How to Configure VLAN subinterfaces on Cisco ASA 5500 Firewall

Comments

1. Vince says

   June 26, 2010 at 6:08 am

   Hello Harris :-)

   By reading the eBook “If you configure subinterfaces (VLANs) on a physical interface, then this physical interface must be connected to a Trunk Port on a Layer 2 switch”.
   By the statement above I assume that I also need to create VLAN30 and VLAN40 database from layer 2 switch as well. Please correct me if I am wrong.
   1.Create VLAN 30 and 40 databases on the layer 2 switch for inside network and assign physical port to VLAN 30 and VLAN 40.
   2.Create Trunk Port on the layer 2 switch and connected to ASA in this case will be GigabitEthernet0/1

   Create VLAN and Trunk port on layer 2 switch.
   Switch# configure terminal
   Switch(config)# vlan 30
   Switch(config-vlan)# name INSIDE1
   Switch(config-vlan)# end

   Switch(config)# vlan 40
   Switch(config-vlan)# name INSIDE2
   Switch(config-vlan)# end

   Switch(config)# interface gigabitethernet0/1
   Switch(config-if)# switchport mode access
   Switch(config-if)# switchport access vlan 30
   Switch(config-if)# end

   Switch(config)# interface gigabitethernet0/2
   Switch(config-if)# switchport mode access
   Switch(config-if)# switchport access vlan 40
   Switch(config-vlan)# end

   Switch# configure terminal
   Switch(config)# interface gigabitethernet0/8
   Switch(config-if)# switchport
   Switch(config-if)# switchport mode trunk
   Switch(config-if)# switchport trunk encapsulation dot1

   I greatly appreciate your help.

   Vince

2. Blog Admin says

   June 26, 2010 at 7:52 am

   Vince,

   You got everything right on the switch configuration above. You must connect ASA interface GigabitEthernet0/1 to switch port gigabitethernet0/8 (the trunk port). A Host connected to port gigabitethernet0/1 of the switch will belong to Vlan 30 and must have default gateway the IP address of the ASA subinterface (10.30.30.1). Also, a host connected to port 0/2 of the switch will belong to Vlan 40 and must have as default gateway 10.40.40.1 (ASA gig0/1.40 subinterface).

   cheers,

   Harris

3. lefty32000 says

   July 26, 2010 at 10:14 pm

   OK. I’ve got a ASA 5510. Currently, 3 interfaces – one for the outside, one for the inside and one for the dmz. The inside connects to switches which are on the inside network. Separately, there is a small 2960 8 port switch for the DMZ. It is a layer 2 switch (i cannot use ip route – i cant apparently even use encap dot1q line apparently because it only supports dot1q and not Cisco proprietery ISL so i just have to write switchport mode trunk which automatically means dot1q trunk 0 software 12.2.44.). In any case, i setup a single Vlan on the 8 port dmz switch. all 8 ports belong to the same Vlan however, 7 of them are mode access, while port 0/8 is trunk. On the other end, on the ASA, ethernet0/2 i have no shut, no speed, no nameif (nothing) and i created a subinterface ethernet0/2.4 (the vlan on the switch is also vlan 4 and its ip is 10.20.20.2 for instance while the ip of the web server is 10.20.20.3) and then as above
   nterface GigabitEthernet0/2.4
   description DMZ10
   vlan 4
   nameif DMZ1
   security-level 20
   ip address 10.20.20.1 255.255.255.0 (for ex)

   so now i can ping from the firewall the web server (10.20.20.3) and the vlan 4 ip (10.20.20.2) on the switch. OK.

   However, from the inside network where the staff are, i cannot access the web server in the DMZ. The inside network, you have 2 switches (there is a staff vlan 5 and a managament vlan 10). The second switch has a default gateway to the first switch which is layer 3 and has a ip route command that points to the inside of the firewall (the two switches are connected with a trunk which allows for vlans 5,10 to go through it).
   Do you reckon it all boils down to the access-lists in the firewall?
   I’ve actually borrowed a old cisco layer 3 switch and replaced the layer 2 switch in the DMZ, reprogrammed it, gave it a DMZ management VLAN and a DMZ vlan, added an ip route within the switch and just used the ethernet0/2 interface on the ASA normally with a ip address (no vlans) and it all worked – but i dont know why all the problems with the layer 2 switch…hope you can help out. Thanks.

4. Blog Admin says

   July 28, 2010 at 8:17 am

   Hello lefty,

   Your initial scenario with the 8-port layer2 switch is correct. The reason you are not communicating between the inside networks and DMZ is probably because you have not configured proper NAT (if you have “nat-control” enabled) or because of access-lists or because of routing on the ASA. First, let me know if you are using NAT on your ASA (i.e do you have command “nat-control” in the configuration ?). If the command is “no nat-control” then you don’t have to configure NAT in order to communicate between inside and DMZ.

   Also, the ASA must have a static route to reach the two inside networks (vlan5 and 10). If these two networks are lets say 192.168.5.0/24 and 192.168.10.0/24, then you must configure a static route on ASA as following:

   asa(config)# route inside 192.168.5.0 255.255.255.0 192.168.1.254
   asa(config)# route inside 192.168.10.0 255.255.255.0 192.168.1.254

   (I assume that the address 192.168.1.254 is the IP address of your Layer3 switch (between switch and ASA inside) in the inside network.)

5. edgard says

   January 19, 2011 at 6:37 pm

   how can I enable subinterfaces on the ASA 5505 basic license? i try but even when i have the option give a input error. any ideas??? thanks.

   miami-hq-fw(config)# interface ethernet 0/4.1
   ^
   ERROR: % Invalid input detected at ‘^’ marker.

