Cisco ASA VLANs and Sub-Interfaces

Hi Aaron,

It really depends what you are trying to achieve. If you use your switches for Inter-VLAN routing then there’s no need to create a trunk to your ASAs, a static route will do the job.

If you want the ASAs for inter-VLAN routing then yes, you will need a trunk…your hosts will then use the ASA as their default gateway and you’ll have a bunch of sub (inside) interfaces.

Rene

Thanks Rene,
That clears things up.

Appreciated

Hi Rene

Many thanks for the guide - very useful.

I have been asked to set up a 5508 with sub interfaces on not only the inside interface but the outside as well. Traffic that came in to outside.10 would need to go to inside.10 / outside.20 to inside.20 etc. (5 in total). Each of the sub interfaces (inside and outside) would be on separate subnets.

Do you reckon that can be done in the same sort of way?

Hi Mark,

Glad to hear you like it!

The sub-interfaces work exactly the same on the outside so yes, you can use this example.

Rene

Thanks Rene

How then am I able to direct traffic coming in on subinterface outside.10 specifically to subinterface inside.10 only? I can see how you could do it on the inside with a switch but am unsure with the outside to inside sub interfaces.

Mark

Hi Mark,

By default, all traffic from a higher security level (OUTSIDE) to a lower security level (INSIDE) will be dropped. The only thing you have to do is to create an access-list and permit the traffic you want. Take a look at this example:

https://networklessons.com/cisco/cisco-asa/cisco-asa-access-list/

Look for the “Permit Traffic to DMZ” section. Instead of the DMZ, it will be INSIDE for you.

The ASA will use regular routing to select the egress interface. Let’s say you have an INSIDE gi0/1.10 sub-interface with IP address 192.168.1.254/24 on it. If you receive a packet on one of your OUTSIDE sub-interfaces with source 1.2.3.4 and destination 192.168.1.55 then it will forward the packet on your gi0/1.10 sub-interface (if it is permitted with an access-list).

Since ASA 9.4, it is also possible to use PBR (Policy Based Routing) to overrule default routing behavior btw.

Rene

That’s great, thanks Rene. The ultimate goal is to have an IPSec site to site VPN terminating on each of the outside sub interfaces and then passing the traffic to individual, isolated, machines on each of the inside VLAN interfaces on the Catalyst. I may yet come back to bother you again :)

No problem!

With IPsec site-to-site VPN, it’s even simpler. Take a look at this example:

https://networklessons.com/cisco/cisco-asa/cisco-asa-site-site-ikev1-ipsec-vpn/

You still have to create an access-list but it defines the LAN-to-LAN traffic that has to be encrypted. Everything that is not in the access-list will not be tunneled :)
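The design discussed in the two replies above (sub-interfaces on both OUTSIDE and INSIDE, an access-list so that traffic arriving on OUTSIDE.10 can reach INSIDE.10, and an IKEv1 site-to-site tunnel terminating on the outside sub-interface), written out as one configuration. This is an added example in ASA 9.x syntax; it is not configuration from the thread or from the linked lessons, and every address, VLAN number, peer, object name and pre-shared key in it is assumed. Two points it makes explicit: the ASA's security levels give OUTSIDE 0 and INSIDE 100, so it is traffic from the lower-security OUTSIDE sub-interface towards the higher-security INSIDE sub-interface that is dropped until an access-list permits it (connections started from INSIDE get their return traffic through the stateful inspection), and the egress interface for such traffic is picked by the routing table, which already holds the connected route for the INSIDE subnet.

```cisco
! Parent interfaces carry only 802.1Q-tagged frames: no nameif, no IP.
interface GigabitEthernet1/1
 description WAN trunk (assumed: the upstream device sends tagged frames)
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet1/1.10
 description WAN10
 vlan 110
 nameif OUTSIDE10
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet1/2
 description LAN trunk to the Catalyst
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet1/2.10
 description LAN10
 vlan 10
 nameif INSIDE10
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1/2.20
 description LAN20
 vlan 20
 nameif INSIDE20
 security-level 100
 ip address 192.168.20.254 255.255.255.0
!
! INSIDE10 and INSIDE20 are both level 100. Without
! "same-security-traffic permit inter-interface" the ASA drops traffic
! between them, which is exactly what keeps the two VLANs isolated.
!
object network NET-INSIDE10
 subnet 192.168.10.0 255.255.255.0
object network NET-REMOTE10
 subnet 10.10.10.0 255.255.255.0
!
! Egress is plain routing: 192.168.10.0/24 is a connected route on
! INSIDE10, so a packet from OUTSIDE10 to 192.168.10.55 leaves via
! gi1/2.10 once an access-list permits it. The VPN peer (assumed
! 198.51.100.2) is reached through the default route.
route OUTSIDE10 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! OUTSIDE10 (0) -> INSIDE10 (100) is denied until permitted. Keep the
! permit narrow; the final deny with "log" shows what else is knocking.
access-list OUTSIDE10_IN extended permit tcp object NET-REMOTE10 object NET-INSIDE10 eq 443
access-list OUTSIDE10_IN extended deny ip any any log
access-group OUTSIDE10_IN in interface OUTSIDE10
!
! NAT: identity (no-NAT) for the tunnel pair first, dynamic PAT for
! everything else from INSIDE10 that goes to the internet.
nat (INSIDE10,OUTSIDE10) source static NET-INSIDE10 NET-INSIDE10 destination static NET-REMOTE10 NET-REMOTE10 no-proxy-arp route-lookup
nat (INSIDE10,OUTSIDE10) after-auto source dynamic any interface
!
! IKEv1 site-to-site tunnel terminating on the OUTSIDE10 sub-interface.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable OUTSIDE10
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! The crypto ACL defines what is encrypted; traffic from INSIDE10 that
! does not match it is PATed and sent in the clear.
access-list VPN10_TRAFFIC extended permit ip object NET-INSIDE10 object NET-REMOTE10
crypto map CM-OUTSIDE10 10 match address VPN10_TRAFFIC
crypto map CM-OUTSIDE10 10 set peer 198.51.100.2
crypto map CM-OUTSIDE10 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-OUTSIDE10 10 set pfs group14
crypto map CM-OUTSIDE10 interface OUTSIDE10
!
! By default decrypted tunnel traffic bypasses interface access-lists
! (sysopt connection permit-vpn). Disable that so OUTSIDE10_IN also
! governs what the remote site may reach inside the isolated VLAN.
no sysopt connection permit-vpn
```

A second outside sub-interface (OUTSIDE20, its own subnet and peer) is configured the same way, with its own crypto map bound to it and its own identity NAT; since the example carries a single default route on OUTSIDE10, a peer that is not on OUTSIDE20's connected subnet needs an explicit static route via OUTSIDE20's gateway.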

Hi there again

I have my inside VLANS working a treat on sub interfaces - thanks for all the advice.

What I cannot get working are multiple sub-interfaces on the outside interface. This is my (basic) config that works:

----------
interface GigabitEthernet1/1
description WAN
nameif OUTSIDE
security-level 0
ip address 95.80.38.209 255.255.255.128
no shut
!
interface GigabitEthernet1/2
no ip address
no nameif
no security-level
no shut
!
interface GigabitEthernet1/2.60
description LAN60
vlan 60
nameif INSIDE60
security-level 100
ip address 192.168.60.1 255.255.255.0
no shut
!
nat (INSIDE60,OUTSIDE) after-auto source dynamic any interface

route OUTSIDE 0.0.0.0 0.0.0.0 95.80.38.129

policy-map global_policy
class inspection_default
inspect icmp

----------

I can add multiple sub-interfaces on INSIDE and all stays working - I can ping the internet quite happily from the ASA and the devices on the inside VLANs.

However - if I use this configuration I run into trouble and nothing can see the internet:

----------
interface GigabitEthernet1/1
no ip address
no description
no nameif
no security-level
no shut
!
interface GigabitEthernet1/1.60
description WAN60
vlan 160
nameif OUTSIDE60
security-level 0
ip address 95.80.38.209 255.255.255.128
no shut
!
interface GigabitEthernet1/2
no ip address
no nameif
no security-level
no shut
!
interface GigabitEthernet1/2.60
description LAN60
vlan 60
nameif INSIDE60
security-level 100
ip address 192.168.60.1 255.255.255.0
no shut
!
nat (INSIDE60,OUTSIDE60) after-auto source dynamic any interface

route OUTSIDE60 0.0.0.0 0.0.0.0 95.80.38.129

policy-map global_policy
class inspection_default
inspect icmp

----------

I am thinking it may be a restriction on my actual device now (5508) and I may need a device that supports multiple security contexts and effectively have multiple virtual firewalls in 1 larger device/chassis. What do you think?

Hi Mark,

What is connected on the outside of your ASA?

interface GigabitEthernet1/1.60
description WAN60
vlan 160
nameif OUTSIDE60
security-level 0
ip address 95.80.38.209 255.255.255.128

You are using VLAN 160 here so is there a switch on the outside with a trunk that supports these tags?

If you have a single connection to your ISP router and a small subnet with some IP addresses then it might be a better idea to use multiple context mode.

Rene

Yes - you’ve nailed it there - and I quickly realised after posting that one actually. We cannot tag the traffic coming in…

It looks like multi context mode may now be the way to go for us. Thanks for all the pointers, appreciated.

Am I understanding this correctly? Shouldn't INSIDE1 be unable to send ICMP or TELNET requests to INSIDE2 due to the security level? Yet in your diagram it shows that it does. I don't see any FW rules, so how is it possible?

Hi Michael,

INSIDE2 has a security level of 80, INSIDE1 is 70.

Going from a higher security level (80) to a lower one (70) is no problem.

The pings are from R1/R2 to their gateway addresses, the final test is a telnet from R2 to R1.

Rene

Hi Rene,

Can you correct my understanding here? I recently set up an ASA 5520 with the Outside interface on VLAN 300 and directly connected it to an L3 switch. I configured the L3 switch on the same VLAN and subnet also. However, they couldn’t ping each other until I changed the L3 switch port to a trunk port. Why is this? In switches, if 2 access ports are connected on the same VLAN they can communicate with each other, so why in this case didn’t it work on the same subnet and VLAN?

Hello Zahan.

By default the ASA treats its interfaces as access ports and supports a single VLAN (with no tagging of frames). So if you haven’t made any changes to the ASA port, it should be in access mode. So if both the switch and the ASA are configured correctly, and you have access ports configured on both ends, the connection should work. Look over your configuration on both interfaces (the ASA and the switch) to confirm you’ve got it correctly configured. If you still have problems, copy and paste the relevant portions of the config so we can take a look. Only the relevant portions please, not the whole configuration. :)

I hope this has been helpful!

Laz

Hi Rene,

I am facing some issues with inter-VLAN routing on an ASA 5585. Is there any command to add for inter-VLAN routing?
I have already configured “same-security-traffic permit inter-interface” and “same-security-traffic permit intra-interface”.

Hi Ye Yint,

What kind of issues are you facing? Routing on the ASA is pretty limited.

Rene


Hi Rene,

I’m a newbie in need of config help involving a Catalyst 4500-X and an ASA 5512-X.
I will be managing the 4500-X that is connected to my data center provider’s ASA 5512-X.

Here are the details:
All internal routing is done on the 4500x.
Inter VLAN on the switch (VLAN 500, VLAN 69, VLAN xxx, VLAN xxy)

VLAN 500 - 4500x TE1/1/17 <==> ASA Ge0/1 (Primary) and 4500x TE2/1/17 <==> ASA Ge0/1 (Secondary).
-- 10.10.10.3 / 29

4500x config:

interface TenGigabitEthernet1/1/17
 switchport mode trunk
 switchport trunk allowed vlan 500

interface TenGigabitEthernet2/1/17
 switchport mode trunk
 switchport trunk allowed vlan 500

--VLAN 69 (192.168.69.2 /24)
Interface TenGigabitEthernet1/1/4
 description Test Server
 switchport access vlan 69
 switchport mode access
 spanning-tree portfast

interface Vlan69
 ip address 192.168.69.2 255.255.255.0

interface Vlan500
 ip address 10.10.10.3 255.255.255.248

-- Default gateway 10.10.10.1 

****************
--ASA 5512x config:

interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.500
 vlan 500
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2 

access-list inside_in extended permit ip 192.168.69.0 255.255.255.0 any 

object network obj-192.168.69.0-24
 nat (inside,outside) dynamic interface

route inside 192.168.69.0 255.255.255.0 192.168.69.2 1

******************
My DC provider claims that everything is set up on their end for internet access; however, I am unable to connect to the outside from a server behind the 4500-X.
From the 4500x, I can ping 10.10.10.1 and .2.
I can’t ping any public address.
No internet access from the server.

What’s missing or needs to change on either ends? Is trunking on the ASA really necessary?
Please advise.

Thanks!

Hi @akosiron

If you can ping from your server to the INSIDE ip address of your ASA, then at least you know your trunks/vlans are OK.

The only reason to use a trunk, is if you need multiple VLANs between your ASA and switch. I see you only use VLAN 500, so it’s not needed unless you plan to add more VLANs later.

The ASA has this route:

route inside 192.168.69.0 255.255.255.0 192.168.69.2 1

How does it know how to get to 192.168.69.2? It’s saying that to reach 192.168.69.0/24, you have to get to 192.168.69.2 (a chicken-and-egg problem). The next hop should be 10.10.10.3, the IP address you use on your switch for the VLAN 500 interface.

That’s the one the ASA knows how to reach:

interface GigabitEthernet0/1.500
 vlan 500
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2 

Rene
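The "switch does the inter-VLAN routing, the ASA only needs a static route" layout from the first reply in this thread, combined with the route fix Rene gives just above, as one worked example. This is added configuration, not the poster's or the provider's; the addresses follow the post, while the outside interface, the default routes and the subnet line in the NAT object are assumptions. The Catalyst routes between VLAN 69 and VLAN 500 and points its default route at the ASA; the ASA keeps the tagged VLAN 500 sub-interface so it matches the switch trunks in the post (an access port with a plain `ip address` on Gi0/1 would work just as well), gets the corrected static route via 10.10.10.3, and gets a NAT object that actually names the subnet it translates.

```cisco
! ===== Catalyst 4500-X: routes between VLANs, sends everything else to the ASA =====
ip routing
!
interface Vlan69
 description Servers
 ip address 192.168.69.2 255.255.255.0
!
interface Vlan500
 description Transit to ASA inside
 ip address 10.10.10.3 255.255.255.248
!
interface TenGigabitEthernet1/1/17
 description to ASA Gi0/1 (primary)
 switchport mode trunk
 switchport trunk allowed vlan 500
!
! Everything not local to the switch goes to the ASA's active inside address.
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
! ===== ASA 5512-X (9.x) =====
! Assumed provider-side addressing on the outside interface.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.500
 vlan 500
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2
!
! The ASA reaches 192.168.69.0/24 through the switch, whose VLAN 500
! address is on the ASA's connected subnet. A next hop of 192.168.69.2
! (inside the very prefix being routed) can never be resolved.
route inside 192.168.69.0 255.255.255.0 10.10.10.3 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! The NAT object must carry the subnet it translates; with no "subnet"
! line the dynamic rule matches nothing.
object network obj-192.168.69.0-24
 subnet 192.168.69.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! inside (100) -> outside (0) is allowed by default, but once an
! access-list is applied inbound on inside only what it permits passes.
! Restricting it to the server VLAN keeps the transit subnet (10.10.10.0/29)
! from reaching the internet on its own.
access-list inside_in extended permit ip 192.168.69.0 255.255.255.0 any
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
! Verification (commands only; no output is assumed here):
!   ASA:    show route | include 192.168.69
!   ASA:    packet-tracer input inside icmp 192.168.69.10 8 0 8.8.8.8
!   switch: ping 8.8.8.8 source 192.168.69.2
```

The packet-tracer line is the quickest way to see which of the three stages (route lookup, NAT, access-list) is the one still dropping the server's traffic after the route is corrected.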