ASA 5520 8.2 / Sub Interface problems

Hi -

I'm trying to connect an internet circuit to my ASA 5520 running 8.2 code. I know the circuit is live and working properly, because when I tie it in via a physical interface and configure it, it works great.

What I want to do is use a sub interface for this connection. The reason I want to do this is because I want multiple connections over time, and see no reason why they can't share the same copper and switch ports. This internet and the ASA feed right into a dumb switch.

Here is the interface configuration as I have it now (not-working), the physical port is 1/2 and the sub-interface is 1/2.2.

interface GigabitEthernet1/2
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet1/2.2
 vlan 2
 nameif INTERNET
 security-level 0
 ip address 192.168.98.2 255.255.255.0

I have all the other bits configured correctly, NAT and routing. I think it's something I'm unaware of, as I've never set up sub-interfaces before.

Thanks.
Vjz1 Asked:
 
Daniel Sheppard (Network Administrator/Engineer/Architect) Commented:
Yes, you will need a managed switch.

For the ISP side of the switch, you would need to set the port to an untagged (access) port, not a tagged (trunk) port.

This will put the ASA and ISP in the same VLAN.  There will be no routing.
 
Daniel Sheppard (Network Administrator/Engineer/Architect) Commented:
The internet would need to be tagged on the ISP end on VLAN 2.

Alternatively, you can use a managed switch, trunk the connection to the ASA, and have the internet feed into an access port (untagged on the VLAN you want and only that VLAN) on the VLAN you want.
 
Daniel Sheppard (Network Administrator/Engineer/Architect) Commented:
Additionally, the reason it most likely is not working, is that the ISP is sending an untagged packet but the ASA is expecting a tagged packet.
 
Vjz1 (Author) Commented:
Ok so it sounds like I need a managed switch, then have the port that the ASA plugs into, be tagged with the vlan that I assign the sub-interface. Is that right?

I'm not terribly familiar with access ports or trunking ports. Would the internet feed, be in the same vlan on the switch that the ASA is in?

I guess I'd need to put the internet on one vlan, the same vlan ID as I'll use on the sub-interface, then have the ASA in a different vlan and then route between them with layer 3 routing?

Not sure I 100% understand.

Thanks!
 
Vjz1 (Author) Commented:
Oh ok, I get that, I don't do a ton with switches so I don't have the terminology down.

I actually tried a managed switch first, but I wondered if it was causing more trouble, that's why I switched to a dumb switch. Oops.

I can do that. I can set the ISP port to untagged (in fact it already is), and apply the vlan id tag to the ASA port.

Cool. Thanks a lot. I may not be able to try this today but I understand so I'll close the question now.

Thanks!
 
Vjz1 (Author) Commented:
Thanks!
 
Daniel Sheppard (Network Administrator/Engineer/Architect) Commented:
Make sure the ISP port is untagged on the VLAN 2
Question has a verified solution.
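
The tagging mismatch described in the answers above, as an added example that is not part of the original thread: a small Python model of which ASA interface accepts a frame, first through an unmanaged switch and then through a managed switch with the ISP on an untagged VLAN 2 port and the ASA on a tagged port. All function names, MAC addresses and the payload are constructed for illustration; only the `vlan 2` / `INTERNET` mapping and the `no nameif` physical port come from the posted configuration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet II frame, with an 802.1Q tag when vlan is given."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def vlan_of(frame):
    """Return the VLAN ID carried by the frame, or None if it is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def dumb_switch(frame):
    """An unmanaged switch forwards the frame without adding a tag."""
    return frame

def managed_switch(frame, access_vlan):
    """Untagged port in access_vlan in, tagged port out: tag added on egress."""
    if vlan_of(frame) is not None:
        return None  # assumption: the access port drops already-tagged frames
    return frame[:12] + struct.pack("!HH", TPID_8021Q, access_vlan) + frame[12:]

def asa_receive(frame, subinterfaces, physical_nameif=None):
    """Return the nameif that accepts the frame, or None if it is dropped."""
    if frame is None:
        return None
    vid = vlan_of(frame)
    if vid is None:
        return physical_nameif  # untagged traffic belongs to the physical port
    return subinterfaces.get(vid)

# Constructed sample data: MAC addresses and payload are made up.
ISP_MAC = bytes.fromhex("020000000001")
ASA_MAC = bytes.fromhex("020000000002")
ISP_FRAME = build_frame(ASA_MAC, ISP_MAC, 0x0800, b"constructed payload")
# From the posted config: Gi1/2 has "no nameif", Gi1/2.2 is vlan 2 / INTERNET.
ASA_SUBIFS = {2: "INTERNET"}

if __name__ == "__main__":
    print("dumb switch    ->", asa_receive(dumb_switch(ISP_FRAME), ASA_SUBIFS))
    print("managed, VLAN 2 ->", asa_receive(managed_switch(ISP_FRAME, 2), ASA_SUBIFS))
```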