6. Blog Admin says

   January 19, 2011 at 7:19 pm

   You can not have subinterfaces on ASA 5505 basic license.

7. edgard says

   February 10, 2011 at 3:22 am

   I see now thanks.

8. alfha says

   April 11, 2011 at 4:30 pm

   Hi, related to 2 outside subinterfaces Gi0/0.10 and Gi0/0.20 in the example. Can we have dual connection (ISP) in the outside interface with help a switch to provide VLAN?

9. Blog Admin says

   April 12, 2011 at 6:28 am

   Yes, you can connect the outside physical interface (Gi0/0) to a switch and then split this interface in two Vlan subinterfaces. Then you can use the two Vlans to have two connections to ISPs .

10. emu says

    May 8, 2011 at 4:26 pm

    Dear Admin ,
    Thanks for you .. specially for this site . at first sorry to say i can’t good English. By the way …plz could you tell me bellow Question ?
    ***Dear I have 2 ASA5510 ,my Exiting network scenario is… i have cisco2811 router . the ISP link has connect router F0/0 , and F0/1 is my local network interface that connect cisco2960 switch .
    also noted that i have 8 vlan .all are created sub-interface fa0/1.X . now i want to put ASA5510 in my network scenario. plz can u tell me . how i can do this?? . actually i had try more times to created sub-interface on ASA5510 i can , the problem was they can’t inter-vlan routing .please help me .again sorry dude for my English. if u want i will send u my network diagrams …….

11. Blog Admin says

    May 10, 2011 at 12:48 pm

    Connect the internal interface of ASA to a switch port which must be trunk port. Then configure subinterfaces on ASA physical interface. Each subinterface of ASA must be a separate layer2 vlan and a different layer3 subnet. Each subinterface of ASA will be a separate network security zone with its own security level.

12. waple02 says

    October 4, 2011 at 11:47 am

    Hi Harris,
    I’ve setup vlan using asa5520 and switch2950g on lab.I’ve followed your book using vlan sub interface but the vlan I’ve created cannot access the internet. What i want to achieve all the vlans can access internet.Here’s my configuration.

    ASA Version 8.0(4)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 192.168.3.2 255.255.255.0
    !
    interface GigabitEthernet0/1
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/1.1
    vlan 1
    nameif inside1
    security-level 70
    ip address 192.168.2.2 255.255.255.0
    !
    interface GigabitEthernet0/1.2
    vlan 2
    nameif inside2
    security-level 80
    ip address 20.20.20.1 255.255.255.0
    !
    interface GigabitEthernet0/1.3
    vlan 3
    nameif inside3
    security-level 90
    ip address 30.30.30.1 255.255.255.0
    !
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    pager lines 24
    mtu outside 1500
    mtu inside1 1500
    mtu inside2 1500
    mtu inside3 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside1) 1 192.168.2.0 255.255.255.0
    nat (inside2) 2 20.20.20.0 255.255.255.0
    nat (inside3) 3 30.30.30.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f0093b97f26d7041a79295f23b89ec8f
    : end

13. Blog Admin says

    October 4, 2011 at 12:05 pm

    The problem is on your NAT statements. Change them to the following:

    nat (inside1) 1 192.168.2.0 255.255.255.0
    nat (inside2) 1 20.20.20.0 255.255.255.0
    nat (inside3) 1 30.30.30.0 255.255.255.0

    global (outside) 1 interface

14. chuck says

    October 14, 2011 at 8:35 pm

    i also have a problem—unbelievable!

    cable modem–>817 router—>ASA 5510—>3560 switch–>1811w——–Laptop

    3 interfaces (eth 0/0 = outside, eth 0/1 = inside, eth 0/2 = dmz).
    I split the eth 0/2 into 3 subinterfaces using 802.1q trunking, and the switch is also a trunk (sw trunk encap dot1q, sw mode trunk).

    here is the problem: only if I have the switchport and the asa dmz interface set up for access mode, not trunk mode, will dhcp addresses be leased to my laptop.

    Once i use my dot1q trunk, no addresses at all can i receive.

    on the 1811w router, and the 3560 switch, these are running as layer 2 only (no ip routing).

    since I have, on the 3560 and the 1811w, multiple vlans, I used to have a default-gateway specified, but have removed it.

    Oh—trying to APPLY dhcpd to the dmz interface on the ASA gives me an error, since its a sub-intf.

    code is 8.0

    any advice?

15. Blog Admin says

    October 17, 2011 at 7:15 am

    chuck,

    very confusing. Please clarify a little. Does the laptop belong in the same vlan as the DMZ or as the inside?

    what does the following mean?
    “on the 1811w router, and the 3560 switch, these are running as layer 2 only (no ip routing).”

    How can you have the 1811 router as layer2 only?

16. chuck says

    October 17, 2011 at 1:51 pm

    Hi—I finally solved this—took the entire weekend:

    First, to answer your question, above: the 1811w router—I disabled ip routing (no ip routing), and the 3560 switch as well–same command.

    My laptop was in VLAN 600–the same vlan as the DMZ.

    To recap the topology:

    Cable Modem—-Cisco 871 router—–ASA 5510—cisco 3560

    then that 3560 goes like this:

    cisco 3560——cisco 3560
    | |
    | |
    | |
    1811w |
    cisco 2950

    The ASA 5510 has 5 zones:
    public—assigned to eth 0/0
    inside—assigned to eth 0/1
    dmz—-assigned to eth 0/2.600
    wireless—assigned to eth 0/2.700
    server—-assigned to eth 0/2.800

    The 3560 uplink to the ASA has a trunkport permitting just those 3 vlans. There is no SVI. No ip routing. No default-gateway. Just a regular layer 2 switch.

