One of the advantages of the Cisco ASA firewall is that you can configure multiple virtual interfaces (subinterfaces) on the same physical interface, thus extending the number of security zones (firewall “legs”) on your network.
Each subinterface must belong to a different Layer2 VLAN, with a separate Layer3 subnet.
There are limits on the number of VLANs supported on each ASA model, according to the following list:
- ASA 5505: Max 20 VLANs (with the Security Plus Software)
- ASA 5510: Max 100 VLANs (with the Security Plus Software)
- ASA 5520: Max 150 VLANs
- ASA 5540: Max 200 VLANs
- ASA 5550: Max 250 VLANs
- ASA 5580: Max 100 VLANs
Below is a snapshot of a configuration example of VLAN subinterfaces:
no ip address
ip address 10.10.10.1 255.255.255.0
ip address 10.20.20.1 255.255.255.0
no ip address
ip address 10.30.30.1 255.255.255.0
ip address 10.40.40.1 255.255.255.0
As you can see from the configuration above, we are using two of the physical interfaces (GigabitEthernet0/0 and GigabitEthernet0/1) to create total of four different network segments (security zones).
Each Vlan is also a different Layer 3 subnet and also a separate security zone with its own security-level.
How to actually implement the above in the network
In order to implement the concept of Vlans and subinterfaces in a network, you must connect each physical interface of the ASA to a trunk port on a switch which must support 802.1q trunking.
The same Layer2 Vlan numbers which are configured on the firewall appliance (in our example the configured VLANs are 10,20,30,40) must also be created as Layer2 Vlans on the switch.
Then you must configure access ports on the switch belonging to the above Vlans accordingly in order to connect hosts to the access ports.
Communication between subinterfaces
Each subinterface is a different security zone with a different security-level. Therefore the communication between different subinterfaces is governed by the same rules as physical interfaces.
That is, higher security levels can communicate with lower security levels but, by default, lower security levels can’t communicate with higher security levels unless you configure NAT and Access Control List to allow traffic.