Solved

CAn't set up Vlans on 5510 Firewall

Posted on 2011-02-23
7
380 Views
Last Modified: 2012-05-11
When I try to enter the command to set up a vlan (config# int vlan XX) the vlan is marked with ^ as invalid.  I need to set up a Vlan on th einside and the other on the outside.  What's the problem?  Also, the ASA 5510 is setup as a L3 (router).  

Do I have to setup the vlan using a subnet of an existing ethernet interface?  I have two defined:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address yyy.yyy.yyy.yyy 255.255.255.0
0
Comment
Question by:elliotsegal
7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 34966505
ASA ports are already routed ports  meaning every interface has to be in its own subnet (LAN) not overlapping with other subnets assigned to other ports.

For your need, e0/0 and e0/1 are already and should be on different (LAN/VLAN/subnet)

hope this helps :-)
0
 

Author Comment

by:elliotsegal
ID: 34966593
ffleisma,

I think I understand, but I'm still a bit confused here.  I thought what I had set up would work, but when I try to set up a vlan I keep getting the ^ mark on the "v" in vlan an dth emessage that the command is invalid.  

Some research I've done shows sample configs with e0/0.1 used to set up the vlan.

Is what you're telling me mean that I don't need to do this because the e/0/ and e0/1 are already on different subnets?  

What I'm trying to do is have the access to 10.4.x.xxx/24 and 10.x.x.x/24 vlans connected through a 3650 switch and then to a 4057 Core switch.

The application here is to allow certain access between an Enterprise network and a SCADA/EMS network.

I have an exsting 5505 set up and working with VLANS on it.  Is the setup different on the 5510?

Thanks
Thanks and sorry for my being so ignorant on the subject.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 34966660
The setup on 5510 is very different than 5505.
On the 5510, you have to trunk a port on the switch, and use sub-interfaces on the eth0/1
Example:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.5.254 255.255.255.0

interfaceEthernet0/1.15
 vlan 15
 nameif vlan15
 security-level 15
 ip address 172.17.254.1 255.255.255.0
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34967410
The performance would be much better if you did the inter-vlan routing on the core switch rather than the ASA.....just my .02
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 34968046
Rick, I would agree with you generally, but since one side is a SCADA network, security of it as a protected network on its own is probably more important than performance. I doubt that there will be much traffic between the Corp LAN and the SCADA network.
0
 

Author Comment

by:elliotsegal
ID: 34969232
Irmoore and Rick,

thanks for the feedback.  True, from what I've been reseraching it would be better to vlan trunk on the Core switch, but as I stated the config we have and as Irmoore pointed out, it's more of a security issue than performance.  We have Federal (FERC and NERC) security and CSSP requirements we have to meet or exceed because of the SCADA (supervisory controls & data acquisition) and Energy Management Systems (EMS) network that should stay segregated as much as possible from our Corp LAN/WAN.  

I'll try the config this morning -- have to love CISCO stayingtrue to form with variation in configs and capabilities within the same series of appliances (my bad for not being smarter on it and assuming it would setup like the 5505).  I think it may be time to look closer at Juniper's appliances :)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 34975779
You have to understand that the little ASA 5505 is a small-business model that was designed more for small offices of 10 users or less that needed more features of the big brothers. It is the only model that has a switch blade on board. All other ASA 55x0 models work pretty  much exactly the same.
I can't count the number of junipers, sonicwalls, watchguards, etc that i've helped remove  and replace with ASA's.. I've never had anyone end up not liking the ASA enough to replace it with anything else.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now