    The 3560 links to 3 other devices:
    a) wireless router –1811w
    b) 3560 switch (another one)
    c) 2950 switch

    3560————–3560 (trunk port since wireless uses different vlan from wired traffic)

    3560————–2950 (trunk port as there are 2 vlans off that intf)

    The wireless router is set up to bridge (bridge 1 route ip, etc.).

    Here were the 2 problems:
    a) If I had eth 0/2 (the dmz interface) built as a primary interface, with no trunking on the 3560 switch port it connected to, then the dmz zone would work—but not the wireless (since its in a separate vlan).

    b) If I had eth 0/2 (the dmz interface) built as a sub-interface trunk, and the 3560 switch would trunk, then I was unable to get to the Internet on the wireless router, and sometimes, and could not even get an IP address from the Firewall.

    My fix was one command, which took over 4 hours to find:

    ip dhcp smart-relay

    My outside interface on the ASA firewall has my public IP address from my ISP—I do not have ip add dhcp set-route configured.

    The 2 devices handing out DHCP addresses are the ASA 5510 and the 1811w.

    So, I have all vlans pulled up to the ASA FW interface, except the wireless–which terminates on the 1811w, and the smart-relay command is used in conjunction with the ip helper-address command on the BVI.

    Let me know what you think—–

    Thanks

17. chuck says

    October 17, 2011 at 2:21 pm

    One other thing—-

    My FTP server cannot be reached externally, only internally. I’ve exempted this from natting when going from inside—>dmz.

    But inbound, from the internet, nothing.

    I even temporarily opened up tcp, inbound, on the Outside interface, for any any, and still, nothing!

    The 2 things I did were:
    a) created an access-list entry and applied it, inbound, on the Outside Interface and,

    b) port-forwarded

    My topology:

    871 Cisco router—–ASA 5510—DMZ ZONE (FTP SERVER)

    Going to whats my ip, I get (for example):
    10.0.0.50 (from any web browser).

    The outside address of my ASA is different. Lets say its 10.0.0.40.

    The real IP for my Linux FTP Server is 192.168.1.5.

    So my port-forwarding:

    (I put the outside address of the ASA eth 0/0 to 10.0.0.40—and not the whatsmyip address)

    static (dmz,outside) 10.0.0.40 192.168.1.5 netmask 255.255.255.255

    192.168.1.5 is the real IP address of that linux box—
    access-list from_outside_2_dmz extended permit tcp any host 10.0.0.40 eq ftp
    access-list from_outside_2_dmz extended permit tcp any host 10.0.0.40 eq ftp-data

    access-group from_outside_2_dmz in interface outside

    Please let me know if you see any issues, for why I cannot access the box from the Internet—

    Thanks again!

18. Blog Admin says

    October 17, 2011 at 5:10 pm

    Chuck,

    The public IP address of your network visible from the rest of the Internet is the “whatismyip” address (i.e 10.0.0.50 per your example). So I don’t know if the 871 is doing any NAT or something. I don’t know how your WAN addresses are assigned etc. Let me know more info

19. chuck says

    October 17, 2011 at 7:39 pm

    Hi,

    I am locked out of the 871 since it was provided by the ISP–Optimum Online–as I have a “business” account running out of my home.

    I was given a /29 block, and was told to use 1 of the 6 on my WAN facing device (i.e. the firewall).

    btw—something that is super annoying–i have magic jack in my basement, and i had to permit udp any any from outside to dmz just to get incoming calls.

    i would rather just let a port or 2 in—not the entire range—

20. WZ says

    December 23, 2011 at 3:00 pm

    Hi,

    I have an ASA 5510 and four 3560 switches.

    I need to create a VLAN to separate traffic for a couple stations and have created a subinterface/subnet for that on my ASA. I have also added these VLAN’s to the switches, but I’m trying to understand how the routing will actually work because 3560’s are capable of inter-vlan routing.

    Would you mind explaining a little bit what I need to accomplish on each device to segregate the traffic?

    Thanks

21. Blog Admin says

    December 23, 2011 at 3:49 pm

    WZ,

    Taking as an example my scenario above, you would connect interface Gig0/1 of ASA on a trunk port of a switch. Then configure two Layer2 vlans on the switch (vlans 30 and 40) and assign these vlans to “switchport access” ports of the switch .You must not enable Layer3 routing on the 3560 switch. All routing must be done by the ASA. Then you need to assign default gateway for the hosts connected to vlan 30 will have default gateway 10.30.30.1 and also hosts connected to vlan 40 will have default gateway 10.40.40.1. On ASA you need to create access lists and nat translations (if needed) to control traffic between these two vlans.

22. David says

    January 16, 2012 at 4:13 pm

    how can I enable subinterfaces on the ASA 5510 basic license? if yes, how can i process to do this?

