Cisco ASA VLANs and Sub-Interfaces

Hi Mark,

Glad to hear you like it!

The sub-interfaces work exactly the same on the outside so yes, you can use this example.

Rene

Thanks Rene

How then am I able to direct traffic coming in on subinterface outside.10 specifically to subinterface inside.10 only? I can see how you could do it on the inside with a switch but am unsure with the outside to inside sub interfaces.

Mark

Hi Mark,

By default, all traffic from a higher security level (OUTSIDE) to a lower security level (INSIDE) will be dropped. The only thing you have to do is to create an access-list and permit the traffic you want. Take a look at this example:

Look for the “Permit Traffic to DMZ” section. Instead of the DMZ, it will be INSIDE for you.

The ASA will use regular routing to select the egress interface. Let’s say you have an INSIDE gi0/1.10 sub-interface with IP address 192.168.1.254/24 on it. If you receive a packet on one of your OUTSIDE sub-interfaces with source 1.2.3.4 and destination 192.168.1.55 then it will forward the packet on your gi0/1.10 sub-interface (if it is permitted with an access-list).

Since ASA 9.4, it is also possible to use PBR (Policy Based Routing) to overrule default routing behavior btw.

Rene

That’s great, thanks Rene. The ultimate goal is to have an IPSec site to site VPN terminating on each of the outside sub interfaces and then passing the traffic to individual, isolated, machines on each of the inside VLAN interfaces on the Catalyst. I may yet come back to bother you again :slight_smile:

No problem!

With IPsec site-to-site VPN, it’s even simpler. Take a look at this example:

You still have to create an access-list but it defines the LAN-to-LAN traffic that has to be encrypted. Everything that is not in the access-list will not be tunneled :slight_smile:

Hi there again

I have my inside VLANS working a treat on sub interfaces - thanks for all the advice.

What I cannot get working are multiple sub-interfaces on the outside interface. This is my (basic) config that works:

----------
interface GigabitEthernet1/1
description WAN
nameif OUTSIDE
security-level 0
ip address 95.80.38.209 255.255.255.128
no shut
!
interface GigabitEthernet1/2
no ip address
no nameif
no security-level
no shut
!
interface GigabitEthernet1/2.60
description LAN60
vlan 60
nameif INSIDE60
security-level 100
ip address 192.168.60.1 255.255.255.0
no shut
!
nat (INSIDE60,OUTSIDE) after-auto source dynamic any interface

route OUTSIDE 0.0.0.0 0.0.0.0 95.80.38.129

policy-map global_policy
class inspection_default
inspect icmp

----------

I can add multiple sub-interfaces on INSIDE and all stays working - I can ping the internet quite happily from the ASA and the devices on the inside VLANs.

However - if I use this configuration I run into trouble and nothing can see the internet:

----------
interface GigabitEthernet1/1
no ip address
no description
no nameif
no security-level
no shut
!
interface GigabitEthernet1/1.60
description WAN60
vlan 160
nameif OUTSIDE60
security-level 0
ip address 95.80.38.209 255.255.255.128
no shut
!
interface GigabitEthernet1/2
no ip address
no nameif
no security-level
no shut
!
interface GigabitEthernet1/2.60
description LAN60
vlan 60
nameif INSIDE60
security-level 100
ip address 192.168.60.1 255.255.255.0
no shut
!
nat (INSIDE60,OUTSIDE60) after-auto source dynamic any interface

route OUTSIDE60 0.0.0.0 0.0.0.0 95.80.38.129

policy-map global_policy
class inspection_default
inspect icmp

----------

I am thinking it may be a restriction on my actual device now (5508) and I may need a device that supports multiple security contexts and effectively have multiple virtual firewalls in 1 larger device/chassis. What do you think?

Hi Mark,

What is connected on the outside of your ASA?

interface GigabitEthernet1/1.60
description WAN60
vlan 160
nameif OUTSIDE60
security-level 0
ip address 95.80.38.209 255.255.255.128

You are using VLAN 160 here so is there a switch on the outside with a trunk that supports these tags?

If you have a single connection to your ISP router and a small subnet with some IP addresses then it might be a better idea to use multiple context mode.

Rene

Yes - you’ve nailed it there - and I quickly realised after posting that one actually. We cannot tag the traffic coming in…

It looks like multi context mode may now be the way to go for us. Thanks for all the pointers, appreciated.

Am I understanding this correctly? Shouldnt INSIDE1 should not be able to send ICMP or TELNET requests to INSIDE2 due to the security level yet in your diagram it shows that it does. I dont see any FW rules so how is it possible?

Hi Michael,

INSIDE2 has a security level of 80, INSIDE1 is 70.

Going from a higher security level (80) to a lower one (70) is no problem.

The pings are from R1/R2 to their gateway addresses, the final test is a telnet from R2 to R1.

Rene

Hi rene,

Can you correct my understanding here. I recently setup an ASA 5520 with Outside interface on vlan 300 and directly connected it to an L3 switch. I configured the L3 switch on same vlan and subnet also. However they couldn’t ping each other until I changed the L3 switch to a trunk port. Why is this? In switches if 2 access ports are connected on same vlan they can communicate with each other so why in this case it didn’t on same subnet and vlan?

Hello Zahan.

