Solved

Can't set up VLANs on 5510 Firewall

Posted on 2011-02-23
Last Modified: 2012-05-11
When I try to enter the command to set up a vlan (config# int vlan XX) the vlan is marked with ^ as invalid.  I need to set up a Vlan on the inside and the other on the outside.  What's the problem?  Also, the ASA 5510 is setup as a L3 (router).

Do I have to setup the vlan using a subnet of an existing ethernet interface?  I have two defined:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address yyy.yyy.yyy.yyy 255.255.255.0
0
Question by:elliotsegal
7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 34966505
ASA ports are already routed ports, meaning every interface has to be in its own subnet (LAN), not overlapping with other subnets assigned to other ports.

For your need, e0/0 and e0/1 are already and should be on different (LAN/VLAN/subnet)

hope this helps :-)
0
 

Author Comment

by:elliotsegal
ID: 34966593
ffleisma,

I think I understand, but I'm still a bit confused here.  I thought what I had set up would work, but when I try to set up a vlan I keep getting the ^ mark on the "v" in vlan and the message that the command is invalid.

Some research I've done shows sample configs with e0/0.1 used to set up the vlan.

Does what you're telling me mean that I don't need to do this because the e0/0 and e0/1 are already on different subnets?

What I'm trying to do is have the access to 10.4.x.xxx/24 and 10.x.x.x/24 vlans connected through a 3650 switch and then to a 4057 Core switch.

The application here is to allow certain access between an Enterprise network and a SCADA/EMS network.

I have an existing 5505 set up and working with VLANS on it.  Is the setup different on the 5510?

Thanks
Thanks and sorry for my being so ignorant on the subject.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 34966660
The setup on 5510 is very different than 5505.
On the 5510, you have to trunk a port on the switch, and use sub-interfaces on the eth0/1
Example:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.5.254 255.255.255.0

interface Ethernet0/1.15
 vlan 15
 nameif vlan15
 security-level 15
 ip address 172.17.254.1 255.255.255.0
0
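One way to check an ASA interface section against the two points made in the answers above: every interface in its own non-overlapping subnet, and each sub-interface carrying a `vlan` ID. This is an added example, not part of the original thread; the `Ethernet0/1.20` stanza and the `scada` name are constructed to trigger both findings.

```python
import ipaddress
import re

# Constructed sample based on the accepted answer; the last stanza is deliberately broken.
SAMPLE = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.5.254 255.255.255.0
!
interface Ethernet0/1.15
 vlan 15
 nameif vlan15
 security-level 15
 ip address 172.17.254.1 255.255.255.0
!
interface Ethernet0/1.20
 nameif scada
 ip address 10.1.5.1 255.255.255.128
"""

def parse_interfaces(config):
    """Return {interface name: {'vlan', 'nameif', 'net'}} from ASA-style stanzas."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(\S+)", line):
            current = interfaces.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" ") and line.strip():
            words = line.split()
            if words[0] in ("vlan", "nameif") and len(words) == 2:
                current[words[0]] = words[1]
            elif words[:2] == ["ip", "address"] and len(words) >= 4:
                current["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        else:
            current = None  # "!", a blank line or any top-level line ends the stanza
    return interfaces

def audit(config):
    """List findings: sub-interfaces lacking a VLAN ID, and overlapping subnets."""
    interfaces, findings = parse_interfaces(config), []
    for name, cfg in interfaces.items():
        if "." in name and "vlan" not in cfg:
            findings.append(f"{name}: subinterface has no vlan ID")
    addressed = [(n, c["net"]) for n, c in interfaces.items() if "net" in c]
    for i, (name_a, net_a) in enumerate(addressed):
        for name_b, net_b in addressed[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{name_b}: {net_b} overlaps {name_a} ({net_a})")
    return findings
```

Calling `audit(SAMPLE)` returns the two findings for `Ethernet0/1.20`; addresses masked as `xxx.xxx.xxx.xxx` have to be replaced with real values before parsing.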
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34967410
The performance would be much better if you did the inter-vlan routing on the core switch rather than the ASA.....just my .02
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 34968046
Rick, I would agree with you generally, but since one side is a SCADA network, security of it as a protected network on its own is probably more important than performance. I doubt that there will be much traffic between the Corp LAN and the SCADA network.
0
 

Author Comment

by:elliotsegal
ID: 34969232
lrmoore and Rick,

thanks for the feedback.  True, from what I've been researching it would be better to vlan trunk on the Core switch, but as I stated the config we have and as lrmoore pointed out, it's more of a security issue than performance.  We have Federal (FERC and NERC) security and CSSP requirements we have to meet or exceed because of the SCADA (supervisory controls & data acquisition) and Energy Management Systems (EMS) network that should stay segregated as much as possible from our Corp LAN/WAN.

I'll try the config this morning -- have to love CISCO staying true to form with variation in configs and capabilities within the same series of appliances (my bad for not being smarter on it and assuming it would setup like the 5505).  I think it may be time to look closer at Juniper's appliances :)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 34975779
You have to understand that the little ASA 5505 is a small-business model that was designed more for small offices of 10 users or less that needed more features of the big brothers. It is the only model that has a switch blade on board. All other ASA 55x0 models work pretty much exactly the same.
I can't count the number of Junipers, SonicWalls, WatchGuards, etc. that I've helped remove and replace with ASAs. I've never had anyone end up not liking the ASA enough to replace it with anything else.
0