23. Blog Admin says

    January 17, 2012 at 6:46 pm

    David,

    Yes, you can enable up to 50 vlans (subinterfaces) on asa5510 basic license. See the following post how to do this:

    https://www.networkstraining.com/how-to-configure-vlan-subinterfaces-cisco-asa-5500-firewall/

24. Seb says

    January 31, 2012 at 8:26 am

    Hi,
    Many thanks for this fantastic article I have found almost everything I wanted but I still have a quick question.
    In my case, I have an ASA 5510 and my interface “Outside” connected to my ISP for Internet. The subnet give is a 1.1.1.0/28 and I have requested another subnet 2.2.2.0/28 and after reading your post, I have decided to create 2 sub interfaces but the switch I have is a basic one “Dell PowerConnect 2608” which is not manageable and where my ASA physical interface will be plugged. Do you think it will work correctly knowing that each sub interface is in somehow a VLAN?
    More over, should I add a route like:
    route Interface-Outside2 2.2.2.0 255.255.255.240 2.2.2.1 1
    (where 2.2.2.1 is the IP used on the ISP router as a secondary subnet)
    In advance many thanks for your reply.
    Kind Regards,
    Seb

25. Segun says

    February 1, 2012 at 1:52 pm

    I have CIsco ASA in my network, which i configure int e0 for outside, int e1 for inside and e2 for DMZ.
    The inside user can access the internrt, also the dmz, but the internal network can not access the DMZ.
    Inside ip 192.168.10.0, Dmz ip 10.10.2.0/24.
    I configure nat for global addrss on dmz.
    global (outside) 1 interface
    global (dmz) 1 10.10.2.10-10.10.2.30 255.255.255.0
    nat (inside) 1 192.168.10.0 255.255.255.0
    nat (dmz) 1 10.10.2.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 172.16.30.2 1
    Any error on this config

26. Blog Admin says

    February 1, 2012 at 6:36 pm

    Segun,

    I suggest you to configure the interface on DMZ to perform PAT for inside users going to DMZ,

    global (dmz) 1 interface

    Try the above and let me know

27. Blog Admin says

    February 1, 2012 at 6:39 pm

    Seb,

    As I understand you will have two different public IP ranges on the outside of the ASA? If this is correct, then you don’t need to create another subinterface on the outside. Just leave the outside at subnet 1.1.1.0/28 and the ISP can route the new subnet 2.2.2.0 towards the outside ASA interface. You don’t have to create another interface on ASA.

28. Segun says

    February 3, 2012 at 4:50 pm

    Thanks, is working now.

29. Seb says

    February 7, 2012 at 1:24 pm

    Thanks for your reply.
    I have asked the ISP to route the traffic to my current outside subnet.
    So as soon as it is done on the ISP equipment I should be able to use this new subnet and NAT IPs to internal DMZ address (for exemple)? No, need to put a route or something?
    Thanks again for your help
    Seb

30. Seb says

    February 7, 2012 at 2:32 pm

    Actually the ISP has updated their equipment and I have been able to test. So nothing had to be done on the ASA as you have said.
    Many thanks for your reply.
    Kind Regards,
    Seb

31. Blog Admin says

    February 7, 2012 at 3:03 pm

    Seb,

    As long as the new subnet is routed from the ISP towards the outside interface of ASA, you can create “static NAT” to translate and map the public IP addresses of the new subnet to internal hosts. Then you need to allow ports etc on the access-list which is applied to the outside of ASA.

32. Segun says

    February 10, 2012 at 7:55 am

    I want to Power up VPN on the Cisco ASA 5520, but the ASA is not directly connected to the ISP. I have Cisco 2800 which is connected to the ISP.
    ISP1/ISP2====CISCO Router=====CISCO ASA====LAN. On the other branch i have the same topology.
    Can i still power up VPN with this topology.

33. Blog Admin says

    February 10, 2012 at 6:32 pm

    Segun,

    Do you have a private IP address on the outside interface of ASA? If this is the case, then you need to configure static NAT on the 2800 router which will be translating the router’s outside public IP to the ASA outside public IP. With that you can create VPN on the ASA using the public IP of the router

34. Segun says

    February 14, 2012 at 7:45 am

    No,the public IP address is on the router interface.

35. Edwin says

    July 12, 2012 at 2:17 pm

    I have a Cisco 5505 with a security plus license and but I can’t seem to create sub interfaces on it.

    ASA1(config)# sh ver

    Cisco Adaptive Security Appliance Software Version 8.2(2)4
    Device Manager Version 6.0(3)

    Compiled on Wed 03-Feb-10 14:17 by builders
    System image file is “disk0:/asa822-4-k8.bin”
    Config file at boot was “startup-config”

    ASA1 up 1 day 18 hours

    Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
    Boot microcode : CN1000-MC-BOOT-2.00
    SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
    IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
    0: Int: Internal-Data0/0 : address is d0d0.fd30.5df5, irq 11
    1: Ext: Ethernet0/0 : address is d0d0.fd30.5ded, irq 255
    2: Ext: Ethernet0/1 : address is d0d0.fd30.5dee, irq 255
    3: Ext: Ethernet0/2 : address is d0d0.fd30.5def, irq 255
    4: Ext: Ethernet0/3 : address is d0d0.fd30.5df0, irq 255
    5: Ext: Ethernet0/4 : address is d0d0.fd30.5df1, irq 255
    6: Ext: Ethernet0/5 : address is d0d0.fd30.5df2, irq 255
    7: Ext: Ethernet0/6 : address is d0d0.fd30.5df3, irq 255
    8: Ext: Ethernet0/7 : address is d0d0.fd30.5df4, irq 255
    9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
    10: Int: Not used : irq 255
    11: Int: Not used : irq 255

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 20, DMZ Unrestricted
    Inside Hosts : 50
    Failover : Active/Standby
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    SSL VPN Peers : 2
    Total VPN Peers : 25
    Dual ISPs : Enabled
    VLAN Trunk Ports : 8
    Shared License : Disabled
    AnyConnect for Mobile : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions : 2
    Total UC Proxy Sessions : 2
    Botnet Traffic Filter : Disabled

    This platform has an ASA 5505 Security Plus license.
    This is what I get when trying to add a subinterface

    ASA1(config)# int e0/2.120
    ^
    ERROR: % Invalid input detected at ‘^’ marker.

