How to create a sub-interface on ASA firewall

This is handy when you run out of physical interfaces but need more network subnets: you can carve one interface into separate virtual interfaces using VLAN tagging.

ASA Config:

interface GigabitEthernet0/1
 duplex full
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/1.205
 description Department1
 vlan 205
 nameif 205
 security-level 100
 ip address 10.1.1.254 255.255.255.0

interface GigabitEthernet0/1.200
 description Department2
 vlan 200
 nameif 200
 security-level 95
 ip address 10.2.2.254 255.255.255.0

interface GigabitEthernet0/3
 duplex full
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/3.201
 description Department3
 vlan 201
 nameif 201
 security-level 90
 ip address 10.3.3.254 255.255.255.0

interface GigabitEthernet0/3.202
 description Department4
 vlan 202
 nameif 202
 security-level 85
 ip address 10.4.4.254 255.255.255.0

I then link the firewall interfaces to the Cisco switch using trunk links, tagging all the VLANs I need.

ASA – interface GigabitEthernet0/1 >> Cisco Switch interface GigabitEthernet1/0/47

ASA – interface GigabitEthernet0/3 >> Cisco Switch interface GigabitEthernet1/0/48

Switch config:

!
 interface GigabitEthernet1/0/47
  switchport trunk allowed vlan 200,205
  switchport mode trunk
  spanning-tree portfast
 !
 interface GigabitEthernet1/0/48
  switchport trunk allowed vlan 201,202
  switchport mode trunk
  spanning-tree portfast
 !

Assign endpoints to the correct VLAN:

!
 interface GigabitEthernet2/0/3
  switchport access vlan 200
  spanning-tree portfast
 !
 interface GigabitEthernet2/0/4
  switchport access vlan 202
  spanning-tree portfast
 !

Change the native VLAN on the trunk links if you need to; remember to add the native VLAN to the ‘allowed vlan’ list as well.

!
 interface GigabitEthernet2/0/22
  switchport trunk native vlan 1010
  switchport trunk allowed vlan 200-205,1010
  switchport mode trunk
  spanning-tree portfast
 !
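
The following added example is not part of the original post. It checks that every VLAN tagged on an ASA sub-interface is allowed on the switch trunk it connects to, that the trunk allows no VLAN the firewall does not use, and that any native VLAN is in the allowed list. The function names, the LINKS mapping and the trimmed sample configs are assumptions made for the example.

```python
import re

# Constructed sample input: the page's Gi0/1 sub-interfaces and Gi1/0/47 trunk, trimmed.
ASA_CFG = """
interface GigabitEthernet0/1.205
 vlan 205
interface GigabitEthernet0/1.200
 vlan 200
"""
SWITCH_CFG = """
interface GigabitEthernet1/0/47
 switchport trunk allowed vlan 200,205
 switchport mode trunk
"""
LINKS = {"GigabitEthernet0/1": "GigabitEthernet1/0/47"}  # ASA port -> switch port (assumed mapping format)

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '200-205,1010' into a set of ints."""
    vlans = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Map each interface name to the text of the config block beneath it."""
    parts = re.split(r"^[ \t]*interface (\S+)[ \t]*$", config, flags=re.M)
    return dict(zip(parts[1::2], parts[2::2]))

def audit(asa_cfg, switch_cfg, links):
    """Return one finding string per mismatch between ASA tags and switch trunks."""
    asa, sw, out = parse_interfaces(asa_cfg), parse_interfaces(switch_cfg), []
    for asa_port, sw_port in links.items():
        tagged = {int(v) for name, body in asa.items() if name.startswith(asa_port + ".")
                  for v in re.findall(r"^[ \t]*vlan (\d+)", body, re.M)}
        body = sw.get(sw_port, "")
        specs = re.findall(r"^[ \t]*switchport trunk allowed vlan (?:add )?([\d,-]+)", body, re.M)
        allowed = set().union(*map(expand_vlans, specs))
        native = {int(v) for v in re.findall(r"^[ \t]*switchport trunk native vlan (\d+)", body, re.M)}
        if not re.search(r"^[ \t]*switchport mode trunk", body, re.M):
            out.append(f"{sw_port}: not a static trunk")
        if not allowed:  # IOS default: a trunk without an allowed list carries all VLANs
            out.append(f"{sw_port}: no allowed list, trunk carries every VLAN")
            continue
        out += [f"{sw_port}: VLAN {v} tagged on {asa_port} is not allowed" for v in sorted(tagged - allowed)]
        out += [f"{sw_port}: VLAN {v} allowed but has no sub-interface on {asa_port}"
                for v in sorted(allowed - tagged - native)]
        out += [f"{sw_port}: native VLAN {v} missing from allowed list" for v in sorted(native - allowed)]
    return out

if __name__ == "__main__":
    print(audit(ASA_CFG, SWITCH_CFG, LINKS) or "trunks match the ASA sub-interfaces")
```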
