ASA 5520 8.2 / Sub Interface problems

Hi -

I'm trying to connect an internet circuit to my ASA 5520 running 8.2 code. I know the circuit is live and working properly, because when I tie it in via a physical interface and configure it, it works great.

What I want to do is use a sub-interface for this connection. The reason I want to do this is because I want to add multiple connections over time, and see no reason why they can't share the same copper and switch ports. This internet circuit and the ASA feed right into a dumb switch.

Here is the interface configuration as I have it now (not-working), the physical port is 1/2 and the sub-interface is 1/2.2.

interface GigabitEthernet1/2
 no nameif
 security-level 0
 no ip address
interface GigabitEthernet1/2.2
 vlan 2
 nameif INTERNET
 security-level 0
 ip address

I have all the other bits configured correctly, NAT and routing. I think it's something I'm unaware of, as I've never set up sub-interfaces before.


Daniel Sheppard, Senior Network Analyst - Core & Perimeter, commented:
The internet would need to be tagged on the ISP end on VLAN 2.

Alternatively, you can use a managed switch, trunk the connection to the ASA, and have the internet feed into an access port (untagged on the VLAN you want, and only that VLAN).

Daniel Sheppard, Senior Network Analyst - Core & Perimeter, commented:
Additionally, the reason it is most likely not working is that the ISP is sending untagged packets but the ASA is expecting tagged packets.
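The mismatch Daniel describes can be seen in the 802.1Q header itself: a sub-interface with `vlan 2` only claims frames that carry a tag with VID 2, while an untagged frame belongs to the physical interface, which the posted configuration leaves without a nameif. The following is an added example, not code from the original post or from Cisco. It builds sample frames (addresses and payload constructed inline) and classifies them against a simplified model of the posted ASA interface table; the interface names and VLAN come from the question, the helper names and the "no nameif means no forwarding" rule are my own simplification of ASA behaviour.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame

# Constructed sample addresses and payload (not from any capture in the post)
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
PAYLOAD = bytes(46)  # minimum Ethernet payload, zero padded


def build_frame(vid=None, pcp=0, ethertype=0x0800):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    frame = DST_MAC + SRC_MAC
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VLAN ID must fit in 12 bits")
        tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + PAYLOAD


def parse_vlan(frame):
    """Return (vid, ethertype); vid is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_ethertype


# Interface table from the question: physical port with no nameif,
# one sub-interface bound to VLAN 2 and named INTERNET.
ASA_INTERFACES = {
    "GigabitEthernet1/2": {"vlan": None, "nameif": None},
    "GigabitEthernet1/2.2": {"vlan": 2, "nameif": "INTERNET"},
}


def classify(frame, interfaces=ASA_INTERFACES):
    """Simplified model (assumption): untagged frames belong to the physical
    interface, tagged frames to the sub-interface whose vlan matches the VID,
    and an interface without a nameif passes no traffic."""
    vid, _ = parse_vlan(frame)
    for name, cfg in interfaces.items():
        if cfg["vlan"] == vid:
            if cfg["nameif"] is None:
                return name, "dropped: interface has no nameif"
            return name, "accepted on " + cfg["nameif"]
    return None, "dropped: no subinterface for VLAN %d" % vid


if __name__ == "__main__":
    samples = (
        ("untagged (ISP through a dumb switch)", build_frame()),
        ("tagged VLAN 2 (trunk from a managed switch)", build_frame(vid=2)),
        ("tagged VLAN 3 (no matching sub-interface)", build_frame(vid=3)),
    )
    for label, frame in samples:
        print(label, "->", classify(frame))
```

Run as-is, the untagged frame lands on GigabitEthernet1/2 and is dropped for lack of a nameif, which is the symptom in the question; only the frame tagged with VID 2 reaches INTERNET. The same check is worth repeating on a real capture at the ASA port if a sub-interface ever stops passing traffic after a switch change.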
Vjz1 (Author) commented:
Ok so it sounds like I need a managed switch, then have the port that the ASA plugs into, be tagged with the vlan that I assign the sub-interface. Is that right?

I'm not terribly familiar with access ports or trunking ports. Would the internet feed, be in the same vlan on the switch that the ASA is in?

I guess I'd need to put the internet on one VLAN, the same VLAN ID as I'll use on the sub-interface, then have the ASA in a different VLAN and then route between them with layer 3 routing?

Not sure I 100% understand.


Daniel Sheppard, Senior Network Analyst - Core & Perimeter, commented:
Yes, you will need a managed switch.

For the ISP side of the switch, you would need to set the port to an untagged (access) port, not a tagged (trunk) port.

This will put the ASA and ISP in the same VLAN.  There will be no routing.
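The switch side of what Daniel describes, written out as an added example in Cisco IOS syntax. The post does not name the switch model or its port numbers, so the port numbers, the VLAN name and the platform-specific commands below are assumptions; the ASA configuration from the question stays as posted (physical Gi1/2 with no nameif, sub-interface Gi1/2.2 with vlan 2 and nameif INTERNET).

```text
! Hypothetical managed-switch configuration (Cisco IOS syntax assumed)
vlan 2
 name INTERNET
!
! ISP-facing port: untagged (access) member of VLAN 2, and of no other VLAN
interface GigabitEthernet0/1
 description ISP handoff (untagged)
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
! ASA-facing port: 802.1Q trunk that carries VLAN 2 tagged
interface GigabitEthernet0/2
 description ASA Gi1/2 (tagged)
 ! needed only on platforms that also support ISL; rejected on others
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2
 switchport nonegotiate
```

Both ports are in VLAN 2 and the switch does no routing: it simply strips the tag toward the ISP and adds it toward the ASA. Restricting the trunk with `switchport trunk allowed vlan 2` also keeps the default native VLAN (1) off the ASA port, so no untagged frames arrive at Gi1/2, which has no nameif and would drop them anyway. A second circuit later gets its own VLAN and access port, is added to the allowed list on the trunk, and gets its own sub-interface on the ASA, which is the sharing the question is after.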

Vjz1 (Author) commented:
Oh ok, I get that, I don't do a ton with switches so I don't have the terminology down.

I actually tried a managed switch first, but I wondered if it was causing more trouble, that's why I switched to a dumb switch. Oops.

I can do that. I can set the ISP port to untagged (in fact it already is), and apply the vlan id tag to the ASA port.

Cool. Thanks a lot. I may not be able to try this today but I understand so I'll close the question now.

Daniel Sheppard, Senior Network Analyst - Core & Perimeter, commented:
Make sure the ISP port is untagged on VLAN 2.