    Any suggestions would be helpful

36. Blog Admin says

    July 12, 2012 at 6:45 pm

    Edwin,

    One of the differences between the 5505 model and all the rest of the models is that you can’t configure subinterfaces on the physical ports. The physical ports of the 5505 are just like the ports of a Layer2 switch. You need to assign each port into a vlan and then create an “interface vlan xx” inside which you configure the interface parameters (IP address, security level etc).

    Example:

    interface Ethernet 0/0
    switchport access vlan 2
    no shut

    interface vlan2
    nameif outside
    no shutdown
    security-level 0
    ip address 1.1.1.1 255.255.255.0
    

37. Segun says

    July 30, 2012 at 8:57 am

    I have Cisco ASA 5520, which i configure VLANS on, each
    VLAN network can access the INTERNET but there no communication between the VLAN
    i.e VLAN 10 host cannot ping VLAN 20 host
    Here are my config for the ASA and the switch

    same-security-traffic permit intra-interface
    same-security-traffic permit inter-interface
    !
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address 41.100.100.2 255.255.255.248
    !
    interface Ethernet0/1
    nameif Inside
    security-level 100
    ip address 192.168.0.1 255.255.255.240
    !
    interface Ethernet0/1.10
    nameif Basement
    security-level 100
    ip address 192.168.1.1 255.255.255.250
    !
    interface Ethernet0/1.20
    nameif Groundfloor
    security-level 100
    ip address 192.168.2.1 255.255.255.250
    !
    interface Ethernet0/1.30
    nameif Firstfloor
    security-level 100
    ip address 192.168.3.1 255.255.255.250
    !
    interface Ethernet 0/1.40
    nameif Secondfloor
    security-level 100
    ip address 192.168.4.1 255.255.255.250

    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    !
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.255.240
    nat (Basement) 1 192.168.1.0 255.255.255.0
    nat (Groundfloor) 1 192.168.2.0 255.255.255.0
    nat (Firstfloor) 1 192.168.3.0 255.255.255.0
    nat (Secondfloor) 1 192.168.4.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 41.100.100.1

    SWITCH

    Hostname BASEMENT

    Int Vlan 1
    ip addr 192.168.0.2 255.255.255.240
    no shut

    int f0/1
    switchport access vlan 10
    Switchport mode access
    Spanning-tree Portfast

    int f0/2
    switchport access vlan 10
    Switchport mode access
    Spanning-tree Portfast

    Hostname Groundfloor

    Int Vlan 1
    ip addr 192.168.0.3 255.255.255.240
    no shut

    int f0/1
    switchport access vlan 20
    Switchport mode access
    Spanning-tree Portfast

    int f0/2
    switchport access vlan 20
    Switchport mode access
    Spanning-tree Portfast

38. Blog Admin says

    July 30, 2012 at 1:45 pm

    Hello,

    Each physical port of ASA which has subinterfaces configured MUST be connected to a trunk port on the switch. Also, on each subinterface of the ASA you must configure a VLAN number. See my example above to understand what I mean.

39. Ahmed says

    September 17, 2012 at 10:20 am

    Hello all very nice chance to find this blog

    i have problem with my network

    i configure my core as gateway and make default route cz before my gateway is the ASA 5110, now i add new subnet (192.168.5.0) and my old subnet (192.168.1.0) , the problem when i connect my self to the new subenet i cannot ping the old one (192.168.1.0) but when im in the old subnet i can bing the new one (192.168.5.0)

    the DNS server in in the old subnet 192.168.1.2

    the the route table in the ASA:

    C 213.165.40.12 255.255.255.252 is directly connected, outside
    C 172.16.1.0 255.255.255.0 is directly connected, DMZ
    C 192.168.200.0 255.255.255.0 is directly connected, inside
    S 192.168.5.0 255.255.255.0 [1/0] via 192.168.200.2, inside
    S 192.168.1.0 255.255.255.0 [1/0] via 192.168.200.2, inside
    S* 0.0.0.0 0.0.0.0 [1/0] via 213.165.40.13, outside

    i make two vlan in the core, vlan 5 & 200

    CORE show run :

    AMCO-2D-CORE#show run
    Building configuration…

    Current configuration : 1417 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname AMCO-2D-CORE
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$tMgp$99BNxNhY8WHf.8oMeATdm/
    !
    username amco privilege 15 secret 5 $1$3/0K$a.o2Hm6e6PUX.rZ4oHvY9.
    no aaa new-model
    switch 1 provision ws-c3750g-12s
    system mtu routing 1500
    ip subnet-zero
    ip routing
    !
    !

    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    !
    interface GigabitEthernet1/0/1
    !
    interface GigabitEthernet1/0/2
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface GigabitEthernet1/0/5
    switchport trunk encapsulation dot1q
    switchport mode trunk

    !
    interface Vlan1
    ip address 192.168.1.11 255.255.255.0
    !
    interface Vlan5
    ip address 192.168.5.11 255.255.255.0
    !
    interface Vlan200
    ip address 192.168.200.2 255.255.255.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.200.1
    ip http server
    !
    !
    control-plane
    !
    !
    line con 0
    line vty 0 4
    login local
    line vty 5 15
    login local
    !
    end

    ASA show run :

