1.Cisco ASA VLANs and Sub-Interfaces


Each interface on a Cisco ASA firewall is a security zone so normally this means that the number of security zones is limited to the number of physical interfaces that we have. For example, the ASA 5510 has 4 physical interfaces and often you will only see the following three security zones:

  • Inside
  • Outside
  • DMZ

For a simple scenario this is more than enough but sometimes it’s useful to create additional security zones. For example, maybe you don’t want one “big” DMZ with all your servers but more separation. You could create a security zone with all your mail servers, another one with all the DNS servers and one more with all web servers. This is a good security practice but we’ll need more interfaces to accomplish this.

Luckily the ASA supports trunking and logical interfaces which means we can create multiple logical sub-interfaces on a single physical interface. Each sub-interface can be assigned to a different security zone and they are separated by VLANs.

This means you can create way more than 4 security zones, depending on your ASA model you can create up to 1024 VLANs.

The physical interface on the ASA will become a trunk interface which is not assigned to any security zone. Each sub-interface will be configured for a VLAN, security zone and security level.

Here’s a picture to visualize this:

ASA Trunk Physical Sub Interfaces

In the example above we have a Ethernet 0/0 physical interface and two sub-interfaces:

  • Ethernet 0/0.10 will be used for security zone “INSIDE1” and uses VLAN 10.
  • Ethernet 0/0.20 will be used for security zone “INSIDE2” and uses VLAN 20.
  • The physical interface is not configured for any security zone.

Basically this is the same thing as the router on a stick configuration on Cisco IOS routers but on the ASA we also have security zones.

1.Configuration

Let’s take a look at a configuration example for this. I’ll use the following topology:

Cisco ASA Trunk Switch Routers

On the left side we have our ASA, it’s Ethernet 0/0 interface will be used for trunking. The switch in the middle is connected to two routers, R1 and R2. Each router represents a host in a different security zone:

  • INSIDE1 which uses VLAN 10 and has a security level of 70.
  • INSIDE2 which uses VLAN 20 and has a security level of 80.

Let’s start with the ASA configuration…

1.1.ASA Configuration

ASA1(config)# interface Ethernet 0/0
ASA1(config-if)# no nameif
ASA1(config-if)# no security-level 
ASA1(config-if)# no ip address 
ASA1(config-if)# no shutdown

The configuration above is the default configuration for an interface on the ASA, there should be no security zone, no security-level and no IP address. Make sure the interface is not in shutdown and we can continue with the sub-interfaces:

ASA1(config)# interface Ethernet 0/0.10
ASA1(config-subif)# vlan 10
ASA1(config-subif)# nameif INSIDE1
ASA1(config-subif)# security-level 70
ASA1(config-subif)# ip address 192.168.10.254 255.255.255.0
ASA1(config)# interface Ethernet 0/0.20
ASA1(config-subif)# vlan 20
ASA1(config-subif)# nameif INSIDE2
ASA1(config-subif)# security-level 80
ASA1(config-subif)# ip address 192.168.20.254 255.255.255.0

You can pick any number for the sub-interface but it’s convenient to use the same number as the VLAN that you want to use. The vlan command is used to specify to what VLAN the sub-interface belongs. Last but not least, we configure a security zone, security level and IP address for each sub-interface. Let’s continue with the switch configuration…

1.2.Switch Configuration

SW1(config)#interface FastEthernet 0/14
SW1(config-if)#switchport trunk encapsulation dot1q 
SW1(config-if)#switchport mode trunk 
SW1(config-if)#switchport trunk allowed vlan 10,20
SW1(config-if)#no shutdown

The interface connected to the ASA should be in trunk mode. It’s a good security practice to only allow the VLANs that we really want to use…VLAN 10 and 20 in this example. The interfaces that connect the routers should be in access mode:

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#no shutdown
SW1(config)#interface FastEthernet 0/2
SW1(config-if)#switchport mode access 
SW1(config-if)#switchport access vlan 20
SW1(config-if)#no shutdown

The interface connected to R1 should be in VLAN 10 and R2 should be in VLAN 20. We’ll configure some IP addresses on the router now:

1.3.Router Configuration

R1(config)#interface FastEthernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.254
R2(config)#interface FastEthernet 0/0
R2(config-if)#ip address 192.168.20.2 255.255.255.0
R2(config-if)#no shutdown

R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.254

Each router has an IP address and a default route that points to our ASA. Let’s verify our work!

2.Verification

We’ll start with a quick ping from the routers to their default gateway IP address:

R1#ping 192.168.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2#ping 192.168.20.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Both routers can reach the ASA, now let’s see if inter-VLAN communication works:

R2#telnet 192.168.10.1
Trying 192.168.10.1 ... Open

R2 is able to reach R1 without any issues…mission accomplished!

I hope this lesson has helped to understand trunking and sub-interfaces on the Cisco ASA firewall. If you have any questions, feel free to leave a comment.

Comments

Post a Comment

Popular posts from this blog

Cisco ASA Packet Drop Troubleshooting

Image
As a firewall, the Cisco ASA drops packets. That’s great until it drops packets that you want to permit, and you have no idea what is going on. Fortunately, the ASA supports different tools to show you why and what packets it drops. In this lesson, we’ll cover the following tools: Connection State Interface Drops Syslog ASP Drops Packet Capture Packet Tracer Service Policy Conclusion Here is the topology I use: We use a simple topology: Two “host” devices: These are routers with ip routing disabled, and they use ASA1 as their default gateway. An HTTP server is enabled on both devices. ASA1 runs ASAv Version 9.9(2) and has two interfaces: INSIDE: security level 100 OUTSIDE: security level 0 In this topology, H1 will be able to initiate a connection to H2. H2 won’t be able to initiate a connection to H1 because we go from a  low-security level (0) to a high-security level (100) . Configurations ASA1 H1 H2 hostname ASA1 ! interface GigabitEthernet0/0 nameif INSIDE security-level 100...
Read more

show asp drop Command Usage

The  show asp drop  command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the general operations configuration guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command. The following sections include each drop reason name and description, including recommendations: rame Drop Reasons   ---------------------------------------------------------------- Name: natt-keepalive NAT-T keepalive message: This counter will increment when the appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the appliance.   Recommendation: If you have configured IPSec NAT-T on your ...
Read more

1.Cisco ASA Clock Configuration

The Cisco ASA firewall has a battery on the motherboard that saves the clock settings. Even when it’s is powered off, the clock will be stored. There are two important reasons why you want to make sure that your ASA has the correct date/time: In case of a security breach you want to track log files for events. With an incorrect timestamp, your log files are useless. PKI (Public Key Infrastructure) that we use for digital certificates to authenticate remote users (IPSEC or SSL VPN) requires the correct date/time. The most simple method is to configure the date/time manually, you can do it like this: ASA1(config)# clock set 13:15:00 Dec 19 2014 Just use the  clock set  command and enter the correct time/date. You can verify it like this: ASA1# show clock 13:15:15.709 UTC Fri Dec 19 2014 As you can see, the default timezone is UTC. If you are in another timezone like me then you have to change this: ASA1(config)# clock timezone CET +1 Use the  clock timezone  command t...
Read more