Networks Training

You are here: Home / Cisco ASA General / No switch option on Cisco ASA 5506-X

No switch option on Cisco ASA 5506-X

Written By

5505vs5506

The new ASA 5506-X and 5508-X were released a few months ago from Cisco and are the models which will replace the very successful ASA5505 SOHO firewall.

Especially the 5506-X is marketed as the ideal replacement for the 5505 which was very popular and successful in small network deployments.

As you might know already, the 8 interfaces of the ASA 5505 act as an 8-port Layer2 switch (with Power of Ethernet ports as well). This means that you can directly connect computers and other hosts on the 8-port switch of the firewall device without requiring an additional Layer2 switch in the network. This is particularly useful in very small SOHO networks with 4-5 devices (such as small remote offices or very small business networks). If you had also the security plus license, you could further separate the 8-ports of the 5505 into additional VLANs.

Now, the new ASA5506-X does come with 8xGE gigabit interfaces which however are routed interfaces. In simple words, there is NO switch on the ASA 5506-X !!!

MORE READING:  How to Block Access to Websites with a Cisco ASA Firewall (with FQDN)

This means that you need to have an external layer2 switch in order to connect several devices on the network. If you want to have a similar situation as the 5505 where all the ports from 1 to 7 were assigned in Vlan1 as “inside” security zone, then you need to configure etherchannel (or port-channel as Cisco defines it). Basically you group together several ports of the 5506-X and you create a logical port-channel interface which you assign it as the “inside” zone.

Despite the fact that there is no embedded switch on the 5506-X, this device has a lot more security features and much better performance than the 5505 which compensates for the lack of a switch. If you enable the FirePower subscription features on this device, then you have an all-in-one security solution which will greatly help in defending against cyber attacks. Have a look at this ASA 5506-X Configuration Tutorial for basic and advanced examples of configuring this new firewall model.

Related Posts

Filed Under: Cisco ASA General

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. RAFAEL says

    Hello, “you need to configure etherchannel (or port-channel as Cisco defines it). Basically you group together several ports of the 5506-X and you create a logical port-channel interface which you assign it as the “inside” zone”. How to do this?

  2. Harris Andrea says

    Hello, here is how to do it:

    1) Create port channel:
    interface Port-channel1
    lacp max-bundle 8
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0

    2) Add the physical interfaces you want to the port-channel
    interface GigabitEthernet1/2
    channel-group 1 mode on
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/3
    channel-group 1 mode on
    no nameif
    no security-level
    no ip address

  3. RAFAEL says

    I created a Vlan for guest wifi, interface 1/6 is connected at switch, the switch port is connected at computer, dhcp is ok, but no internet access. I want connect guest wifi with outside2. What its missing?

    : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cor es)
    :
    ASA Version 9.5(1)
    !

    names
    !
    interface GigabitEthernet1/1
    nameif outside1
    security-level 0
    ip address xxx 255.255.255.0
    !
    interface GigabitEthernet1/2
    no nameif
    security-level 0
    ip address xxx 255.255.255.0
    !
    interface GigabitEthernet1/3
    nameif inside
    security-level 100
    ip address 192.168.200.254 255.255.255.0
    policy-route route-map pbr-policy
    !
    interface GigabitEthernet1/4
    nameif outside2
    security-level 0
    ip address xxx 255.255.255.0
    !
    interface GigabitEthernet1/5
    nameif outside3
    security-level 0
    ip address xxx 255.255.255.0
    !
    interface GigabitEthernet1/6
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/6.10
    vlan 10
    nameif guestwifi
    security-level 0
    ip address 10.1.1.254 255.255.255.0
    !
    interface GigabitEthernet1/7
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1/8
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management1/1
    management-only
    shutdown
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    object network obj_192.168.200.1-120
    range 192.168.200.1 192.168.200.120
    object network obj_192.168.200.121-140
    range 192.168.200.121 192.168.200.140
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj_192.168.200.0
    subnet 192.168.200.0 255.255.255.0
    object network obj_192.168.200.241-252
    range 192.168.200.241 192.168.200.252
    object network obj_192.168.200.141-240
    range 192.168.200.141 192.168.200.240
    object network obj_10.1.1.1-250
    subnet 10.1.0.0 255.255.255.0
    object-group service general-services
    access-list outside1-traffic extended permit ip object obj_192.168.200.1-120 any
    access-list outside3-traffic extended permit ip object obj_192.168.200.241-252 any
    pager lines 24
    mtu outside1 1500
    mtu inside 1500
    mtu outside2 1500
    mtu outside3 1500
    mtu guestwifi 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected

    nat (inside,outside2) source dynamic any interface
    nat (inside,outside1) source dynamic any interface

    !
    object network obj_10.1.1.1-250
    nat (guestwifi,outside2) dynamic interface
    !
    nat (inside,outside3) after-auto source dynamic obj_192.168.200.241-252 interface
    nat (guestwifi,outside2) after-auto source dynamic any interface
    access-group outside1_acl in interface outside1
    access-group outside2_acl in interface outside2
    !
    route-map pbr-policy permit 10
    match ip address outside1-traffic
    set ip next-hop xxx

    !
    route-map pbr-policy permit 30
    match ip address outside3-traffic
    set ip next-hop xxx

    !
    route outside2 0.0.0.0 0.0.0.0 xxx 1
    route outside1 0.0.0.0 0.0.0.0 xxx 3

  4. Harris Andrea says

    Remove the sub-interface Gig1/6.10 and assign IP address directly to the main interface.

  5. Rafael says

    thank you so much, but i have other “mission”, create a corp wifi. Gig1/7 and nat (corpwifi,redelocal1)?

  7. Rafael says

    I try with acl and nat , but i dont know, can you give me a tip?

    my attemps:
    – access-list wifi_acl extended permit ip object obj_192.168.200.2 any
    – nat (wifi-corp,inside) source dynamic any interface

  8. Harris Andrea says

    The problem is on the nat rule. Try to configure static nat between inside > wifi-corp and then access the inside from wifi-corp with ACL

  9. rafael says

    i achieved, but again, other problem. These two interfaces they are connected in switch, on the switch i created two vlans and associated other two ports for transmission, they are in untagged mode, i would need only one port transmission the two vlans, cisco asa 5506 dont have switchport for connect tagged mode, i dont know if you understood me, but is this, thank you for support.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING

BLOGROLL

Tech21Century
Firewall.cx