    Amco-ASA# show run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname Amco-ASA
    domain-name amco.com
    enable password t0e3.QfQxeDdLxkw encrypted
    passwd JSI3.TL9MINmP28U encrypted
    names
    !
    interface Ethernet0/0
    description Polarisnet Internet Link
    nameif outside
    security-level 0
    ip address 213.xxx.xxx.xxx 255.255.255.252
    !
    interface Ethernet0/1
    description Mobily Internet Link
    shutdown
    nameif outside1
    security-level 0
    ip address 86.xxx.xxx.xxx 255.255.255.252
    !
    interface Ethernet0/2
    description DMZ Server connected
    nameif DMZ
    security-level 50
    ip address 172.16.1.1 255.255.255.0
    !
    interface Ethernet0/3
    description Lan Network Connected
    nameif inside
    security-level 100
    ip address 192.168.200.1 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    no ip address
    management-only
    !
    regex domainlist3 “\.youtube\.com”
    regex domainlist4 “\.facebook\.com”
    regex block1 “facebook.com”
    regex block2 “\.facebook\.com”
    ftp mode passive
    dns server-group DefaultDNS
    domain-name amco.com
    access-list lan-no-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list lan-no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list dmz-no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list out-to-in extended permit tcp any host 213.165.40.19 eq 3389
    access-list out-to-in extended permit tcp any host 213.165.40.17 eq www
    access-list out-to-in extended permit tcp any host 213.165.40.18 eq www
    access-list out-to-in extended permit tcp any interface outside range h323 3230
    access-list out-to-in extended permit tcp any interface outside eq 3243
    access-list out-to-in extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list out-to-in extended permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list dmz-to-in extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list OUTSIDE-IN extended permit tcp any interface outside range 3230 3277
    access-list OUTSIDE-IN extended permit udp any interface outside range 3230 3277
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu outside1 1500
    mtu DMZ 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (DMZ) 0 access-list dmz-no-nat
    nat (DMZ) 1 172.16.1.0 255.255.255.0
    nat (inside) 0 access-list lan-no-nat
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) tcp interface h323 192.168.1.40 h323 netmask 255.255.255.255
    static (inside,outside) tcp interface 3230 192.168.1.40 3230 netmask 255.255.255.255
    static (inside,outside) tcp interface 3243 192.168.1.40 3243 netmask 255.255.255.255
    static (inside,outside) udp interface 3230 192.168.1.40 3230 netmask 255.255.255.255
    static (inside,outside) udp interface 3277 192.168.1.40 3277 netmask 255.255.255.255
    static (inside,outside) xxx.xxx.xxx.17 192.168.1.4 netmask 255.255.255.255
    static (inside,outside) xxx.xxx.xxx.18 192.168.1.16 netmask 255.255.255.255
    static (DMZ,outside) xxx.xxx.xxx.19 172.16.1.3 netmask 255.255.255.255
    access-group out-to-in in interface outside
    access-group dmz-to-in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 213.165.40.13 1
    route inside 192.168.1.0 255.255.255.0 192.168.200.2 1
    route inside 192.168.5.0 255.255.255.0 192.168.200.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd dns 213.xxx.xxx.134
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username amco password IViWOVvkDAu8QhFC encrypted privilege 15
    username nasa password IqBVv2.6j.KCDncy encrypted privilege 15
    !
    class-map type regex match-any DomainLogList
    match regex domainlist4
    class-map type regex match-any DomainBlockList
    match regex domainlist3
    match regex domainlist4
    class-map type inspect http match-all BlockDomainsClass
    match request header host regex class DomainBlockList
    class-map type inspect http match-all LogDomainsClass
    match request header host regex class DomainLogList
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map type inspect http http_inspection_policy
    parameters
    class BlockDomainsClass
    reset log
    class LogDomainsClass
    log
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    inspect http http_inspection_policy
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:7ded5bc8248b47cebe59c3646f329c58
    : end

    —————————–

    Amco-ASA# show run | include route
    route outside 0.0.0.0 0.0.0.0 213.165.40.13 1
    route inside 192.168.1.0 255.255.255.0 192.168.200.2 1
    route inside 192.168.5.0 255.255.255.0 192.168.200.2 1

40. Jamie says

    April 2, 2013 at 7:44 pm

    Hi, I have a couple of questions. I’m fairly new to the whole networking world, and recently was asked by my IT Director to set up a VLan for the wireless in the front office. I love this blog and read every post, which were very informative to say the least.

    Now the network topology I’m working with is 2911 Router – ASA5520 – 2811 – GS748TP (PoE Switch) – GS748TP (PoE Switch) – WAP200.

    I set up the VLan sub-interface on the 5520 as such;

    Interface GigabitEthernet0/2.10 “OUT1”, is up, line protocol is up
    Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
    VLAN identifier 10
    Description: OUTSIDE2
    MAC address 6400:f127:ce04, MTU 1500
    IP address 10.10.10.1, subnet mask 255.255.255.0

    I’m sure I can create the sub-interfaces on the switches, that part seems like the easiest. Now here’s where the questions start.

    Which switch do I create the sub-interface on, both of them or just the one with the wireless AP on it? The switch with the AP on it is daisy chained by Ethernet to the one underneath, which is connected to the 2811 in the server room by fiber. So, do I have to do anything special, like Tag the ports that have the VLans on them, or leave them UnTagged? Do I have to create an ACL for the ASA to allow traffic to and from the AP to access the Internet, and only the Internet? What would the ACL be? Yes I’m that new to this lol If I create the Trunk port on the 2811 that’s attached to the ASA, is it going to throw off anything on the network? Or, as long as the hosts on the VLan use the 10.10.10.1 gateway, traffic will just pass through that interface on the ASA? Any help you can give would be greatly appreciated. Thanks!

