No switch option on Cisco ASA 5506-X

Written By Harris Andrea

5505vs5506

The new ASA 5506-X and 5508-X were released a few months ago from Cisco and are the models which will replace the very successful ASA5505 SOHO firewall.

Especially the 5506-X is marketed as the ideal replacement for the 5505 which was very popular and successful in small network deployments.

As you might know already, the 8 interfaces of the ASA 5505 act as an 8-port Layer2 switch (with Power of Ethernet ports as well). This means that you can directly connect computers and other hosts on the 8-port switch of the firewall device without requiring an additional Layer2 switch in the network. This is particularly useful in very small SOHO networks with 4-5 devices (such as small remote offices or very small business networks). If you had also the security plus license, you could further separate the 8-ports of the 5505 into additional VLANs.

Now, the new ASA5506-X does come with 8xGE gigabit interfaces which however are routed interfaces. In simple words, there is NO switch on the ASA 5506-X !!!

MORE READING: How to Block HTTP DDoS Attack with Cisco ASA Firewall

This means that you need to have an external layer2 switch in order to connect several devices on the network. If you want to have a similar situation as the 5505 where all the ports from 1 to 7 were assigned in Vlan1 as “inside” security zone, then you need to configure etherchannel (or port-channel as Cisco defines it). Basically you group together several ports of the 5506-X and you create a logical port-channel interface which you assign it as the “inside” zone.

Despite the fact that there is no embedded switch on the 5506-X, this device has a lot more security features and much better performance than the 5505 which compensates for the lack of a switch. If you enable the FirePower subscription features on this device, then you have an all-in-one security solution which will greatly help in defending against cyber attacks. Have a look at this ASA 5506-X Configuration Tutorial for basic and advanced examples of configuring this new firewall model.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

RAFAEL says

June 1, 2022 at 5:16 pm

Hello, “you need to configure etherchannel (or port-channel as Cisco defines it). Basically you group together several ports of the 5506-X and you create a logical port-channel interface which you assign it as the “inside” zone”. How to do this?
Harris Andrea says

June 1, 2022 at 6:13 pm

Hello, here is how to do it:

1) Create port channel:
interface Port-channel1
lacp max-bundle 8
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0

2) Add the physical interfaces you want to the port-channel
interface GigabitEthernet1/2
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
channel-group 1 mode on
no nameif
no security-level
no ip address
RAFAEL says

June 1, 2022 at 7:34 pm

I created a Vlan for guest wifi, interface 1/6 is connected at switch, the switch port is connected at computer, dhcp is ok, but no internet access. I want connect guest wifi with outside2. What its missing?

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cor es)
:
ASA Version 9.5(1)
!

names
!
interface GigabitEthernet1/1
nameif outside1
security-level 0
ip address xxx 255.255.255.0
!
interface GigabitEthernet1/2
no nameif
security-level 0
ip address xxx 255.255.255.0
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.200.254 255.255.255.0
policy-route route-map pbr-policy
!
interface GigabitEthernet1/4
nameif outside2
security-level 0
ip address xxx 255.255.255.0
!
interface GigabitEthernet1/5
nameif outside3
security-level 0
ip address xxx 255.255.255.0
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6.10
vlan 10
nameif guestwifi
security-level 0
ip address 10.1.1.254 255.255.255.0
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_192.168.200.1-120
range 192.168.200.1 192.168.200.120
object network obj_192.168.200.121-140
range 192.168.200.121 192.168.200.140
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_192.168.200.0
subnet 192.168.200.0 255.255.255.0
object network obj_192.168.200.241-252
range 192.168.200.241 192.168.200.252
object network obj_192.168.200.141-240
range 192.168.200.141 192.168.200.240
object network obj_10.1.1.1-250
subnet 10.1.0.0 255.255.255.0
object-group service general-services
access-list outside1-traffic extended permit ip object obj_192.168.200.1-120 any
access-list outside3-traffic extended permit ip object obj_192.168.200.241-252 any
pager lines 24
mtu outside1 1500
mtu inside 1500
mtu outside2 1500
mtu outside3 1500
mtu guestwifi 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

nat (inside,outside2) source dynamic any interface
nat (inside,outside1) source dynamic any interface

!
object network obj_10.1.1.1-250
nat (guestwifi,outside2) dynamic interface
!
nat (inside,outside3) after-auto source dynamic obj_192.168.200.241-252 interface
nat (guestwifi,outside2) after-auto source dynamic any interface
access-group outside1_acl in interface outside1
access-group outside2_acl in interface outside2
!
route-map pbr-policy permit 10
match ip address outside1-traffic
set ip next-hop xxx

!
route-map pbr-policy permit 30
match ip address outside3-traffic
set ip next-hop xxx

!
route outside2 0.0.0.0 0.0.0.0 xxx 1
route outside1 0.0.0.0 0.0.0.0 xxx 3
Harris Andrea says

June 2, 2022 at 5:13 am

Remove the sub-interface Gig1/6.10 and assign IP address directly to the main interface.
Rafael says

June 2, 2022 at 11:43 am

thank you so much, but i have other “mission”, create a corp wifi. Gig1/7 and nat (corpwifi,redelocal1)?
Harris Andrea says

June 2, 2022 at 12:45 pm

That one I’ll leave it on you :) you can find it out I’m sure :)
Rafael says

June 2, 2022 at 6:09 pm

I try with acl and nat , but i dont know, can you give me a tip?

my attemps:
– access-list wifi_acl extended permit ip object obj_192.168.200.2 any
– nat (wifi-corp,inside) source dynamic any interface
Harris Andrea says

June 3, 2022 at 5:40 am

The problem is on the nat rule. Try to configure static nat between inside > wifi-corp and then access the inside from wifi-corp with ACL
rafael says

June 3, 2022 at 1:51 pm

i achieved, but again, other problem. These two interfaces they are connected in switch, on the switch i created two vlans and associated other two ports for transmission, they are in untagged mode, i would need only one port transmission the two vlans, cisco asa 5506 dont have switchport for connect tagged mode, i dont know if you understood me, but is this, thank you for support.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

No switch option on Cisco ASA 5506-X

Related Posts

Download Free Cisco Commands Cheat Sheets

About Harris Andrea

Comments

Leave a Reply

About Networks Training

Amazon Disclosure

Search

BLOGROLL