Solved

Can't set up VLANs on 5510 Firewall

Posted on 2011-02-23
394 Views
Last Modified: 2012-05-11
When I try to enter the command to set up a VLAN (config# int vlan XX) the vlan is marked with ^ as invalid.  I need to set up a VLAN on the inside and the other on the outside.  What's the problem?  Also, the ASA 5510 is set up as a L3 (router).  

Do I have to setup the vlan using a subnet of an existing ethernet interface?  I have two defined:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address yyy.yyy.yyy.yyy 255.255.255.0
Question by:elliotsegal
7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 34966505
ASA ports are already routed ports, meaning every interface has to be in its own subnet (LAN), not overlapping with other subnets assigned to other ports.

For your need, e0/0 and e0/1 already are, and should be, on different LANs/VLANs/subnets.

hope this helps :-)
 

Author Comment

by:elliotsegal
ID: 34966593
ffleisma,

I think I understand, but I'm still a bit confused here.  I thought what I had set up would work, but when I try to set up a VLAN I keep getting the ^ mark on the "v" in vlan and the message that the command is invalid.  

Some research I've done shows sample configs with e0/0.1 used to set up the vlan.

Does what you're telling me mean that I don't need to do this because e0/0 and e0/1 are already on different subnets?  

What I'm trying to do is have the access to 10.4.x.xxx/24 and 10.x.x.x/24 vlans connected through a 3650 switch and then to a 4057 Core switch.

The application here is to allow certain access between an Enterprise network and a SCADA/EMS network.

I have an existing 5505 set up and working with VLANs on it.  Is the setup different on the 5510?

Thanks and sorry for my being so ignorant on the subject.
 
LVL 79

Accepted Solution

by:lrmoore earned 500 total points
ID: 34966660
The setup on the 5510 is very different from the 5505.
On the 5510, you have to trunk a port on the switch, and use sub-interfaces on the eth0/1.
Example:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.5.254 255.255.255.0

interface Ethernet0/1.15
 vlan 15
 nameif vlan15
 security-level 15
 ip address 172.17.254.1 255.255.255.0
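As an added example (not from the thread, and not Cisco's own tooling), a small Python linter that checks a pasted ASA config against the two rules the answers above give: every routed interface or subinterface must sit in its own non-overlapping subnet, and every Ethernet0/1.N subinterface must carry a `vlan` tag. The config text and addresses are constructed, with one subinterface deliberately wrong so the check has something to find.

```python
# Added example, not from the thread: lint ASA interface stanzas for the two
# rules above: own non-overlapping subnet per interface, vlan tag per subif.
# Constructed config, made-up addresses; Ethernet0/1.20 is deliberately wrong.
import ipaddress

SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.5.254 255.255.255.0
interface Ethernet0/1.15
 vlan 15
 nameif vlan15
 security-level 15
 ip address 172.17.254.1 255.255.255.0
interface Ethernet0/1.20
 nameif scada
 security-level 50
 ip address 10.1.5.1 255.255.255.128
"""

def parse_interfaces(text):
    """Map interface name -> {nameif, vlan, network} from the stanzas."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split()[1], {})
        elif current is not None and line.startswith(" "):
            kw, *args = line.split()
            if kw == "nameif":
                current["nameif"] = args[0]
            elif kw == "vlan":
                current["vlan"] = int(args[0])
            elif kw == "ip" and args[:1] == ["address"] and len(args) >= 3:
                # ASA form is 'ip address A.B.C.D MASK'; strict=False tolerates host bits
                current["network"] = ipaddress.ip_network(
                    f"{args[1]}/{args[2]}", strict=False)
    return ifaces

def lint(ifaces):
    """Return one finding per violated rule; an empty list means clean."""
    findings = []
    for name, cfg in ifaces.items():
        if "." in name and "vlan" not in cfg:  # Ethernet0/1.15-style subinterface
            findings.append(f"{name}: subinterface has no 'vlan' tag")
    nets = [(n, c["network"]) for n, c in ifaces.items() if "network" in c]
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"{a} and {b}: {na} overlaps {nb}")
    return findings
```

Run `lint(parse_interfaces(SAMPLE_CONFIG))` to see both findings; on a clean 5510 config the list comes back empty.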
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34967410
The performance would be much better if you did the inter-vlan routing on the core switch rather than the ASA.....just my .02
 
LVL 79

Expert Comment

by:lrmoore
ID: 34968046
Rick, I would agree with you generally, but since one side is a SCADA network, security of it as a protected network on its own is probably more important than performance. I doubt that there will be much traffic between the Corp LAN and the SCADA network.
 

Author Comment

by:elliotsegal
ID: 34969232
lrmoore and Rick,

thanks for the feedback.  True, from what I've been researching it would be better to VLAN trunk on the Core switch, but as I stated the config we have and as lrmoore pointed out, it's more of a security issue than performance.  We have Federal (FERC and NERC) security and CSSP requirements we have to meet or exceed because of the SCADA (supervisory controls & data acquisition) and Energy Management Systems (EMS) network that should stay segregated as much as possible from our Corp LAN/WAN.  

I'll try the config this morning -- have to love CISCO staying true to form with variation in configs and capabilities within the same series of appliances (my bad for not being smarter on it and assuming it would set up like the 5505).  I think it may be time to look closer at Juniper's appliances :)
 
LVL 79

Expert Comment

by:lrmoore
ID: 34975779
You have to understand that the little ASA 5505 is a small-business model that was designed more for small offices of 10 users or less that needed more features of the big brothers. It is the only model that has a switch blade on board. All other ASA 55x0 models work pretty much exactly the same.
I can't count the number of Junipers, SonicWalls, WatchGuards, etc. that I've helped remove and replace with ASAs. I've never had anyone end up not liking the ASA enough to replace it with anything else.