41. Jamie says

    April 2, 2013 at 8:24 pm

    *Correction*

    The firewall comes before the Router.
    And the router has g0/0 as 192.168.3.1 and g0/1 as 10.0.0.1, g0/3 is unassigned. g0/1 on the ASA is unassigned also. Anything to make this easier would be great.

42. Blog Admin says

    April 3, 2013 at 5:37 am

    Jamie,

    This is a whole network design which obviously is not possible to explain fully in this comment section here. In general though you need to do the following:

    • Connect the WAP200 on an “access port” of the GS748TP switch tagged as vlan10
    • The two switches GS748TP must be connected with a trunk port between them. Vlan10 must be created as Layer2 vlan on both of these switches.
    • Is the 2811 a Cisco router? If yes, you won’t be able to transfer vlan10 all the way to the ASA. You have a fundamental network problem here.
    • Assuming you could pass vlan 10 all the way to the ASA, then you would need to create a dynamic NAT for network 10.10.10.0 to access the internet. Also you would need an ACL as inbound to “OUT1” zone to allow access of 10.10.10.0 to internet and possibly restrict access to other internal networks.

    Harris

43. Seb says

    September 10, 2014 at 11:14 am

    Hi,

    I’ve an asa 5510 used for routing (yes it is not delightful, but i had to manage it) connected to mpls for coporate and entertainment flow, and i’ve a default route on interface com.
    Now i’ve a subinterferface for guest user 192.168.x.x and the entertainement flow for this subinterface had to be route by interface internet on eth0/2 10.251.x.x where my new isp is connected.

    i don’t find any pbr on asa and when i’m trying to configure a static route, it is not possible because the network has directly connected. when i realize nat (guest,internet) source dynamic subnet-guest interface and realize a packet trace, the flow from guest interface still use interface com…

    i’m tearing my hair out since 2 days, can someone have an idea to help me?
    Thanks

44. Harris Andrea says

    September 10, 2014 at 1:18 pm

    Unfortunately there is no Policy Based Routing (PBR) support on Cisco ASA.

45. Eduardo says

    February 5, 2015 at 10:09 pm

    Dear Andrea, i have created 2 subinterfaces but traffic cannot pass to the other interfaces (Inside, Branch_office).
    Here is a part of the configuration. Management configuration is connected to an ONT directly

    !
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address xxx.yyy.zzz.123 255.255.255.248
    !
    interface Ethernet0/1
    nameif Branch_Office
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet0/2
    nameif DMZ
    security-level 10
    ip address 172.16.31.1 255.255.255.0
    !
    interface Ethernet0/3
    nameif Inside
    security-level 100
    ip address 192.168.0.2 255.255.255.0
    !
    interface Management0/0
    no nameif
    security-level 100
    no ip address
    !
    interface Management0/0.10
    nameif alianzaiNET
    security-level 100
    ip address 192.168.200.2 255.255.255.0
    !
    interface Management0/0.20
    nameif LinkserNET
    security-level 100
    ip address 192.168.5.2 255.255.255.0
    !
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name farmaciachavez.com.bo
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list dmz_in extended permit ip host 172.16.31.2 any
    access-list dmz_in extended permit tcp host 172.16.31.2 any
    access-list dmz_in extended permit udp host 172.16.31.2 any
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq 3000
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq https
    access-list dmz_in extended permit udp host 172.16.31.2 any eq domain
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq pop3
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq smtp
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq www
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq 1000
    access-list dmz_in extended permit tcp host 172.16.31.2 any eq echo
    access-list Inside extended permit ip any any
    access-list Inside extended permit icmp any any
    access-list Inside extended permit tcp any any
    access-list Inside extended permit udp any any
    access-list 100 extended permit ip any host 200.87.226.122
    access-list 100 extended permit tcp any host xxx.yyy.zzz.122
    access-list 100 extended permit udp any host xxx.yyy.zzz.122
    access-list 100 extended permit tcp any host xxx.yyy.zzz.125 object-group RDP
    access-list 100 extended permit tcp any host xxx.yyy.zzz.124
    access-list 100 extended permit tcp any host xxx.yyy.zzz.126 object-group SQL-ori
    x inactive
    access-list linkser extended permit ip 193.168.1.0 255.255.255.0 192.168.0.0 255
    .255.0.0
    access-list linkser extended permit ip 192.168.0.0 255.255.0.0 193.168.1.0 255.2
    55.255.0
    access-list netflow-export extended permit ip any any
    access-list AlianzaNET extended permit ip object-group Subredes 192.168.200.0 25
    5.255.255.252
    access-list AlianzaNET extended permit ip 192.168.200.0 255.255.255.252 192.168.
    0.0 255.255.128.0
    access-list AlianzaNET extended permit ip 192.168.0.0 255.255.128.0 192.168.200.
    0 255.255.255.252
    access-list Outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192
    .168.57.0 255.255.255.0
    access-list Outside_1_cryptomap extended permit ip 172.16.31.0 255.255.255.0 192
    .168.57.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 19
    2.168.57.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 19
    2.168.100.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 172.16.31.0 255.255.255.0 19
    2.168.57.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 19
    2.168.59.0 255.255.255.0
    access-list Outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192
    .168.59.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    flow-export destination Inside 192.168.0.55 9996
    flow-export template timeout-rate 1
    flow-export delay flow-create 60
    mtu Outside 1500
    mtu Branch_Office 1500
    mtu DMZ 1500
    mtu Inside 1500
    mtu alianzaiNET 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit host 192.168.0.43 Outside
    icmp permit any Outside
    icmp permit any DMZ
    asdm image disk0:/asdm-647.bin
    asdm history enable
    arp timeout 14400
    global (Outside) 101 interface
    global (DMZ) 101 interface
    global (alianzaiNET) 101 interface
    nat (Branch_Office) 101 0.0.0.0 0.0.0.0
    nat (DMZ) 101 0.0.0.0 0.0.0.0
    nat (Inside) 0 access-list Inside_nat0_outbound
    nat (Inside) 101 0.0.0.0 0.0.0.0

    What’s wrong

46. Harris Andrea says

    February 6, 2015 at 6:13 am

    If you want to allow traffic from the two management networks towards the other networks, you need to create NAT rules (since you are running an older ASA version 8.2).

