Solved

Can't set up VLANs on 5510 Firewall

Posted on 2011-02-23
389 Views
Last Modified: 2012-05-11
When I try to enter the command to set up a VLAN (config# int vlan XX) the vlan is marked with ^ as invalid.  I need to set up a VLAN on the inside and the other on the outside.  What's the problem?  Also, the ASA 5510 is set up as a L3 (router).

Do I have to setup the vlan using a subnet of an existing ethernet interface?  I have two defined:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address yyy.yyy.yyy.yyy 255.255.255.0
Question by: elliotsegal

7 Comments
LVL 9

Expert Comment

by:ffleisma
ID: 34966505
ASA ports are already routed ports  meaning every interface has to be in its own subnet (LAN) not overlapping with other subnets assigned to other ports.

For your need, e0/0 and e0/1 are already and should be on different (LAN/VLAN/subnet)

hope this helps :-)

Author Comment

by:elliotsegal
ID: 34966593
ffleisma,

I think I understand, but I'm still a bit confused here.  I thought what I had set up would work, but when I try to set up a VLAN I keep getting the ^ mark on the "v" in vlan and the message that the command is invalid.

Some research I've done shows sample configs with e0/0.1 used to set up the vlan.

Is what you're telling me that I don't need to do this because e0/0 and e0/1 are already on different subnets?

What I'm trying to do is have the access to 10.4.x.xxx/24 and 10.x.x.x/24 vlans connected through a 3650 switch and then to a 4057 Core switch.

The application here is to allow certain access between an Enterprise network and a SCADA/EMS network.

I have an existing 5505 set up and working with VLANs on it.  Is the setup different on the 5510?

Thanks, and sorry for my being so ignorant on the subject.
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 34966660
The setup on 5510 is very different than 5505.
On the 5510, you have to trunk a port on the switch, and use sub-interfaces on the eth0/1.
Example:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.5.254 255.255.255.0

interface Ethernet0/1.15
 vlan 15
 nameif vlan15
 security-level 15
 ip address 172.17.254.1 255.255.255.0
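The two constraints this thread turns on (ffleisma's point that every ASA port is a routed port that must own its own non-overlapping subnet, and lrmoore's point that the 5510 takes 802.1Q sub-interfaces with a "vlan N" line rather than the 5505's "interface Vlan N") are easy to check mechanically before pasting a config into the box. The script below is an added example, not code from this thread or from Cisco. It parses the accepted answer's configuration (quoted as the clean case) plus two constructed faulty blocks, and the finding codes it emits are my own naming, not ASA output.

```python
"""Lint an ASA 5510-style interface configuration for the pitfalls raised
in this thread.  Added example, not code from the thread or from Cisco.

Checks performed:
  * 'interface Vlan N' is flagged: that syntax belongs to the switch-blade
    ASA 5505; the 5510 wants a sub-interface such as Ethernet0/1.15 + 'vlan 15'
  * every sub-interface (name contains '.') carries a 'vlan' tag
  * nameif values are unique
  * no two addressed interfaces sit in overlapping subnets (routed ports)
"""
import ipaddress
import re

# The accepted answer's config, quoted from the thread: should lint clean.
ACCEPTED_ANSWER_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.5.254 255.255.255.0

interface Ethernet0/1.15
 vlan 15
 nameif vlan15
 security-level 15
 ip address 172.17.254.1 255.255.255.0
"""

# Constructed faulty additions: a sub-interface with no vlan tag whose
# subnet also overlaps 'inside', and a 5505-style 'interface Vlan' block.
FAULTY_CONFIG = ACCEPTED_ANSWER_CONFIG + """\
!
interface Ethernet0/1.20
 nameif scada
 security-level 90
 ip address 10.1.5.1 255.255.255.128
!
interface Vlan 30
 nameif dmz
 security-level 50
 ip address 10.9.9.1 255.255.255.0
"""


def parse_interfaces(config):
    """Return {name: {'vlan', 'nameif', 'security_level', 'ip'}} per block."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' (or a blank line) closes the block
            continue
        m = re.match(r"^interface\s+(.+?)$", line)
        if m:
            current = {"vlan": None, "nameif": None, "security_level": None, "ip": None}
            interfaces[m.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            continue
        parts = line.split()
        if parts[0] == "vlan" and len(parts) == 2:
            current["vlan"] = int(parts[1])
        elif parts[0] == "nameif" and len(parts) == 2:
            current["nameif"] = parts[1]
        elif parts[0] == "security-level" and len(parts) == 2:
            current["security_level"] = int(parts[1])
        elif parts[:2] == ["ip", "address"] and len(parts) == 4:
            # ipaddress accepts the dotted netmask form ASA prints
            current["ip"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return interfaces


def lint(config):
    """Return a list of (code, interface, message) findings; [] when clean."""
    findings = []
    interfaces = parse_interfaces(config)
    seen_nameif = {}
    for name, intf in interfaces.items():
        if re.match(r"^vlan\s*\d+$", name, re.IGNORECASE):
            findings.append(("vlan-syntax", name,
                             "'interface Vlan N' is 5505 syntax; on a 5510 use a "
                             "sub-interface (Ethernet0/1.N) with a 'vlan N' line"))
        if "." in name and intf["vlan"] is None:
            findings.append(("missing-vlan-tag", name,
                             "sub-interface has no 'vlan' tag, so no 802.1Q "
                             "frames from the switch trunk will map to it"))
        nameif = intf["nameif"]
        if nameif is not None:
            if nameif in seen_nameif:
                findings.append(("duplicate-nameif", name,
                                 f"nameif '{nameif}' already used by {seen_nameif[nameif]}"))
            seen_nameif.setdefault(nameif, name)
    # Routed ports: each addressed interface must own a distinct subnet.
    addressed = [(n, i["ip"].network) for n, i in interfaces.items() if i["ip"]]
    for idx, (name_a, net_a) in enumerate(addressed):
        for name_b, net_b in addressed[idx + 1:]:
            if net_a.overlaps(net_b):
                findings.append(("overlap", f"{name_a}/{name_b}",
                                 f"{net_a} and {net_b} overlap; routed ASA ports "
                                 "need non-overlapping subnets"))
    return findings


if __name__ == "__main__":
    for code, where, msg in lint(FAULTY_CONFIG):
        print(f"[{code}] {where}: {msg}")
```

Run it with python3 and it prints three findings for the constructed faulty config and none for the accepted answer's two blocks. The checker only sees the ASA side: the switch port facing Ethernet0/1 still has to be an 802.1Q trunk carrying VLAN 15, as the answer says, and this script cannot verify that.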
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34967410
The performance would be much better if you did the inter-vlan routing on the core switch rather than the ASA.....just my .02
LVL 79

Expert Comment

by:lrmoore
ID: 34968046
Rick, I would agree with you generally, but since one side is a SCADA network, security of it as a protected network on its own is probably more important than performance. I doubt that there will be much traffic between the Corp LAN and the SCADA network.
Author Comment

by:elliotsegal
ID: 34969232
lrmoore and Rick,

thanks for the feedback.  True, from what I've been researching it would be better to VLAN trunk on the Core switch, but as I stated the config we have and as lrmoore pointed out, it's more of a security issue than performance.  We have Federal (FERC and NERC) security and CSSP requirements we have to meet or exceed because of the SCADA (supervisory controls & data acquisition) and Energy Management Systems (EMS) network that should stay segregated as much as possible from our Corp LAN/WAN.

I'll try the config this morning -- have to love Cisco staying true to form with variation in configs and capabilities within the same series of appliances (my bad for not being smarter on it and assuming it would set up like the 5505).  I think it may be time to look closer at Juniper's appliances :)
LVL 79

Expert Comment

by:lrmoore
ID: 34975779
You have to understand that the little ASA 5505 is a small-business model that was designed more for small offices of 10 users or less that needed more features of the big brothers. It is the only model that has a switch blade on board. All other ASA 55x0 models work pretty much exactly the same.
I can't count the number of Junipers, SonicWalls, WatchGuards, etc. that I've helped remove and replace with ASAs. I've never had anyone end up not liking the ASA enough to replace it with anything else.