You are here: Home » Cisco » ASA Firewall

Cisco ASA VLANs and Sub-Interfaces

Each interface on a Cisco ASA firewall is a security zone so normally this means that the number of security zones is limited to the number of physical interfaces that we have. For example, the ASA 5510 has 4 physical interfaces and often you will only see the following three security zones:

Inside
Outside
DMZ

For a simple scenario this is more than enough but sometimes it’s useful to create additional security zones. For example, maybe you don’t want one “big” DMZ with all your servers but more separation. You could create a security zone with all your mail servers, another one with all the DNS servers and one more with all web servers. This is a good security practice but we’ll need more interfaces to accomplish this.

Luckily the ASA supports trunking and logical interfaces which means we can create multiple logical sub-interfaces on a single physical interface. Each sub-interface can be assigned to a different security zone and they are separated by VLANs.

This means you can create way more than 4 security zones, depending on your ASA model you can create up to 1024 VLANs.

The physical interface on the ASA will become a trunk interface which is not assigned to any security zone. Each sub-interface will be configured for a VLAN, security zone and security level.

Here’s a picture to visualize this:

In the example above we have a Ethernet 0/0 physical interface and two sub-interfaces:

Ethernet 0/0.10 will be used for security zone “INSIDE1” and uses VLAN 10.
Ethernet 0/0.20 will be used for security zone “INSIDE2” and uses VLAN 20.
The physical interface is not configured for any security zone.

Basically this is the same thing as the router on a stick configuration on Cisco IOS routers but on the ASA we also have security zones.

Configuration

Let’s take a look at a configuration example for this. I’ll use the following topology:

On the left side we have our ASA, it’s Ethernet 0/0 interface will be used for trunking. The switch in the middle is connected to two routers, R1 and R2. Each router represents a host in a different security zone:

INSIDE1 which uses VLAN 10 and has a security level of 70.
INSIDE2 which uses VLAN 20 and has a security level of 80.

Let’s start with the ASA configuration…

ASA Configuration

ASA1(config)# interface Ethernet 0/0
ASA1(config-if)# no nameif
ASA1(config-if)# no security-level 
ASA1(config-if)# no ip address 
ASA1(config-if)# no shutdown

The configuration above is the default configuration for an interface on the ASA, there should be no security zone, no security-level and no IP address. Make sure the interface is not in shutdown and we can continue with the sub-interfaces:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
Full Access to our 641 Lessons. More Lessons Added Every Week!
Content created by Rene Molenaar (CCIE #41726)

Give Membership a try - it's just $1 ►

386 New Members signed up the last 30 days!

satisfaction-guaranteed

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: 802.1Q, Security, Trunk

Forum Replies

Openlearner says:

Question:

Why I can not create sub-interfaces if I have the security plus license?
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled
... Continue reading in our forum
ReneMolenaar says:

Hi Mark,

By default, all traffic from a higher security level (OUTSIDE) to a lower security level (INSIDE) will be dropped. The only thing you have to do is to create an access-list and permit the traffic you want. Take a look at this example:

https://networklessons.com/cisco/asa-firewall/cisco-asa-access-list/

Look for the “Permit Traffic to DMZ” section. Instead of the DMZ, it will be INSIDE for you.

The ASA will use regular routing to select the egress interface. Let’s say you have an INSIDE gi0/1.10 sub-interface with IP address 192.168.1.254/24 on it. If
... Continue reading in our forum
markgosden-eu says:

Hi there again

I have my inside VLANS working a treat on sub interfaces - thanks for all the advice.

What I cannot get working are multiple sub-interfaces on the outside interface. This is my (basic) config that works:

----------
interface GigabitEthernet1/1
description WAN
nameif OUTSIDE
security-level 0
ip address 95.80.38.209 255.255.255.128
no shut
!
interface GigabitEthernet1/2
no ip address
no nameif
no security-level
no shut
!
interface GigabitEthernet1/2.60
description LAN60
vlan 60
nameif INSIDE60
security-level 100
ip address 192.168.60.1 255.255.255
... Continue reading in our forum
akosiron says:
Hi Rene,

I’m a newbie in need of config help involving a catalyst 4500x and ASA5512X.
I will be managing 4500x that is connected to my DataCenter provider’s ASA 5512x.

Here are the details:
All internal routing is done on the 4500x.
Inter VLAN on the switch (VLAN 500, VLAN 69, VLAN xxx, VLAN xxy)

VLAN 500 - 4500x TE1/1/17 <==> ASA Ge0/1 (Primary) and 4500x TE2/1/17 <==> ASA Ge0/1 (Secondary).
-- 10.10.10.3 / 29

4500x config:
```
interface TenGigabitEthernet1/1/17
 switchport mode trunk
 switchport trunk allowed vlan 500

interface TenGigabitEthernet2/1/17
 s
```
... Continue reading in our forum
akosiron says:

Hi Renee,

The issue has been resolved .
The problem was, as you pointed out, is the ASA’s next hop.
I may add more vlans to between asa and 4500x that is why it was trunked.

Thanks.

-RON

38 more replies! Ask a question or join the discussion by visiting our Community Forum