• Status: Solved

creating virtual or sub interface on a Cisco ASA 5505

I'm wanting to create a sub-interface or a logical interface on an ASA 5505.  I tried the commands:

interface Ethernet 0/1.3
 vlan 3
 nameif wireless
 security-level 50
 ip address 192.168.13.1 255.255.255.0

 and the 'interface Ethernet 0/1.3' doesn't work.  What exact syntax do I use to accomplish the functionality of the commands listed above?  I got the above to work on my 5510, but not my 5505.  My 5505 is running v8.0.2
0
gopher_49
Asked:
gopher_49
1 Solution
 
charan_jeetsingh Commented:
YOU NEED TO USE "NO SHUTDOWN"

ALSO, IS TRUNKING ENABLED ON THE SWITCH?
0
 
lrmoore Commented:
The 5505 doesn't use sub-interfaces because it is a switch. Just put one of the switchport interfaces into vlan 3

interface vlan 3
 nameif wireless
 security-level 50
 ip address 192.168.13.1 255.255.255.0
 no shut
interface Ethernet 0/1
 switchport access vlan 3
 no shut

This would be a physical connection to your switch into an access port in vlan 3 and not a trunk port with the switch.


0
 
gopher_49 (Author) Commented:
So,

I would set the port that the ASA is plugged into to be untagged for VLAN ID 1 and tagged for VLAN ID 3?  Correct?  Ethernet 0/1 would then be handling traffic for both VLAN IDs 1 and 3...  In return allowing my access point to have two SSIDs.  One for VLAN ID 1 and one for VLAN ID 3.  They would both use the same outside interface...  (you helped me a few days ago on my 5510)  I got a little lost on the 5505 for it's a completely different beast...
0

 
gopher_49 (Author) Commented:
lrmoore,

I figured this out last night, however, I have the below syntax.  It made me add the 'no forward interface Vlan1' due to licensing.  Below is the exact syntax I have for my interfaces.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.93.158.129 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif wireless
 security-level 50
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3

The above syntax with the switch config I mentioned above should do it.  The switch config mentioned above is how I had my ProCurve switches set up when using the 5510 and the 506e for this type of config.
0
 
gopher_49 (Author) Commented:
lrmoore,

What should I change for the config above doesn't work?!
0
 
lrmoore Commented:
Try this:
interface Ethernet0/1
 no switchport access vlan 3
 switchport mode trunk

This will connect to your switch's trunk port just like the old 506e
0
 
gopher_49 (Author) Commented:
So,

If I were to use the above syntax I could in return use two different SSIDs on my access point.  The private SSID going to VLAN ID 1 and the public SSID going to VLAN ID 3?  I assume I configure the port the same as my other switch...
0
 
lrmoore Commented:
Yep..
0
 
gopher_49 (Author) Commented:
What about the other commands.  Use the same commands that I had listed in my 506e?  Please send me all commands needed.
0
 
lrmoore Commented:
OK, to put it all together

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.93.158.129 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif wireless
 security-level 50
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport mode trunk

Connect Ethernet 0/1 to the switchport that is also configured as a trunk port.
Done.
0
 
gopher_49 (Author) Commented:
Sweet.  I'll give it a shot this evening or tomorrow.

0
 
lrmoore Commented:
Also make SURE that you do NOT have an internal VLAN 2 on the switch that also gets trunked out to the ASA...
0
 
gopher_49 (Author) Commented:
Please elaborate more on your last statement.  The port that the AP is plugged into is tagged for the below VLANs:

1 2 3

Vlan 1 is my default, vlan 2 is for the AP, and vlan 3 is unused.  

The port that the PIX is plugged into is untagged for 1 and NOT TAGGED for 2 and Tagged for 3

Is this okay?
0
 
lrmoore Commented:
I think that using vlan2 for "outside" on the ASA and having a vlan 2 inside on the switch, tagged or not connected to a trunk port is asking for trouble.
I would suggest not using vlan2 on the switch for the wireless, but rather use vlan 3, tagged, and not use vlan 2 at all.
0
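lrmoore's warning about VLAN 2 can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the interface config posted above (ip address lines and `!` separators omitted) and flags any VLAN ID defined on the switch that is also bound to a separate access port on the ASA. The `switch_vlans` sets and both function names are assumptions made for the illustration.

```python
import re

# Interface config from the thread with Ethernet0/1 as the trunk
# (constructed sample: ip address lines and "!" separators omitted).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 no forward interface Vlan1
 nameif wireless
 security-level 50
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport mode trunk
"""

def parse_asa(config):
    """Return ({vlan_id: {nameif, level}}, {port: access VLAN id or 'trunk'})."""
    vlans, ports, kind, name = {}, {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.fullmatch(r"interface (Vlan|Ethernet) ?(\S+)", line)
        if m:
            kind, name = m.groups()
            if kind == "Vlan":
                vlans[int(name)] = {"nameif": None, "level": None}
        elif kind == "Vlan" and line.startswith("nameif "):
            vlans[int(name)]["nameif"] = line.split()[1]
        elif kind == "Vlan" and line.startswith("security-level "):
            vlans[int(name)]["level"] = int(line.split()[1])
        elif kind == "Ethernet" and line == "switchport mode trunk":
            ports[name] = "trunk"
        elif kind == "Ethernet" and (a := re.fullmatch(r"switchport access vlan (\d+)", line)):
            ports[name] = int(a.group(1))
    return vlans, ports

def colliding_vlans(config, switch_vlans):
    """Switch VLAN IDs that reuse an ASA VLAN assigned to a non-trunk access port."""
    vlans, ports = parse_asa(config)
    if "trunk" not in ports.values():
        return []  # no trunk to the switch, so no shared VLAN ID space
    access_only = {v for v in ports.values() if v != "trunk"}
    return sorted((vid, vlans[vid]["nameif"], vlans[vid]["level"])
                  for vid in access_only & set(switch_vlans) if vid in vlans)
```

With the switch carrying VLANs 1, 2 and 3 as gopher_49 describes, the check reports VLAN 2 (outside, security-level 0); with VLAN 2 dropped from the switch, as lrmoore suggests, it reports nothing.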
 
gopher_49 (Author) Commented:
Okay.  Also, I get the below error when using the below command:

interface Ethernet0/1
 switchport mode trunk

ERROR: Trunk port is not supported with this license -

Which license do I need to order?  I'll order tomorrow in the morning.
0
 
lrmoore Commented:
You might have to contact Cisco TAC on that one. All references I can find do not mention anything about licensing. There are not that many license options/choices.
0
 
gopher_49 (Author) Commented:
Okay.  I'll email my Cisco rep.

Thanks.
0
 
ciscome Commented:
Hi,

I have the same problem. I tried to configure the Ethernet interface in trunk mode and the output is:

config-if)# switchport mode trunk
ERROR: Trunk port is not supported with this license

How did you solve this issue?

Thanks
0