KB ID 0001085 Dtd 18/07/15
You can take the physical interface of a Cisco ASA firewall (or an EtherChannel) and split it into sub-interfaces. This way multiple VLANs can use the same physical interface as their gateway at the same time, whilst their traffic is still kept separate.
In this scenario I'm going to have two VLANs, one for my wired clients, and one for a 'Guest WiFi' that I'm setting up. I want the guest WiFi to run in its own separate VLAN, so it can't touch my corporate network. And I want to NAT both networks to my public IP.
The maximum number of sub-interfaces depends on the hardware model's maximum number of VLANs, so;

| Model | Maximum VLANs |
|---|---|
| 5506-X | 5 (30 with Security Plus) |
| 5506-W-X | 5 (30 with Security Plus) |
| 5510 | 50 (100 with Security Plus) |
| 5512-X | 10 (100 with Security Plus) |
Note: Sub interfaces are NOT supported on the ASA 5505.
To create sub-interfaces on a physical interface, that interface must have no settings on it (other than being brought up with no shutdown).
Then create a sub-interface for each of my VLANs. First the sub-interface for VLAN 2;
Petes-ASA(config)# interface gigabitEthernet 1.2
Petes-ASA(config-subif)# vlan 2
Petes-ASA(config-subif)# nameif Corp-LAN
INFO: Security level for "Corp-LAN" set to 0 by default.
Petes-ASA(config-subif)# security-level 100
Petes-ASA(config-subif)# ip address 10.2.2.254 255.255.0.0
Petes-ASA(config-subif)# exit
Petes-ASA(config)#
Create the sub-interface for VLAN 3;
Petes-ASA(config)# interface gigabitEthernet 1.3
Petes-ASA(config-subif)# vlan 3
Petes-ASA(config-subif)# nameif Corp-WiFi
INFO: Security level for "Corp-WiFi" set to 0 by default.
Petes-ASA(config-subif)# security-level 90
Petes-ASA(config-subif)# ip address 10.3.3.254 255.255.0.0
Petes-ASA(config-subif)# exit
Petes-ASA(config)#
Note: I've manually set the security levels and made the Corp-LAN interface more trusted.
So my firewall config now looks like this;
NAT/PAT Traffic From Your Sub-Interfaces
What if you want the WiFi VLAN to have a different Public IP?
If you want to use another public IP from your public range, here is an example of the config;
OR, If you want the traffic to leave by another public interface (i.e. connected to another ISP) you can do the following;
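As an added example (my own, not the article's config), here is how the three NAT scenarios above plus the guest isolation can be written in ASA 8.3+ object NAT syntax. It assumes the Internet-facing interface is named outside, a second ISP interface would be named outside2, and 203.0.113.0/24 is a placeholder for the public range. Note the interface IPs above are /16, so the subnets being translated are 10.2.0.0/16 and 10.3.0.0/16, not /24.

```cisco
! Added example, not the article's own config.
! Assumes: outside interface named "outside", optional second ISP interface
! named "outside2", and placeholder public IP 203.0.113.10 on the outside subnet.

! --- PAT both VLANs behind the outside interface's own public IP ---
object network Corp-LAN-subnet
 subnet 10.2.0.0 255.255.0.0
 nat (Corp-LAN,outside) dynamic interface
!
object network Corp-WiFi-subnet
 subnet 10.3.0.0 255.255.0.0
 nat (Corp-WiFi,outside) dynamic interface
!
! --- Alternative: give the WiFi VLAN its own public IP from the range ---
! (replaces the Corp-WiFi nat line above; an inline single IP means PAT,
!  and the ASA proxy-ARPs for it on the outside subnet)
object network Corp-WiFi-subnet
 nat (Corp-WiFi,outside) dynamic 203.0.113.10
!
! --- Alternative: send WiFi traffic out of a second ISP interface ---
! (replaces the Corp-WiFi nat line; routing to outside2 must exist as well,
!  the NAT rule alone does not choose the exit interface)
object network Corp-WiFi-subnet
 nat (Corp-WiFi,outside2) dynamic interface
!
! --- Keep the guest VLAN off the corporate VLAN explicitly ---
! Security level 90 < 100 already blocks WiFi -> Corp-LAN by default, but
! once an ACL is applied to the interface that implicit behaviour no longer
! applies, so deny it before permitting Internet access.
access-list Corp-WiFi-in extended deny ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list Corp-WiFi-in extended permit ip 10.3.0.0 255.255.0.0 any
access-group Corp-WiFi-in in interface Corp-WiFi
```

The three Corp-WiFi-subnet stanzas are alternatives, so only one nat line should be left on that object. Check the result with show nat and packet-tracer input Corp-WiFi tcp 10.3.3.10 1234 10.2.2.10 445 before trusting the isolation.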
Setting Up The Switch
This will depend upon the vendor, but essentially if it's a Cisco switch you make the uplink switch port a 'trunk-port', and either allow ALL VLANs or just VLANs 2 and 3. Then every wired client connects to a port you have set up as an 'access-port' on VLAN 2, and all the wireless equipment plugs into ports you have made 'access-ports' on VLAN 3.
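For completeness, an added example (mine, not from the article) of the matching Cisco IOS switch configuration. The port numbers, the uplink port (Gi1/0/1) and the unused native VLAN 999 are assumptions; the VLAN numbers and names match the sub-interfaces above.

```cisco
! Added example, not the article's own config.
! Assumes: uplink to the ASA on Gi1/0/1, wired clients on Gi1/0/2-12,
! wireless APs on Gi1/0/13-24, and VLAN 999 as an unused native VLAN.
vlan 2
 name Corp-LAN
vlan 3
 name Corp-WiFi
vlan 999
 name Unused-Native
!
interface GigabitEthernet1/0/1
 description 802.1Q trunk to ASA Gi1 (sub-interfaces expect tagged frames)
 ! "switchport trunk encapsulation dot1q" is only needed/accepted on
 ! platforms that also support ISL; omit it on dot1q-only switches
 switchport mode trunk
 switchport trunk allowed vlan 2,3
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface range GigabitEthernet1/0/2 - 12
 description Wired clients
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
interface range GigabitEthernet1/0/13 - 24
 description Wireless APs (guest SSID untagged in VLAN 3)
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
```

Pruning the trunk to VLANs 2 and 3 and moving the native VLAN to an unused one means nothing untagged reaches the ASA's physical interface, which has no IP anyway, and stops an unexpected VLAN from leaking across the uplink. Verify with show interfaces trunk on the switch and show interface ip brief on the ASA.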
See the following article for more information;
Related Articles, References, Credits, or External Links