Firewall – ASA5505 switchport command

cisco-asafirewall

I've been learning how to use ASA5505 but I faced this thing: When I try to assign Ethernet0/1 with vlan 1, which is the inside network, I see no change in the answer of sh int ip bri or sh run. Why this could be happening? I do not see anything wrong with my firewall.

Best Answer

VLAN 1 (switchport access vlan 1) is the default. As such, it will not normally show in the config.

show switch vlan is the command to see what vlans are defined, and what ports are assigned to them.

The interface list will never show any IP configuration for the ethernet ports because they are part of a switch. (and you cannot no switchport them into routed interfaces.) All layer-3 configuration is via VLAN interfaces.

Related Solutions

Cisco – ASA 5505 routing issues

I would recommend using the switch as the default gateway for all of your subnets. For your scenario the default gateway of hosts on Vlan 3 should be set to 192.168.3.2 and hosts on Vlan 2 should be set to 192.168.2.254.

Cisco ASA 5505 – VPN not able to access certain network

I had to make a similar change recently. I needed to add two additional subnets. Though I used CLI rather than ASDM. With version 9.1, I created some new objects for the subnets and then it was just a matter of adding the additional subnets to the split-tunnel ACL (if used) as well as adding additional NAT rules.

For example:

object network {REMOTE_VPN_USER_SUBNET}
 subnet 10.0.1.0 255.255.255.0
object network {EXISTING_VPN_ACCESSIBLE_SUBNET_1}
 subnet 10.0.2.0 255.255.255.0
object network {NEW_VPN_ACCESSIBLE_SUBNET_2}
 subnet 10.0.3.0 255.255.254.0
object network {NEW_VPN_ACCESSIBLE_SUBNET_3}
 subnet 10.0.4.0 255.255.255.0

split-tunnel-network-list value {YOUR_SPLIT-TUNNEL_LIST}
access-list {YOUR_SPLIT-TUNNEL_LIST} standard permit 10.0.1.0 255.255.255.0 
access-list {YOUR_SPLIT-TUNNEL_LIST} standard permit 10.0.2.0 255.255.255.0 
access-list {YOUR_SPLIT-TUNNEL_LIST} standard permit 10.0.3.0 255.255.255.0 

nat (RELEVANT_INTERFACE_OR_VLAN_NAME,outside) source static {EXISTING_VPN_ACCESSIBLE_SUBNET_1} {EXISTING_VPN_ACCESSIBLE_SUBNET_1} destination static {REMOTE_VPN_USER_SUBNET} {REMOTE_VPN_USER_SUBNET} no-proxy-arp route-lookup
nat (RELEVANT_INTERFACE_OR_VLAN_NAME,outside) source static {NEW_VPN_ACCESSIBLE_SUBNET_2} {NEW_VPN_ACCESSIBLE_SUBNET_2} destination static {REMOTE_VPN_USER_SUBNET} {REMOTE_VPN_USER_SUBNET} no-proxy-arp route-lookup
nat (RELEVANT_INTERFACE_OR_VLAN_NAME,outside) source static {NEW_VPN_ACCESSIBLE_SUBNET_3} {NEW_VPN_ACCESSIBLE_SUBNET_3} destination static {REMOTE_VPN_USER_SUBNET} {REMOTE_VPN_USER_SUBNET} no-proxy-arp route-lookup

Best Answer

Related Solutions

Cisco – ASA 5505 routing issues

Cisco ASA 5505 – VPN not able to access certain network

Related Topic