ASA5505 and Multiple Vlans

I've a configuration question about my ASA5505, I've setup the box and all the basics *seems* to work. What we now will achieve as a next step is the following, but let me first explain the current situation:

2 Vlans:

INSIDE VLAN (Security Level 100, ports eth 0/1-0/7 , IP
OUTSIDE VLAN (Security Level 0, ports eth0/0, IP

We'll now create a couple of vlans for diferent organizations, and 1 vlan for the servers / access point,
Peoples in an organisation cannot communicate with a device in another organization, but they can only go on the WWW and communicate with the server vlan.

I can create in the ASDM multiple interfaces, but I need to assign them all an IP address and a physical port on the ASA, but we'll assign the same port on the asa for all the vlans.

What we also want is that we'll share the same subnet in alle the vlans (so in all the vlans we use the 192.168.20.x/24) .

My question is: how can I achieve this, create multiple VLAN'S on 1 interface and share the same subnet over alle the vlan's.

I hopy my explanation of the problem is clear enough, if not I'll hear it!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ken BooneNetwork ConsultantCommented:
So If I understand you correctly you want to say add 5 more vlans for example and each vlan will be on the / 24 network?

If that is the case that would be invalid.   Each subnet needs to have its own IP address space.  
ezjurgenAuthor Commented:
Yes indeed, that is what we want, you mean that each vlan needs it own network range ?
I've read today that you can do it as follow:

- Create vlans on Cisco switch
- On the ASA 'trunk' the differt VLANs to 1 physical port.

But I don't know that that is correct
ezjurgenAuthor Commented:
I've just found the following article: at page 11 that explains what I mean with my previous content, I've tried to do this , but we've only a basic license, so we're not able to test this out.
In our production environment we'll use a asa 5510, do we also need to buy a security plus license to use the vlan trunking?
Redefine Your Security with AI & Machine Learning

The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Check out our on-demand webinar to learn more about how AI can help your organization!

Ken BooneNetwork ConsultantCommented:
Yes that document shows you how to set up the trunk.  The purpose of a trunk is to carry multiple VLANs through a single physical port.  The issues though is that each vlan needs to have its own unique IP network range assigned to it.   You will need security plus on a 5505 to run trunking, but you will be able to run trunking on the 5510 without it.

Here is a document that shows the comparison of those models:

ezjurgenAuthor Commented:
I don't understand the part of "that each vlan needs to have its own unique ip network range" I'm not that familar with Cisco switches, but at HP you need only to tag or untagg a port to a vlan, an that's it..

We'll create 5 vlans:

- Organization 1
- Organization 2
- ....
- Organization 5

and 1 -let's call it management vlan- with there in all the servers, so in total we've 6 vlans, in the management VLAN we'll install our DHCP server, and we'll that all clients in each organization can use this DHCP server, so they will all use the same subnet.

This is also what I mean with all vlans will use the same subnet, we'll not create separate networks for each vlan.

I hope this is clear enough.
Ken BooneNetwork ConsultantCommented:
Ok so here is the deal.  BTW, this is not a cisco switch think, this is just a networking thing.  The problem isn't how to trunk.  Basically on HP you untag the native vlan and tag everything else going across the trunk.  That is just the layer 2 component.  The issue is that you want to use the same layer 3 network on all of the different  VLANs which is not allowed.  When you create a VLAN you are creating a virtual switch lets say.  When you create another VLAN you are creating another virtual switch that is NOT connected to the first virtual switch.  They are two distinct separate networks.  The only way these two networks can communicate is through a layer 3 device, i.e. a router or firewall interface.   Layer 3 devices connect DIFFERENT layer 3 networks via routing.  So a layer 2 vlan is tied to a unique layer 3 network.

Lets look at it this way:

outside Interface  ------  Firewall    ---------   vlan 1  192.168.20.x
                                                        ---------  vlan 2   192.168.20.x
                                                        ---------  vlan 3   192.168.20.x
                                                        ---------  vlan 4   192.168.20.x

I guess after looking at this the ASA will not allow you to use an ip address on a particular network range  on more than one interface.  My point was that as a packet comes in destined for the 192.168.20.x network which interface does it go to?  The firewall will have the same route to all interfaces if this was legal.. But it is not and the ASA will not let you do the above.  The minute you try to enter an ip address with 192.168.20.x on vlan 2 it will balk at you.

You are going to have to do something like this:

outside Interface  ------  Firewall    ---------   vlan 1  192.168.20.x
                                                        ---------  vlan 2   192.168.21.x
                                                        ---------  vlan 3   192.168.22.x
                                                        ---------  vlan 4   192.168.23.x

If this still isn't clear let me know.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ezjurgenAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.