    Example:

    nat (alianzaiNET) 101 0.0.0.0 0.0.0.0
    nat (LinkserNET) 101 0.0.0.0 0.0.0.0

    Also you must apply proper ACLs on each subinterface to control traffic flow according to your needs

47. Peace says

    November 25, 2015 at 10:59 am

    To a switch connected to ASA Firewall,it is necessary to add ip add after creating vlans on it?

48. Harris Andrea says

    November 25, 2015 at 11:28 am

    If the switch is Layer3 then you need to add IP address on each vlan. Basically you connect the physical interface of the ASA (which has subinterfaces configured) to a trunk port on the switch and then configure layer2 vlans and also layer3 vlans (SVI) on the switch.

49. Peace says

    November 26, 2015 at 6:39 am

    Thx alot Harris A.

    Why ASA Firewall (5520 ) crash after configure on it sub-interfaces (2 sub-interfaces) with 2 vlans (vlan 10 and vlan 20) and in switches (5 switches) add vlans (2 vlans) and assign the IP addresses to those vlans?

    Please help me

50. Harris Andrea says

    November 26, 2015 at 10:26 am

    Peace,

    The ASA is not supposed to crash after configuring subinterfaces. It must be a hardware problem and unfortunately I can’t help with that.

    Harris

51. Peace says

    November 27, 2015 at 7:22 am

    I really appreciate your help.

    Why vlans created in switches deleted after saving its (copy run start) ?
    And why ASA Firewall crush after those configuration?

    Please help me again

52. Harris Andrea says

    November 27, 2015 at 12:29 pm

    Peace,

    I have never encountered similar situation before. I suggest you to upgrade software both on switch and ASA.

53. Maz says

    December 2, 2015 at 5:35 pm

    Hi

    On our multi-tenant ASA. we have created supinterfaces with security level 100 for each client. SO we have disabled same-security-traffic permit inter-interface and no one can communicate which is good.

    We ran out of subnet and created a new subinterface with securirty level 90. I cant seem to ping or connect to the lower security from higher.

    I even tried following ACL but no luck

    access-list NewInterface_in line 1 extended permit ip any any
    access-group NewInterface_in in interface NewInterface_in

    Can you please advise? what I’m missing

    Thanks
    M

54. Harris Andrea says

    December 3, 2015 at 5:24 am

    Maz,

    You will need to configure also some kind of NAT between the two security levels (from higher to lower, usually we configure dynamic NAT).

    Harris

55. Peace says

    December 3, 2015 at 7:16 am

    I already configure Dynamic PAT in ASA Firewall to be able to access the internet
    (object network Ins-Out
    subnet 192.168.10.0 255.255.255.0
    nat (inside,outside) dynamic interface)
    And route outside (
    route outside 0.0.0.0 0.0.0.0 101.1.1.1)

    But internal-users can’t access internet. There is error in my commands?
    Or there are others configurations needed?

    Please help me
    Peace

56. Maz says

    December 3, 2015 at 9:10 am

    Can you please give an example for this NAT?
    Do I need to configure for each subnet?

    Thanks

57. Peace says

    December 3, 2015 at 10:59 am

    For ASA Firewall (8.4) it always necessary to inspect icmp ?
    How can I do this if necassary?

58. Harris Andrea says

    December 3, 2015 at 3:45 pm

    The commands are correct. Try from the ASA itself to ping a host on the internet to see if it works.

59. Harris Andrea says

    December 3, 2015 at 3:46 pm

    Maz, it depends on the ASA version you have. What is the ASA version?

60. Maz says

    December 3, 2015 at 9:31 pm

    ASA Version 9.1

    Thanks

61. Peace says

    December 4, 2015 at 5:30 am

    Harris

    From ASA I can’t ping external-users (host on the internet) but on external-users (host on the internet) I can ping the outside interface of ASA (101.1.1.100) and the inside interface of ISP (101.1.1.1).

    Sir how can I resolve this issue? And be able to ping external-users (host on the internet) ?

    Please help me

62. Harris Andrea says

    December 4, 2015 at 6:24 am

    You can use the keyword “any” to apply dynamic NAT from all source interfaces towards the new interface:

    example (double check the exact commands because I’m typing on top of my head now):

    nat (any,newinterface) dynamic interface

63. Harris Andrea says

    December 4, 2015 at 6:26 am

    make sure all internal users have proper default gateway and proper DNS settings and try to browser the internet from an internal PC. Also on ASA run the command “show xlate” to see if it creates sessions and NAT translations for the internal users.

64. mo says

    August 14, 2016 at 7:57 am

    Hey there I’m tryin’ to configure object in cisco asa 5520 like what you saw…

    ASA5505(config)# object network network1
    ASA5505(config-network)# subnet 10.71.0.0 255.255.255.0

    but i got this error
    ERROR: % Invalid input detected at ‘^’ marker.

65. Harris Andrea says

    August 14, 2016 at 1:49 pm

    Where is the ‘^’ marker showing? Below which command?