Creating Multiple VLANs - ASA 5500-X Series

It's always super exciting when you can dig into your own network and get more involved in it. If you are working on a business network that might be a different story(*), unless you have a development environment. In my case, I have a really nice sized environment that I'm looking to expand into other exciting new technologies. To proceed with this I'm going to be setting up sub-interface VLANs…

When setting up sub-interfaces you will either need to use PuTTY to get into the console of the ASA remotely or utilize the ASDM software. My ASA 5506-X is set up with the Base license right now, which allows a total of 5 VLANs. If I want more VLANs I'll have to eventually upgrade to the Security Plus license or move to a larger ASA. For the moment we're just going to go with VLANs 4, 10, 12 and 15. I have some general pictures below and some snippets of config.

You will see in the config that I have a security level of 100 set on the guest VLAN. This is NOT typical, but thanks to the Ubiquiti equipment I utilize within my environment the device(s) will only send DHCP and DNS requests. Any device trying to reach out to the internet first has to go through the hotspot authentication page. This page traverses my subnet only to the controller and the DHCP/DNS server. Once the device is authenticated, access to all private address ranges is blocked. This is pretty handy when throwing APs at different family or friends' homes, or when we throw a large family party or a lot of friends come over. I'm eventually going to work on this more thoroughly and whip up a better solution.

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
interface GigabitEthernet1/2
 description LOCAL NETWORK
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet1/2.100
 description Vlan (Testing Environment)
 vlan 10
 nameif Testing-Vlan
 security-level 100
 ip address
interface GigabitEthernet1/2.101
 description Guest Network
 vlan 12
 nameif Guest
 security-level 100
 ip address

access-list Guest_access_in extended permit ip any

nat (Guest,outside) source static Guest-Vlan Guest-Vlan destination static Guest-Vlan Guest-Vlan route-lookup

1. ASA Interfaces List (screenshot)

2. Detailed GigabitEthernet 1/2.100 Information (screenshot)

3. NAT Statement For VLAN (screenshot)

4. ASA ACL Information (screenshot)

Once you have your ASA set up with the above information, the next step is to set up trunking on your switch, if it's capable of that. Thankfully I have a stack of 3750G switches that are capable. So, you will want to look at the config posted below. I've applied this config to the switch port that connects to the LAN port on my ASA.

interface GigabitEthernet1/0/1
 description Trunked ASA to LAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 4,10,12
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
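As an added check (example code, not from the post), the script below parses the ASA sub-interface blocks together with the switch trunk line and reports two things worth reviewing before trusting the pair: VLANs tagged on the ASA that the trunk does not carry, and interfaces that share a security level (the guest-at-100 case above). The vlan 15 "Lab" sub-interface in the sample is constructed, since the post plans vlan 15 but the trunk does not allow it.

```python
import re
# Added example, not from the original post. The ASA blocks follow the post's config (addresses
# omitted there too); the vlan 15 "Lab" block is constructed, as the post plans vlan 15 but the trunk does not carry it.
ASA_CONFIG = """
interface GigabitEthernet1/2
 nameif inside
 security-level 100
interface GigabitEthernet1/2.101
 vlan 12
 nameif Guest
 security-level 100
interface GigabitEthernet1/2.102
 vlan 15
 nameif Lab
 security-level 50
"""
SWITCH_TRUNK = "switchport trunk allowed vlan 4,10,12"  # the post's 3750G trunk line

def parse_asa(cfg):
    """One dict per 'interface' block: nameif, vlan (None when untagged), level."""
    ifaces, keys = [], {"nameif": "nameif", "vlan": "vlan", "security-level": "level"}
    for words in (l.split() for l in cfg.splitlines() if l.strip()):
        if words[0] == "interface":
            ifaces.append({"nameif": None, "vlan": None, "level": None})
        elif words[0] in keys:
            key = keys[words[0]]
            ifaces[-1][key] = words[1] if key == "nameif" else int(words[1])
    return ifaces

def parse_trunk(cfg):
    """VLAN IDs the trunk carries, with ranges such as 10-12 expanded."""
    allowed, m = set(), re.search(r"allowed vlan ([\d,\-]+)", cfg)
    for part in (m.group(1).split(",") if m else []):
        lo, _, hi = part.partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def audit(asa_cfg, switch_cfg):
    """Findings to clear before trusting the ASA/switch pairing."""
    ifaces, allowed = parse_asa(asa_cfg), parse_trunk(switch_cfg)
    findings = [f"{i['nameif']}: vlan {i['vlan']} is not allowed on the trunk"
                for i in ifaces if i["vlan"] is not None and i["vlan"] not in allowed]
    # Same-level interfaces cannot pass traffic to each other on an ASA unless
    # 'same-security-traffic permit inter-interface' is set, so flag them for review.
    by_level = {}
    for i in ifaces:
        by_level.setdefault(i["level"], []).append(i["nameif"])
    findings += [f"security-level {lvl} shared by {', '.join(names)}"
                 for lvl, names in sorted(by_level.items()) if len(names) > 1]
    return findings
```

Run `audit(ASA_CONFIG, SWITCH_TRUNK)` against your own `show run` output and trunk line to get the same two classes of finding for a real pair.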

* If you are not confident or do not have the understanding to apply changes to a company network, it is always best to employ a professional.
