Layer 3 subnet, and each one gets its own nameif and security level, so traffic between two subinterfaces is policed by security levels, access-lists and NAT exactly as traffic between two physical interfaces would be. The physical interface that carries the subinterfaces is left without a nameif, security level or IP address of its own, and it must be connected to an 802.1Q trunk port on the switch; that trunk has to carry every VLAN used by the subinterfaces.

There are limits on the number of VLANs supported on each ASA model, according to the following list (the Base and Security Plus licenses differ on the smaller models):

  • ASA 5505: 3 VLANs with the Base license (two normal zones plus one restricted zone, and no trunk ports), 20 VLANs with the Security Plus license. Note that the 5505 has a built-in 8-port switch and defines its zones as VLAN interfaces (interface Vlan N) rather than as dot1Q subinterfaces of a physical interface, so the subinterface syntax below does not apply to it.
  • ASA 5510: 50 VLANs with the Base license, 100 VLANs with the Security Plus license
  • ASA 5520: Max 150 VLANs
  • ASA 5540: Max 200 VLANs
  • ASA 5550: Max 250 VLANs
  • ASA 5580: Max 250 VLANs

Below is a configuration example of VLAN subinterfaces on an ASA 5510 or larger. Note that the two parent interfaces (GigabitEthernet0/0 and GigabitEthernet0/1) deliberately carry no nameif, security-level or IP address; the VLAN tag, name, security level and subnet all live on the subinterfaces, and the names OUT1, OUT2, INSIDE1 and INSIDE2 are what access-lists, NAT statements and routes refer to:

interface GigabitEthernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.10
description OUTSIDE1
vlan 10
nameif OUT1
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
description OUTSIDE2
vlan 20
nameif OUT2
security-level 10
ip address 10.20.20.1 255.255.255.0
!

interface GigabitEthernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.30
description INSIDE1
vlan 30
nameif INSIDE1
security-level 90
ip address 10.30.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
description INSIDE2
vlan 40
nameif INSIDE2
security-level 80
ip address 10.40.40.1 255.255.255.0 
!
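The rules above (one VLAN tag and one subnet per subinterface, an unnamed and unaddressed parent interface, a per-model VLAN ceiling) are easy to break when a configuration grows by copy-and-paste. The following Python script is an added example, not code from the original post or from Cisco: it parses the interface stanzas of a running-config snippet and reports every violation it finds. The sample configs embedded in it are the inside half of the example above plus a deliberately broken variant constructed for the check, and the model-limit table repeats the list above.

```python
"""Added example: lint ASA VLAN subinterface stanzas against the rules in this post.
Not code from the original page or from Cisco; the sample configs are constructed."""
import ipaddress
import re

# Per-model VLAN ceiling from the list above (Security Plus figure where licensing matters).
MAX_VLANS = {"5505": 20, "5510": 100, "5520": 150, "5540": 200, "5550": 250, "5580": 250}

# Interface attributes we care about; a leading "no " (e.g. "no nameif") is stored as None.
ATTR = re.compile(r"^(no )?(description|vlan|nameif|security-level|ip address)(?:\s+(.*))?$")

def parse_interfaces(config):
    """Return {interface name: {attribute: value}} for every 'interface' stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
        elif current and (m := ATTR.match(line)):
            interfaces[current][m.group(2)] = None if m.group(1) else m.group(3)
    return interfaces

def check_subinterfaces(config, model="5510"):
    """Return a list of findings; an empty list means the snippet passes every rule."""
    findings, ifaces = [], parse_interfaces(config)
    vlans_seen, names, subnets = {}, {}, []   # (parent, vlan) -> name; nameif -> name; (name, net)
    for name, attrs in ifaces.items():
        parent, dot, _ = name.partition(".")
        if not dot:
            # A physical interface that carries subinterfaces stays unnamed and unaddressed.
            has_children = any(n.startswith(name + ".") for n in ifaces)
            if has_children and (attrs.get("nameif") or attrs.get("ip address")):
                findings.append(f"{name}: parent of subinterfaces must have no nameif/ip address")
            continue
        missing = [k for k in ("vlan", "nameif", "security-level", "ip address") if not attrs.get(k)]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
            continue
        vlan = int(attrs["vlan"])
        if (parent, vlan) in vlans_seen:          # one 802.1Q tag per subinterface on a parent
            findings.append(f"{name}: vlan {vlan} already used by {vlans_seen[(parent, vlan)]} on {parent}")
        vlans_seen[(parent, vlan)] = name
        nameif = attrs["nameif"]
        if nameif in names:                       # nameif must be unique on the firewall
            findings.append(f"{name}: nameif {nameif} already used by {names[nameif]}")
        names[nameif] = name
        ip, mask = attrs["ip address"].split()[:2]   # tolerate a trailing 'standby x.x.x.x'
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        for other, other_net in subnets:          # one Layer 3 subnet per subinterface
            if net.overlaps(other_net):
                findings.append(f"{name}: subnet {net} overlaps {other_net} on {other}")
        subnets.append((name, net))
    limit = MAX_VLANS.get(model)
    if limit is not None and len(vlans_seen) > limit:
        findings.append(f"{len(vlans_seen)} VLAN subinterfaces exceed the ASA {model} limit of {limit}")
    return findings

# The inside half of the post's own example: Gi0/1 carrying INSIDE1 (vlan 30) and INSIDE2 (vlan 40).
PAGE_CONFIG = """
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1.30
 vlan 30
 nameif INSIDE1
 security-level 90
 ip address 10.30.30.1 255.255.255.0
interface GigabitEthernet0/1.40
 vlan 40
 nameif INSIDE2
 security-level 80
 ip address 10.40.40.1 255.255.255.0
"""

# Constructed broken variant: addressed parent, duplicate tag, overlapping subnet, incomplete stanza.
BAD_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/0.10
 vlan 10
 nameif OUT1
 security-level 0
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/0.11
 vlan 10
 nameif OUT2
 security-level 10
 ip address 10.10.10.129 255.255.255.128
interface GigabitEthernet0/0.12
 vlan 12
 nameif OUT3
"""

if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_CONFIG), ("broken example", BAD_CONFIG)):
        print(f"{label}: {check_subinterfaces(cfg) or 'OK'}")
```

Run it against `show running-config interface` output before you bring a new subinterface live; the overlap check in particular catches the case where a copied stanza keeps the old subnet, which the ASA itself only rejects for an exact duplicate address.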

31 Responses to 'How to Configure VLAN subinterfaces on Cisco ASA 5500 Firewall'

  1. Vince - June 26th, 2010 at 6:08 am

    Hello Harris :-)

    By reading the eBook: "If you configure subinterfaces (VLANs) on a physical interface, then this physical interface must be connected to a Trunk Port on a Layer 2 switch".
    By the statement above I assume that I also need to create the VLAN 30 and VLAN 40 database on the layer 2 switch as well. Please correct me if I am wrong.
    1. Create VLAN 30 and 40 databases on the layer 2 switch for the inside network and assign physical ports to VLAN 30 and VLAN 40.
    2. Create a trunk port on the layer 2 switch and connect it to the ASA; in this case it will be GigabitEthernet0/1.

    Create VLANs and trunk port on the layer 2 switch.
    Switch# configure terminal
    Switch(config)# vlan 30
    Switch(config-vlan)# name INSIDE1
    Switch(config-vlan)# exit

    Switch(config)# vlan 40
    Switch(config-vlan)# name INSIDE2
    Switch(config-vlan)# exit

    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 30
    Switch(config-if)# exit

    Switch(config)# interface gigabitethernet0/2
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 40
    Switch(config-if)# exit

    Switch(config)# interface gigabitethernet0/8
    Switch(config-if)# switchport
    Switch(config-if)# switchport trunk encapsulation dot1q
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# end

    I greatly appreciate your help.

    Vince

  2. Blog Admin - June 26th, 2010 at 7:52 am

    Vince,

    You got everything right on the switch configuration above. You must connect ASA interface GigabitEthernet0/1 to switch port gigabitethernet0/8 (the trunk port). A host connected to port gigabitethernet0/1 of the switch will belong to Vlan 30 and must have as default gateway the IP address of the ASA subinterface (10.30.30.1). Also, a host connected to port 0/2 of the switch will belong to Vlan 40 and must have as default gateway 10.40.40.1 (ASA gig0/1.40 subinterface).

    cheers,

    Harris
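To check the switch side against the ASA side, here is an added Python example (not code from the original post, the commenter, or Cisco). Given the VLAN IDs used by the ASA subinterfaces and the switch running-config, it verifies that each VLAN exists on the switch, that the port facing the ASA is a trunk carrying those VLANs, and that none of them is the trunk's native VLAN: native-VLAN frames leave the switch untagged and arrive on the unnamed physical interface of the ASA, never on the tagged subinterface. It also recommends pruning the trunk to the VLANs the ASA actually terminates. The embedded configs are constructed from the switch commands in the comment above (VLANs 30 and 40, ASA uplink on gigabitethernet0/8); the "hardened" variant is an assumption about what a pruned trunk would look like.

```python
"""Added example: check the switch trunk facing an ASA with VLAN subinterfaces.
Not code from the original page or from Cisco; the configs below are constructed."""
import re

def parse_vlan_list(spec):
    """Expand an IOS VLAN list ('30,40-42') into a set; 'all' -> None (every VLAN)."""
    spec = spec.strip()
    if spec == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        if part == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_switch(config):
    """Return (defined VLAN ids, {port: settings}) from an IOS-style switch config."""
    vlans, ports, port = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"^vlan (\d+)$", line):
            vlans.add(int(m.group(1)))
            port = None
        elif m := re.match(r"^interface (\S+)$", line):
            port = m.group(1)
            ports[port] = {"mode": None, "allowed": None, "native": 1}  # IOS defaults
        elif port and (m := re.match(r"^switchport mode (access|trunk)$", line)):
            ports[port]["mode"] = m.group(1)
        elif port and (m := re.match(r"^switchport trunk allowed vlan (.+)$", line)):
            ports[port]["allowed"] = parse_vlan_list(m.group(1))
        elif port and (m := re.match(r"^switchport trunk native vlan (\d+)$", line)):
            ports[port]["native"] = int(m.group(1))
    return vlans, ports

def check_uplink(config, asa_vlans, uplink):
    """Findings for the trunk `uplink` that must carry `asa_vlans` to the ASA; [] if clean."""
    findings = []
    defined, ports = parse_switch(config)
    for v in sorted(asa_vlans - defined):
        findings.append(f"vlan {v} is used by an ASA subinterface but not defined on the switch")
    port = ports.get(uplink)
    if port is None or port["mode"] != "trunk":
        findings.append(f"{uplink}: port facing the ASA must be 'switchport mode trunk'")
        return findings
    if port["allowed"] is None:                 # default: every VLAN rides the trunk
        wanted = ",".join(str(v) for v in sorted(asa_vlans))
        findings.append(f"{uplink}: trunk carries every VLAN; restrict it with "
                        f"'switchport trunk allowed vlan {wanted}'")
    else:
        for v in sorted(asa_vlans - port["allowed"]):
            findings.append(f"{uplink}: vlan {v} is not in the trunk's allowed list")
    if port["native"] in asa_vlans:             # untagged frames never hit a tagged subinterface
        findings.append(f"{uplink}: native vlan {port['native']} is an ASA subinterface VLAN; "
                        "its frames go untagged and never reach the subinterface")
    return findings

# Constructed from the commands in the comment above: VLANs 30/40, ASA uplink on Gi0/8.
AS_POSTED = """
vlan 30
 name INSIDE1
vlan 40
 name INSIDE2
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 30
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 40
interface GigabitEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""
# Same uplink pruned to the ASA VLANs with an unused VLAN as native (constructed hardening).
HARDENED = AS_POSTED + " switchport trunk allowed vlan 30,40\n switchport trunk native vlan 999\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(f"{label}: {check_uplink(cfg, {30, 40}, 'GigabitEthernet0/8') or 'OK'}")
```

The native-VLAN finding is the one worth remembering when a subinterface "cannot see" its hosts even though the switch shows the VLAN on the trunk: `show interface gigabitethernet0/8 trunk` on the switch tells you which VLAN is being sent untagged.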

  3. lefty32000 - July 26th, 2010 at 10:14 pm

    OK. I've got an ASA 5510. Currently, 3 interfaces: one for the outside, one for the inside and one for the DMZ. The inside connects to switches which are on the inside network. Separately, there is a small 2960 8-port switch for the DMZ. It is a layer 2 switch (I cannot use ip route; apparently I can't even use the encap dot1q line because it only supports dot1q and not Cisco proprietary ISL, so I just have to write switchport mode trunk, which automatically means a dot1q trunk; software 12.2.44). In any case, I set up a single VLAN on the 8-port DMZ switch. All 8 ports belong to the same VLAN; however, 7 of them are mode access, while port 0/8 is trunk. On the other end, on the ASA, ethernet0/2 I have no shut, no speed, no nameif (nothing), and I created a subinterface ethernet0/2.4 (the VLAN on the switch is also VLAN 4 and its IP is 10.20.20.2 for instance, while the IP of the web server is 10.20.20.3) and then as above:
    interface GigabitEthernet0/2.4
    description DMZ10
    vlan 4
    nameif DMZ1
    security-level 20
    ip address 10.20.20.1 255.255.255.0 (for example)

    So now I can ping from the firewall the web server (10.20.20.3) and the VLAN 4 IP (10.20.20.2) on the switch. OK.

    However, from the inside network where the staff are, I cannot access the web server in the DMZ. On the inside network you have 2 switches (there is a staff VLAN 5 and a management VLAN 10). The second switch has a default gateway to the first switch, which is layer 3 and has an ip route command that points to the inside of the firewall (the two switches are connected with a trunk which allows VLANs 5 and 10 to go through it).
    Do you reckon it all boils down to the access-lists in the firewall?
    I've actually borrowed an old Cisco layer 3 switch and replaced the layer 2 switch in the DMZ, reprogrammed it, gave it a DMZ management VLAN and a DMZ VLAN, added an ip route within the switch and just used the ethernet0/2 interface on the ASA normally with an IP address (no VLANs) and it all worked, but I don't know why all the problems with the layer 2 switch... hope you can help out. Thanks.

  4. Blog Admin - July 28th, 2010 at 8:17 am

    Hello lefty,

    Your initial scenario with the 8-port layer 2 switch is correct. The reason you are not communicating between the inside networks and the DMZ is probably because you have not configured proper NAT (if you have "nat-control" enabled), or because of access-lists, or because of routing on the ASA. First, let me know if you are using NAT on your ASA (i.e. do you have the command "nat-control" in the configuration?). If the command is "no nat-control" then you don't have to configure NAT in order to communicate between inside and DMZ.

    Also, the ASA must have static routes to reach the two inside networks (VLAN 5 and 10). If these two networks are, let's say, 192.168.5.0/24 and 192.168.10.0/24, then you must configure static routes on the ASA as follows:

    asa(config)# route inside 192.168.5.0 255.255.255.0 192.168.1.254
    asa(config)# route inside 192.168.10.0 255.255.255.0 192.168.1.254

    (I assume that the address 192.168.1.254 is the IP address of your Layer 3 switch (between the switch and the ASA inside) in the inside network.)

  5. edgard - January 19th, 2011 at 6:37 pm

    How can I enable subinterfaces on the ASA 5505 basic license? I try, but even when I have the option it gives an input error. Any ideas??? Thanks.

    miami-hq-fw(config)# interface ethernet 0/4.1
    ^
    ERROR: % Invalid input detected at ‘^’ marker.

  6. Blog Admin - January 19th, 2011 at 7:19 pm

    You can not have subinterfaces on ASA 5505 basic license.

  7. edgard - February 10th, 2011 at 3:22 am

    I see now thanks.

  8. alfha - April 11th, 2011 at 4:30 pm

    Hi, related to the 2 outside subinterfaces Gi0/0.10 and Gi0/0.20 in the example: can we have a dual connection (ISP) on the outside interface with the help of a switch to provide the VLANs?

  9. Blog Admin - April 12th, 2011 at 6:28 am

    Yes, you can connect the outside physical interface (Gi0/0) to a switch and then split this interface in two Vlan subinterfaces. Then you can use the two Vlans to have two connections to ISPs.

  10. emu - May 8th, 2011 at 4:26 pm

    Dear Admin,
    Thanks to you, especially for this site. At first, sorry to say I can't write good English. By the way, please could you tell me about the question below?
    Dear, I have 2 ASA 5510s. My existing network scenario is: I have a Cisco 2811 router. The ISP link connects to router F0/0, and F0/1 is my local network interface that connects to a Cisco 2960 switch.
    Also note that I have 8 VLANs; all are created as sub-interfaces fa0/1.X. Now I want to put the ASA 5510 in my network scenario. Please can you tell me how I can do this? Actually I have tried many times to create sub-interfaces on the ASA 5510; I can, but the problem was they can't do inter-VLAN routing. Please help me. Again sorry, dude, for my English. If you want I will send you my network diagrams...

  11. Blog Admin - May 10th, 2011 at 12:48 pm

    Connect the internal interface of ASA to a switch port which must be trunk port. Then configure subinterfaces on ASA physical interface. Each subinterface of ASA must be a separate layer2 vlan and a different layer3 subnet. Each subinterface of ASA will be a separate network security zone with its own security level.

  12. waple02 - October 4th, 2011 at 11:47 am

    Hi Harris,
    I've set up VLANs using an ASA 5520 and a 2950G switch in the lab. I've followed your book using VLAN subinterfaces, but the VLANs I've created cannot access the internet. What I want to achieve is that all the VLANs can access the internet. Here's my configuration.

    ASA Version 8.0(4)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 192.168.3.2 255.255.255.0
    !
    interface GigabitEthernet0/1
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/1.1
    vlan 1
    nameif inside1
    security-level 70
    ip address 192.168.2.2 255.255.255.0
    !
    interface GigabitEthernet0/1.2
    vlan 2
    nameif inside2
    security-level 80
    ip address 20.20.20.1 255.255.255.0
    !
    interface GigabitEthernet0/1.3
    vlan 3
    nameif inside3
    security-level 90
    ip address 30.30.30.1 255.255.255.0
    !
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    pager lines 24
    mtu outside 1500
    mtu inside1 1500
    mtu inside2 1500
    mtu inside3 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside1) 1 192.168.2.0 255.255.255.0
    nat (inside2) 2 20.20.20.0 255.255.255.0
    nat (inside3) 3 30.30.30.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f0093b97f26d7041a79295f23b89ec8f
    : end

  13. Blog Admin - October 4th, 2011 at 12:05 pm

    The problem is on your NAT statements. Change them to the following:

    nat (inside1) 1 192.168.2.0 255.255.255.0
    nat (inside2) 1 20.20.20.0 255.255.255.0
    nat (inside3) 1 30.30.30.0 255.255.255.0

    global (outside) 1 interface
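The mismatch diagnosed above (nat IDs 2 and 3 with a single global ID 1 on the outside) is mechanical to detect. The following Python script is an added example, not code from the original post, the commenters, or Cisco, for the pre-8.3 nat/global syntax used throughout this thread: it pairs every "nat (interface) ID ..." with a "global (egress) ID ..." on the interface the traffic leaves through and reports the rules with no partner; a second, deliberately simplified check flags named interfaces that appear in no nat or static rule at all while "nat-control" is enabled (the situation raised in an earlier reply). The first sample config is the NAT portion of the one posted above; the nat-control sample and its interface names are constructed.

```python
"""Added example: pair pre-8.3 ASA 'nat' rules with 'global' pools on the egress interface.
Not code from the original page or from Cisco; the sample configs are taken from the
comment thread or constructed."""
import re

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.*)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) ")
NAMEIF_RE = re.compile(r"^nameif (\S+)$")

def parse_nat(config):
    """Return ([(src_if, id, spec)], {(egress_if, id): pool}) from the nat/global lines."""
    nats, pools = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := GLOBAL_RE.match(line):
            pools[(m.group(1), int(m.group(2)))] = m.group(3)
    return nats, pools

def unmatched_nat(config, egress="outside"):
    """nat rules whose ID has no global pool on `egress`. ID 0 is identity/exempt NAT and
    needs no pool; every other ID without a matching global leaves the flow untranslated."""
    nats, pools = parse_nat(config)
    return [(src, nat_id, spec) for src, nat_id, spec in nats
            if nat_id != 0 and (egress, nat_id) not in pools]

def nat_control_gaps(config, egress="outside"):
    """Simplified nat-control check: when 'nat-control' is set, every named interface other
    than the egress must appear in at least one nat or static rule, or traffic it sources
    towards lower-security interfaces has no translation and is dropped."""
    lines = [raw.strip() for raw in config.splitlines()]
    if "nat-control" not in lines:          # 'no nat-control' does not match, as intended
        return []
    nameifs = {m.group(1) for line in lines if (m := NAMEIF_RE.match(line))}
    covered = {src for src, _, _ in parse_nat(config)[0]}
    covered |= {m.group(1) for line in lines if (m := STATIC_RE.match(line))}
    return sorted(nameifs - covered - {egress})

# NAT lines from the config posted above: only ID 1 has a matching global on outside.
POSTED = """
global (outside) 1 interface
nat (inside1) 1 192.168.2.0 255.255.255.0
nat (inside2) 2 20.20.20.0 255.255.255.0
nat (inside3) 3 30.30.30.0 255.255.255.0
"""
# The fix given in the reply: one ID shared by all three inside networks.
FIXED = POSTED.replace("(inside2) 2", "(inside2) 1").replace("(inside3) 3", "(inside3) 1")

# Constructed nat-control scenario: a dmz interface with no nat or static rule at all.
NAT_CONTROL = """
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1
 nameif inside
interface GigabitEthernet0/2
 nameif dmz
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
"""

if __name__ == "__main__":
    print("posted:", unmatched_nat(POSTED) or "OK")
    print("fixed:", unmatched_nat(FIXED) or "OK")
    print("nat-control gaps:", nat_control_gaps(NAT_CONTROL) or "none")
```

Pass a different `egress` to check the pairing for another exit interface, for example `unmatched_nat(cfg, egress="dmz")` when inside hosts must be translated on the way into a DMZ as in a later comment on this page.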

  14. chuck - October 14th, 2011 at 8:35 pm

    I also have a problem. Unbelievable!

    cable modem -> 817 router -> ASA 5510 -> 3560 switch -> 1811w -> Laptop

    3 interfaces (eth 0/0 = outside, eth 0/1 = inside, eth 0/2 = dmz).
    I split eth 0/2 into 3 subinterfaces using 802.1q trunking, and the switch is also a trunk (sw trunk encap dot1q, sw mode trunk).

    Here is the problem: only if I have the switchport and the ASA dmz interface set up for access mode, not trunk mode, will DHCP addresses be leased to my laptop.

    Once I use my dot1q trunk, I cannot receive any addresses at all.

    On the 1811w router and the 3560 switch, these are running as layer 2 only (no ip routing).

    Since I have multiple VLANs on the 3560 and the 1811w, I used to have a default-gateway specified, but have removed it.

    Oh, trying to APPLY dhcpd to the dmz interface on the ASA gives me an error, since it's a sub-intf.

    Code is 8.0

    Any advice?

  15. Blog Admin - October 17th, 2011 at 7:15 am

    chuck,

    very confusing. Please clarify a little. Does the laptop belong in the same vlan as the DMZ or as the inside?

    what does the following mean?
    “on the 1811w router, and the 3560 switch, these are running as layer 2 only (no ip routing).”

    How can you have the 1811 router as layer2 only?

  16. chuck - October 17th, 2011 at 1:51 pm

    Hi—I finally solved this—took the entire weekend:

    First, to answer your question, above: the 1811w router—I disabled ip routing (no ip routing), and the 3560 switch as well–same command.

    My laptop was in VLAN 600–the same vlan as the DMZ.

    To recap the topology:

    Cable Modem----Cisco 871 router----ASA 5510----cisco 3560

    then that 3560 goes like this:

    cisco 3560----------cisco 3560
        |                   |
        |                   |
      1811w             cisco 2950

    The ASA 5510 has 5 zones:
    public—assigned to eth 0/0
    inside—assigned to eth 0/1
    dmz—-assigned to eth 0/2.600
    wireless—assigned to eth 0/2.700
    server—-assigned to eth 0/2.800

    The 3560 uplink to the ASA has a trunkport permitting just those 3 vlans. There is no SVI. No ip routing. No default-gateway. Just a regular layer 2 switch.

    The 3560 links to 3 other devices:
    a) wireless router –1811w
    b) 3560 switch (another one)
    c) 2950 switch

    3560————–3560 (trunk port since wireless uses different vlan from wired traffic)

    3560————–2950 (trunk port as there are 2 vlans off that intf)

    The wireless router is set up to bridge (bridge 1 route ip, etc.).

    Here were the 2 problems:
    a) If I had eth 0/2 (the dmz interface) built as a primary interface, with no trunking on the 3560 switch port it connected to, then the dmz zone would work, but not the wireless (since it's in a separate VLAN).

    b) If I had eth 0/2 (the dmz interface) built as a sub-interface trunk, and the 3560 switch would trunk, then I was unable to get to the Internet on the wireless router, and sometimes could not even get an IP address from the firewall.

    My fix was one command, which took over 4 hours to find:

    ip dhcp smart-relay

    My outside interface on the ASA firewall has my public IP address from my ISP—I do not have ip add dhcp set-route configured.

    The 2 devices handing out DHCP addresses are the ASA 5510 and the 1811w.

    So, I have all vlans pulled up to the ASA FW interface, except the wireless–which terminates on the 1811w, and the smart-relay command is used in conjunction with the ip helper-address command on the BVI.

    Let me know what you think—–

    Thanks

  17. chuck - October 17th, 2011 at 2:21 pm

    One other thing—-

    My FTP server cannot be reached externally, only internally. I’ve exempted this from natting when going from inside—>dmz.

    But inbound, from the internet, nothing.

    I even temporarily opened up tcp, inbound, on the Outside interface, for any any, and still, nothing!

    The 2 things I did were:
    a) created an access-list entry and applied it, inbound, on the Outside Interface and,

    b) port-forwarded

    My topology:

    871 Cisco router—–ASA 5510—DMZ ZONE (FTP SERVER)

    Going to whatsmyip, I get (for example):
    10.0.0.50 (from any web browser).

    The outside address of my ASA is different. Lets say its 10.0.0.40.

    The real IP for my Linux FTP Server is 192.168.1.5.

    So my port-forwarding:

    (I put the outside address of the ASA eth 0/0 to 10.0.0.40—and not the whatsmyip address)

    static (dmz,outside) 10.0.0.40 192.168.1.5 netmask 255.255.255.255

    192.168.1.5 is the real IP address of that linux box—
    access-list from_outside_2_dmz extended permit tcp any host 10.0.0.40 eq ftp
    access-list from_outside_2_dmz extended permit tcp any host 10.0.0.40 eq ftp-data

    access-group from_outside_2_dmz in interface outside

    Please let me know if you see any issues, for why I cannot access the box from the Internet—

    Thanks again!

  18. Blog Admin - October 17th, 2011 at 5:10 pm

    Chuck,

    The public IP address of your network visible from the rest of the Internet is the "whatismyip" address (i.e. 10.0.0.50 per your example). So I don't know if the 871 is doing any NAT or something. I don't know how your WAN addresses are assigned etc. Let me know more info.

  19. chuck - October 17th, 2011 at 7:39 pm

    Hi,

    I am locked out of the 871 since it was provided by the ISP, Optimum Online, as I have a "business" account running out of my home.

    I was given a /29 block, and was told to use 1 of the 6 on my WAN facing device (i.e. the firewall).

    By the way, something that is super annoying: I have a magicJack in my basement, and I had to permit udp any any from outside to dmz just to get incoming calls.

    I would rather just let a port or 2 in, not the entire range.

  20. WZ - December 23rd, 2011 at 3:00 pm

    Hi,

    I have an ASA 5510 and four 3560 switches.

    I need to create a VLAN to separate traffic for a couple of stations and have created a subinterface/subnet for that on my ASA. I have also added these VLANs to the switches, but I'm trying to understand how the routing will actually work, because 3560s are capable of inter-VLAN routing.

    Would you mind explaining a little bit what I need to accomplish on each device to segregate the traffic?

    Thanks

  21. Blog Admin - December 23rd, 2011 at 3:49 pm

    WZ,

    Taking as an example my scenario above, you would connect interface Gig0/1 of the ASA to a trunk port of a switch. Then configure two Layer 2 vlans on the switch (vlans 30 and 40) and assign these vlans to "switchport access" ports of the switch. You must not enable Layer 3 routing on the 3560 switch. All routing must be done by the ASA. Then you need to assign default gateways: hosts connected to vlan 30 will have default gateway 10.30.30.1 and hosts connected to vlan 40 will have default gateway 10.40.40.1. On the ASA you need to create access lists and nat translations (if needed) to control traffic between these two vlans.

  22. David - January 16th, 2012 at 4:13 pm

    How can I enable subinterfaces on the ASA 5510 basic license? If yes, how can I proceed to do this?

  23. Blog Admin - January 17th, 2012 at 6:46 pm

    David,

    Yes, you can enable up to 50 vlans (subinterfaces) on asa5510 basic license. See the following post how to do this:

    http://www.networkstraining.com/how-to-configure-vlan-subinterfaces-cisco-asa-5500-firewall/

  24. Seb - January 31st, 2012 at 8:26 am

    Hi,
    Many thanks for this fantastic article I have found almost everything I wanted but I still have a quick question.
    In my case, I have an ASA 5510 and my interface "Outside" connected to my ISP for Internet. The subnet given is 1.1.1.0/28 and I have requested another subnet, 2.2.2.0/28, and after reading your post I have decided to create 2 sub interfaces, but the switch I have is a basic one (Dell PowerConnect 2608) which is not manageable and where my ASA physical interface will be plugged. Do you think it will work correctly, knowing that each sub interface is in somehow a VLAN?
    Moreover, should I add a route like:
    route Interface-Outside2 2.2.2.0 255.255.255.240 2.2.2.1 1
    (where 2.2.2.1 is the IP used on the ISP router as a secondary subnet)
    In advance many thanks for your reply.
    Kind Regards,
    Seb

  25. Segun - February 1st, 2012 at 1:52 pm

    I have a Cisco ASA in my network, on which I configured int e0 for outside, int e1 for inside and e2 for DMZ.
    The inside users can access the internet, also the DMZ, but the internal network can not access the DMZ.
    Inside IP 192.168.10.0, DMZ IP 10.10.2.0/24.
    I configured NAT for the global address on the DMZ.
    global (outside) 1 interface
    global (dmz) 1 10.10.2.10-10.10.2.30 255.255.255.0
    nat (inside) 1 192.168.10.0 255.255.255.0
    nat (dmz) 1 10.10.2.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 172.16.30.2 1
    Any error in this config?

  26. Blog Admin - February 1st, 2012 at 6:36 pm

    Segun,

    I suggest you to configure the interface on DMZ to perform PAT for inside users going to DMZ,

    global (dmz) 1 interface

    Try the above and let me know

  27. Blog Admin - February 1st, 2012 at 6:39 pm

    Seb,

    As I understand you will have two different public IP ranges on the outside of the ASA? If this is correct, then you don’t need to create another subinterface on the outside. Just leave the outside at subnet 1.1.1.0/28 and the ISP can route the new subnet 2.2.2.0 towards the outside ASA interface. You don’t have to create another interface on ASA.

  28. Segun - February 3rd, 2012 at 4:50 pm

    Thanks, is working now.

  29. Seb - February 7th, 2012 at 1:24 pm

    Thanks for your reply.
    I have asked the ISP to route the traffic to my current outside subnet.
    So as soon as it is done on the ISP equipment I should be able to use this new subnet and NAT its IPs to internal DMZ addresses (for example)? No need to put a route or something?
    Thanks again for your help
    Seb

  30. Seb - February 7th, 2012 at 2:32 pm

    Actually the ISP has updated their equipment and I have been able to test. So nothing had to be done on the ASA as you have said.
    Many thanks for your reply.
    Kind Regards,
    Seb

  31. Blog Admin - February 7th, 2012 at 3:03 pm

    Seb,

    As long as the new subnet is routed from the ISP towards the outside interface of ASA, you can create “static NAT” to translate and map the public IP addresses of the new subnet to internal hosts. Then you need to allow ports etc on the access-list which is applied to the outside of ASA.

