Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 414
  • Last Modified:

CAn't set up Vlans on 5510 Firewall

When I try to enter the command to set up a vlan (config# int vlan XX) the vlan is marked with ^ as invalid.  I need to set up a Vlan on th einside and the other on the outside.  What's the problem?  Also, the ASA 5510 is setup as a L3 (router).  

Do I have to setup the vlan using a subnet of an existing ethernet interface?  I have two defined:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address yyy.yyy.yyy.yyy 255.255.255.0
0
elliotsegal
Asked:
elliotsegal
1 Solution
 
ffleismaCommented:
ASA ports are already routed ports  meaning every interface has to be in its own subnet (LAN) not overlapping with other subnets assigned to other ports.

For your need, e0/0 and e0/1 are already and should be on different (LAN/VLAN/subnet)

hope this helps :-)
0
 
elliotsegalAuthor Commented:
ffleisma,

I think I understand, but I'm still a bit confused here.  I thought what I had set up would work, but when I try to set up a vlan I keep getting the ^ mark on the "v" in vlan an dth emessage that the command is invalid.  

Some research I've done shows sample configs with e0/0.1 used to set up the vlan.

Is what you're telling me mean that I don't need to do this because the e/0/ and e0/1 are already on different subnets?  

What I'm trying to do is have the access to 10.4.x.xxx/24 and 10.x.x.x/24 vlans connected through a 3650 switch and then to a 4057 Core switch.

The application here is to allow certain access between an Enterprise network and a SCADA/EMS network.

I have an exsting 5505 set up and working with VLANS on it.  Is the setup different on the 5510?

Thanks
Thanks and sorry for my being so ignorant on the subject.
0
 
lrmooreCommented:
The setup on 5510 is very different than 5505.
On the 5510, you have to trunk a port on the switch, and use sub-interfaces on the eth0/1
Example:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.5.254 255.255.255.0

interfaceEthernet0/1.15
 vlan 15
 nameif vlan15
 security-level 15
 ip address 172.17.254.1 255.255.255.0
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
Rick_at_ptscintiCommented:
The performance would be much better if you did the inter-vlan routing on the core switch rather than the ASA.....just my .02
0
 
lrmooreCommented:
Rick, I would agree with you generally, but since one side is a SCADA network, security of it as a protected network on its own is probably more important than performance. I doubt that there will be much traffic between the Corp LAN and the SCADA network.
0
 
elliotsegalAuthor Commented:
Irmoore and Rick,

thanks for the feedback.  True, from what I've been reseraching it would be better to vlan trunk on the Core switch, but as I stated the config we have and as Irmoore pointed out, it's more of a security issue than performance.  We have Federal (FERC and NERC) security and CSSP requirements we have to meet or exceed because of the SCADA (supervisory controls & data acquisition) and Energy Management Systems (EMS) network that should stay segregated as much as possible from our Corp LAN/WAN.  

I'll try the config this morning -- have to love CISCO stayingtrue to form with variation in configs and capabilities within the same series of appliances (my bad for not being smarter on it and assuming it would setup like the 5505).  I think it may be time to look closer at Juniper's appliances :)
0
 
lrmooreCommented:
You have to understand that the little ASA 5505 is a small-business model that was designed more for small offices of 10 users or less that needed more features of the big brothers. It is the only model that has a switch blade on board. All other ASA 55x0 models work pretty  much exactly the same.
I can't count the number of junipers, sonicwalls, watchguards, etc that i've helped remove  and replace with ASA's.. I've never had anyone end up not liking the ASA enough to replace it with anything else.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now