Solved

creating virtual or sub interface on a Cisco ASA 5505

Posted on 2007-09-27
Last Modified: 2012-11-19
I'm wanting to create a sub interface or a logical interface on an ASA 5505.  I tried the commands:

interface Ethernet 0/1.3
 vlan 3
 nameif wireless
 security-level 50
 ip address 192.168.13.1 255.255.255.0

and the 'interface Ethernet 0/1.3' doesn't work.  What exact syntax do I use to accomplish the functionality of the commands listed above?  I got the above to work on my 5510, but not my 5505.  My 5505 is running v8.0.2.
0
Question by:gopher_49
18 Comments
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 19976995
YOU NEED TO USE "NO SHUTDOWN"

ALSO, IS TRUNKING ENABLED ON THE SWITCH?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19977993
The 5505 doesn't use sub-interfaces because it is a switch. Just put one of the switchport interfaces into vlan 3

interface vlan 3
 nameif wireless
 security-level 50
 ip address 192.168.13.1 255.255.255.0
 no shut
interface Ethernet 0/1
 switchport access vlan 3
 no shut

This would be a physical connection to your switch into an access port in vlan 3 and not a trunk port with the switch.


0
 

Author Comment

by:gopher_49
ID: 19981924
So,

I would set the port that the ASA is plugged into to be untagged for VLAN id1 and tagged for vlan id3?  Correct?  Ethernet 0/1 would then be handling traffic for both VLANs id 1 and id3...  In return allowing my access point to have two SSIDs.  One for vlan id1 and one for vlan id3.  They would both use the same outside interface...  (you helped me a few days ago on my 5510)  I got a little lost on the 5505 for it's a completely different beast...
0
 

Author Comment

by:gopher_49
ID: 19982020
lrmoore,

I figured this out last night, however, I have the below syntax.  It made me add the 'no forward interface Vlan1' due to licensing.  Below is the exact syntax I have for my interfaces.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.93.158.129 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif wireless
 security-level 50
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3

This above syntax with the switch config I mentioned above should do it.  The switch config mentioned above is how I had my ProCurve switches setup when using the 5510 and the 506e for this type of config.
0
 

Author Comment

by:gopher_49
ID: 19993186
lrmoore,

What should I change, for the config above doesn't work?!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19993855
Try this:
interface Ethernet0/1
 no switchport access vlan 3
 switchport mode trunk

This will connect to your switch's trunk port just like the old 506e
0
 

Author Comment

by:gopher_49
ID: 19994224
So,

If I were to use the above syntax I could in return use two different SSIDs on my access point.  The private SSID going to vlan id 1 and the public SSID going to vlan id 3?  I assume I configure the port the same as my other switch...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19994387
Yep..
0
 

Author Comment

by:gopher_49
ID: 19994394
What about the other commands?  Use the same commands that I had listed in my 506e?  Please send me all commands needed.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 19994427
OK, to put it all together

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.93.158.129 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif wireless
 security-level 50
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport mode trunk

Connect Ethernet 0/1 to the switchport that is also configured as a trunk port.
Done.
0
 

Author Comment

by:gopher_49
ID: 19994459
sweet.  I'll give it a shot this evening or tomorrow.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19994480
Also make SURE that you do NOT have an internal VLAN 2 on the switch that also gets trunked out to the ASA...
0
 

Author Comment

by:gopher_49
ID: 20052687
Please elaborate more on your last statement.  The port that the AP is plugged into is tagged for the below VLANs:

1 2 3

Vlan 1 is my default, vlan 2 is for the AP, and vlan 3 is unused.  

The port that the PIX is plugged into is untagged for 1 and NOT TAGGED for 2 and Tagged for 3

Is this okay?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20052781
I think that using vlan2 for "outside" on the ASA and having a vlan 2 inside on the switch, tagged or not connected to a trunk port is asking for trouble.
I would suggest not using vlan2 on the switch for the wireless, but rather use vlan 3, tagged, and not use vlan 2 at all.
0
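The VLAN 2 overlap that lrmoore warns about, and the `no forward interface Vlan1` restriction in the posted configuration, can be checked mechanically. This is an added example, not part of the original thread; `parse_asa`, `audit` and `switch_uplink_vlans` are hypothetical names, and treating security-level 0 as outside and the highest level as inside is an assumption of the script.

```python
import re
# Constructed input: the interface stanzas from the accepted answer (IP lines omitted).
ASA_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 no forward interface Vlan1
 nameif wireless
 security-level 50
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport mode trunk
"""

def parse_asa(config):
    """Return ({vlan_id: settings}, {port: settings}) from ASA 5505 interface stanzas."""
    vlans, ports, cur = {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface Vlan\s*(\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"no_forward": set()})
        elif m := re.fullmatch(r"interface Ethernet\s*(\S+)", line):
            cur = ports.setdefault(m[1], {"trunk": False})
        elif m := re.fullmatch(r"nameif (\S+)", line):
            cur["nameif"] = m[1]
        elif m := re.fullmatch(r"security-level (\d+)", line):
            cur["level"] = int(m[1])
        elif m := re.fullmatch(r"no forward interface Vlan(\d+)", line):
            cur["no_forward"].add(int(m[1]))
        elif line == "switchport mode trunk":
            cur["trunk"] = True
    return vlans, ports

def audit(config, switch_uplink_vlans):
    """switch_uplink_vlans: VLAN IDs (tagged or not) on the switch port facing the ASA."""
    vlans, ports = parse_asa(config)
    trunked = any(p["trunk"] for p in ports.values())
    inside = max(vlans, key=lambda vid: vlans[vid].get("level", 0))
    findings = []
    for vid, v in vlans.items():
        level, name = v.get("level", 0), v.get("nameif")
        if trunked and level == 0 and vid in switch_uplink_vlans:
            findings.append(f"VLAN {vid} ({name}) is also carried on the switch uplink")
        if 0 < level < vlans[inside].get("level", 0) and inside not in v["no_forward"]:
            findings.append(f"VLAN {vid} ({name}) lacks 'no forward interface Vlan{inside}'")
    return findings
```

Calling `audit(ASA_CONFIG, {1, 2, 3})` reports the VLAN 2 overlap, while `audit(ASA_CONFIG, {1, 3})`, the layout lrmoore suggests, returns no findings.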
 

Author Comment

by:gopher_49
ID: 20053187
okay.  Also, I get the below error when using the below command:

interface Ethernet0/1
 switchport mode trunk

ERROR: Trunk port is not supported with this license -

Which license do I need to order?  I'll order tomorrow in the morning.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20054138
You might have to contact Cisco TAC on that one. All references I can find do not mention anything about licensing. There are not that many license options/choices
0
 

Author Comment

by:gopher_49
ID: 20056445
okay.  I'll email my Cisco rep.  

thanks.
0
 

Expert Comment

by:ciscome
ID: 38614790
Hi,

I have the same problem. I tried to configure the Ethernet interface in trunk mode and the output is:

config-if)# switchport mode trunk
ERROR: Trunk port is not supported with this license

How did you solve this issue?

Thanks
0


Question has a verified solution.
