2

We are upgrading from an ASA5505 to an ASA5506-X, but unlike the ASA5505, the new ASA5506-X firewall doesn't have switch ports and does not support vlans on physical interfaces. So I'm creating vlans on its subinterfaces and assigning an IP address to each, but they don't communicate with end devices, neither directly nor when using the layer 3 switch to reach the end devices.

Basically, I'm setting up the dhcp server directly on the subinterface of the asa5506-x, but it doesn't assign an IP address to the computer (when I connect the computer directly to the interface of the asa5506-x); the same happens using an SG500P switch.

I can work with the routed interface of the asa5506-x (not a sub-interface) and set up the dhcp server, but then I can't create the vlans on it, as it's limited and vlans are only supported on the sub-interfaces of this asa5506-x firewall.

Even if we don't care about the dhcp server for a moment, I simply can't log in to the ASDM using the IP address of the sub-interface, but if an IP address is given to the physical interface, I can log in via the ASDM and I can set up the dhcp server, but again no vlans on physical interfaces.

Running config of the ASA 5506-X (Note: I'm a beginner, and there are some commands I know may be wrong as I was testing):

    ASA Version 9.8(1)
    !
    hostname ASA5506-X-1038
    enable password $sha512$5000$d7ukqoZ+VKJqA80su8CGvg==$vvuGumvyoey96hWjvIBCtg== pbkdf2
    names
    !
    interface GigabitEthernet1/1
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface GigabitEthernet1/2
     nameif inside
     security-level 100
     ip address 192.168.1.2 255.255.255.0
    !
    interface GigabitEthernet1/3
     nameif protrans-int
     security-level 100
     ip address 192.168.3.3 255.255.255.0
    !
    interface GigabitEthernet1/3.3
     vlan 2
     nameif protrans
     security-level 100
     ip address 192.168.2.3 255.255.255.0
    !
    interface GigabitEthernet1/4
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/5
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/6
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/7
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/8
     no nameif
     no security-level
     no ip address
    !
    interface Management1/1
     management-only
     no nameif
     no security-level
     ip address 172.30.30.22 255.255.255.0
    !
    boot system disk0:/asa981-lfbff-k8.SPA
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network obj-protrans
     subnet 192.168.2.0 255.255.255.0
    object network 2
    object network real-inside
     subnet 192.168.2.0 255.255.255.0
    object network mapped-inside
     range 192.168.3.0 192.168.3.254
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu protrans 1500
    mtu protrans-int 1500
    no failover
    no monitor-interface service-module
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-781-150.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    arp rate-limit 16384
    !
    object network obj_any
     nat (any,outside) dynamic interface
    object network obj-protrans
     nat (protrans,protrans-int) dynamic interface
    object network real-inside
     nat (protrans,protrans-int) dynamic interface
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    timeout conn-holddown 0:00:15
    timeout igp stale-route 0:01:10
    user-identity default-domain LOCAL
    aaa authentication login-history
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.3.0 255.255.255.0 protrans-int
    http 192.168.2.0 255.255.255.0 protrans
    no snmp-server location
    no snmp-server contact
    service sw-reset-button
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    no ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config protrans-int
    !
    dhcpd address 192.168.1.5-192.168.1.254 inside
    dhcpd enable inside
    !
    dhcpd address 192.168.2.5-192.168.2.254 protrans
    dhcpd enable protrans
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    dynamic-access-policy-record DfltAccessPolicy
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
      no tcp-inspection
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:d4d1a0e542439235aa114c86f69c683d

Kindly help. Thanks!

  • You need to include your configuration, otherwise we can only guess and speculate, which is off-topic here. Commented Aug 23, 2017 at 18:10
  • @RonMaupin, I have included the configuration. Thanks! Commented Aug 23, 2017 at 18:14
  • How is the switch configured? Commented Aug 25, 2017 at 22:36
  • 1
    Sounds like a switch issue. Plugging a PC in directly won't work unless you configure the same vlan on the PC. Commented Aug 27, 2017 at 23:25
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could post and accept your own answer. Commented Dec 31, 2020 at 5:20

4 Answers

1

On the primary interface that the sub-interfaces are built under, you do not need an IP address. You will build sub-interfaces with IP addresses.

    interface GigabitEthernet1/3
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet1/3.1
     vlan 100
     nameif Wired_Network
     security-level 100
     ip address 10.10.10.1 255.255.255.0
    !
    interface GigabitEthernet1/3.2
     vlan 200
     nameif Wireless_network
     security-level 100
     ip address 10.10.20.1 255.255.255.0

Also please ensure the uplink to the L2 switch is a Trunk port to enable multiple Vlans to egress:

    interface GigabitEthernet1/0/49
     description Uplink to ASA
     switchport mode trunk

Make sure the L2 switch also has the Vlans in the database.

Apologies for the "..." as when typing it is listed as a line break but the format pushes all the content together; hope this helps!

  • Thanks for the reply. I want to tell you that I have already done this configuration, but still, after setting up the dhcp server on the firewall sub-interface, it doesn't assign ip addresses to the hosts connected to the layer 3 switch. Also, I can't access the ASDM using the host connected to the switch, which is connected to the ASA-5506-X sub-interface. Although an ip address, if given to the physical interface, works fine: I can access the ASDM and set up a DHCP server, but then I can't create vlans on it. These are the two tests I want to perform. Commented Aug 23, 2017 at 23:00
  • I'll add the dhcp part to the answer Commented Aug 24, 2017 at 5:05
0

I believe you can associate the interfaces with a vlan: the command vlan X under each interface. This will tag the traffic. link to vlan guide

For any non-directly connected networks make sure you add routes. Also, make sure you have a default route if one is needed.

These are tagged vlans. Your laptop plugging straight in won't work unless you have a nic that you can assign a vlan to. You need a switch with the vlans tagged to interface the ASA.

Once you get the proper uplink in place your dhcp should work from the ASA. Cisco calls their uplink a trunk. It's an interface that tags the required vlans and expects tags (sometimes one untagged vlan is used on the link).

For anyone that has this issue and whose dhcp is on a separate server, you'll need a dhcp relay. In a switch we use ip helper. In the ASA it's dhcp relay. Here's an example:

    dhcprelay server 198.51.100.2 Outside
    dhcprelay enable inside
    dhcprelay setroute inside

Here is the guide to help you with dhcp relay: dhcp relay guide for ASA
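To make the tagging point above concrete, here is an added example (not part of the answer) that models an 802.1Q-tagged frame leaving the ASA's VLAN 2 subinterface and what a VLAN-unaware PC, a switch access port in VLAN 2, and a VLAN-aware NIC each do with it. The MAC addresses and the DHCP payload are constructed stand-ins.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_8021Q = 0x0800, 0x8100
BROADCAST = b"\xff" * 6
ASA_MAC = bytes.fromhex("0200000000a5")             # constructed MAC for the ASA
DHCP_PAYLOAD = b"<constructed IPv4/UDP DHCP offer>"  # stands in for the real packet

def build_frame(dst, src, payload, vlan_id=None):
    """Ethernet II frame; with vlan_id, insert an 802.1Q tag (TPID 0x8100 + TCI)
    between the source MAC and the EtherType, as the ASA subinterface does."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload

def strip_tag(frame):
    """Return (vlan_id, untagged_frame); vlan_id is None when the frame has no tag."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_8021Q:
        return None, frame
    tci, = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, frame[:12] + frame[16:]

def host_receive(frame, nic_vlan=None):
    """Model a PC NIC: a VLAN-unaware NIC (nic_vlan=None) drops any tagged frame,
    a NIC bound to nic_vlan strips a matching tag; the IPv4 payload is handed up."""
    if frame is None:
        return None
    vid, untagged = strip_tag(frame)
    if vid is not None and vid != nic_vlan:
        return None
    ethertype, = struct.unpack_from("!H", untagged, 12)
    return untagged[14:] if ethertype == ETHERTYPE_IPV4 else None

def access_port_forward(frame, port_vlan):
    """Model a switch access port in port_vlan, fed from the trunk to the ASA:
    frames tagged with that VLAN leave the port untagged; nothing else leaves."""
    vid, untagged = strip_tag(frame)
    return untagged if vid == port_vlan else None

def demo():
    """The question's scenario: the ASA 'protrans' subinterface answers on VLAN 2."""
    tagged = build_frame(BROADCAST, ASA_MAC, DHCP_PAYLOAD, vlan_id=2)
    return {
        "pc_plugged_directly": host_receive(tagged),
        "pc_on_access_port_vlan2": host_receive(access_port_forward(tagged, 2)),
        "pc_on_access_port_vlan3": host_receive(access_port_forward(tagged, 3)),
        "pc_with_vlan2_nic": host_receive(tagged, nic_vlan=2),
    }
```

Only the two VLAN-aware paths deliver the payload; the directly plugged PC sees EtherType 0x8100 and never gets the DHCP offer.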

0

To find the source for your DHCP server you just need to use "show route 198.51.100.2"; with this command you can see how your ASA finds this IP address. setroute inside is not necessary, and "dhcprelay enable" works on the subinterfaces you want to use DHCP on!

0

    interface GigabitEthernet1/3
     nameif protrans-int
     security-level 100
     ip address 192.168.3.3 255.255.255.0

    interface GigabitEthernet1/3.3
     vlan 2
     nameif protrans
     security-level 100
     ip address 192.168.2.3 255.255.255.0

As per your configuration, interface Ethernet 1/3 cannot be assigned an IP address. It should be "no ip address".

Example below:

    ASA(config)# interface GigabitEthernet1/3
    ASA(config-if)# no ip address
    ASA(config-if)# security-level 100
    ASA(config-if)# no shutdown

    ASA(config)# interface GigabitEthernet1/3.3
    ASA(config-subif)# vlan 2
    ASA(config-subif)# nameif protrans
    ASA(config-subif)# security-level 100
    ASA(config-subif)# ip address 192.168.2.3 255.255.255.0
    ASA(config-subif)# no shutdown

Modify the configuration as above and try.

Configure a trunk port on the switch allowing all VLANs connecting to the ASA firewall.
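The check that answers 1 and 4 make by eye (the physical interface that parents subinterfaces should carry no IP address or nameif, every subinterface needs a vlan and a nameif, and dhcpd enable must name an existing nameif) can be scripted against a saved running-config. This is an added example, not code from the original answers; the sample config text is constructed from the question's own interface names and addresses.

```python
import re
# Constructed sample modelled on the question's config: GigabitEthernet1/3
# still carries an IP address and nameif while also parenting a subinterface.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/3
 nameif protrans-int
 ip address 192.168.3.3 255.255.255.0
!
interface GigabitEthernet1/3.3
 vlan 2
 nameif protrans
 ip address 192.168.2.3 255.255.255.0
!
dhcpd enable protrans
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its list of indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return blocks

def audit(config):
    """Flag a parent of subinterfaces still carrying 'ip address'/'nameif', a
    subinterface lacking 'vlan'/'nameif', and 'dhcpd enable' on an unknown nameif."""
    ifaces = parse_interfaces(config)
    parents = {n.rsplit(".", 1)[0] for n in ifaces if "." in n}
    findings = []
    for name, lines in ifaces.items():
        has = lambda kw: any(l.split()[:1] == [kw] for l in lines)
        if "." in name:
            findings += [f"{name}: subinterface lacks '{kw}'" for kw in ("vlan", "nameif") if not has(kw)]
        elif name in parents:
            if has("ip"):
                findings.append(f"{name}: parent of subinterfaces but has an ip address (use 'no ip address')")
            if has("nameif"):
                findings.append(f"{name}: parent of subinterfaces but has a nameif (would also pass untagged traffic)")
    nameifs = {l.split()[1] for ls in ifaces.values() for l in ls if l.startswith("nameif ")}
    for m in re.finditer(r"^dhcpd enable (\S+)", config, re.M):
        if m.group(1) not in nameifs:
            findings.append(f"dhcpd enable {m.group(1)}: no interface has that nameif")
    return findings
```

Run audit() over the output of show running-config; an empty list means the interface layout matches what the answers describe.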