By default the ASA treats its interfaces as access ports and supports a single VLAN (with no tagging of frames). So if you haven’t made any changes to the ASA port, it should be in access mode. So if both the switch and the ASA are configured correctly, and you have access ports configured on both ends, the connection should work. Look over your configuration on both interfaces (the ASA and the switch) to confirm you’ve got it correctly configured. If you still have problems, copy and paste the relevant portions of the config so we can take a look. Only the relevant portions please, not the whole configuration. :slight_smile:

I hope this has been helpful!

Laz

Hi Rene,

I am facing with some issue in intervlan routing at ASA 5585.Is there any command to add in intervlan Routing.
Already configured with “same-security-traffic permit inter-interface” and “same-security-traffic permit intra-interface”.

Hi Ye Yint,

What kind of issues are you facing? Routing on the ASA is pretty limited.

Rene

19 posts were merged into an existing topic: Cisco ASA VLANs and Sub-Interfaces

Hi Rene,

I’m a newbie in need of config help involving a catalyst 4500x and ASA5512X.
I will be managing 4500x that is connected to my DataCenter provider’s ASA 5512x.

Here are the details:
All internal routing is done on the 4500x.
Inter VLAN on the switch (VLAN 500, VLAN 69, VLAN xxx, VLAN xxy)

VLAN 500 - 4500x TE1/1/17 <==> ASA Ge0/1 (Primary) and 4500x TE2/1/17 <==> ASA Ge0/1 (Secondary).
-- 10.10.10.3 / 29

4500x config:

interface TenGigabitEthernet1/1/17
 switchport mode trunk
 switchport trunk allowed vlan 500

interface TenGigabitEthernet2/1/17
 switchport mode trunk
 switchport trunk allowed vlan 500

--VLAN 69 (192.168.69.2 /24)
Interface TenGigabitEthernet1/1/4
 description Test Server
 switchport access vlan 69
 switchport mode access
 spanning-tree portfast

interface Vlan69
 ip address 192.168.69.2 255.255.255.0

interface Vlan500
 ip address 10.10.10.3 255.255.255.248

-- Default gateway 10.10.10.1 

****************
--ASA 5512x config:

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.500
 vlan 500
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2 

access-list inside_in extended permit ip 192.168.69.0 255.255.255.0 any 

object network obj-192.168.69.0-24
 nat (inside,outside) dynamic interface

route inside 192.168.69.0 255.255.255.0 192.168.69.2 1

******************
My DC provider claims that everything is setup on their end for internet access, however I am unable to connect to the outside from a server behind the 4500x.
From the 4500x, I can ping 10.10.10.1 and .2.
I can’t ping any public address.
No internet access from the server.

What’s missing or needs to change on either ends? Is trunking on the ASA really necessary?
Please advise.

Thanks!

Hi @akosiron

If you can ping from your server to the INSIDE ip address of your ASA, then at least you know your trunks/vlans are OK.

The only reason to use a trunk, is if you need multiple VLANs between your ASA and switch. I see you only use VLAN 500, so it’s not needed unless you plan to add more VLANs later.

The ASA has this route:

route inside 192.168.69.0 255.255.255.0 192.168.69.2 1

How does it know how to get to 192.168.69.2? It’s telling that to reach 192.168.69.0/24, you have to get to 192.168.69.2 (chicken and egg problem). The next hop should be 10.10.10.3, the IP address you use on your switch for the VLAN 500 interface.

That’s the one the ASA knows how to reach:

interface GigabitEthernet0/1.500
 vlan 500
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2 

Rene

Hi Renee,

The issue has been resolved .
The problem was, as you pointed out, is the ASA’s next hop.
I may add more vlans to between asa and 4500x that is why it was trunked.

Thanks.

-RON

Hello there,

What is BVI interface?

is there any major difference between bvi and vlan?
I tried to find online but couldn’t find satisfied answer. so if you can explain me a bit with some diagram and example please and thanks.

and by the way we are using ASA 5506.

thanks

Hi Ankit,

TL;DR the BVI interface is the virtual L3 interface you can use for your VLAN.

There are two interface types:

  • Switchport interfaces (L2)
  • Routed interfaces (L3)

A switchport interface only works on L2 and forwards Ethernet frames by switching. You can’t configure an IP address on a L2 switchport interfaces. This is what a L2 switch does. You can add multiple switchport interfaces to a single VLAN.

A routed interface has an IP address and does not forward frames by switching. Since it’s a L3 interface, it doesn’t belong to any VLANs.

You probably want to use a default gateway for the hosts in your VLAN so where do you configure the IP address for the gateway? You can’t configure it on a switchport interface. That’s why we use BVI interfaces.

The BVI interface is a virtual L3 interface that belongs to your VLAN. You can configure your IP address there, and all hosts within the VLAN can communicate with the BVI interface.

In the case of your ASA 5506, originally it didn’t support L2 switchport interfaces. The only thing you could do is configure each interface as a routed interface. This was pretty silly, people were used to the 5505 that did support switchport interfaces and now they had a 8 port 5506 that didn’t support it.

Nowadays, it supports switchport interfaces so you can configure all 8 ports as switchport interfaces, add them to a single VLAN, and use a BVI interface for the default gateway.

Hope this helps!

Rene