One of the advantages of the Cisco ASA firewall is that you can configure multiple virtual interfaces (subinterfaces) on the same physical interface, thus extending the number of security zones (firewall “legs”) on your network. Each subinterface must belong to a different Layer2 VLAN, with a separate Layer3 subnet.
There are limits on the number of VLANs supported on each ASA model, according to the following list:
- ASA 5505: Max 20 VLANs (with the Security Plus Software)
- ASA 5510: Max 100 VLANs (with the Security Plus Software)
- ASA 5520: Max 150 VLANs
- ASA 5540: Max 200 VLANs
- ASA 5550: Max 250 VLANs
- ASA 5580: Max 100 VLANs
Below is a snapshot of a configuration example of VLAN subinterfaces:
interface GigabitEthernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.10
description OUTSIDE1
vlan 10
nameif OUT1
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
description OUTSIDE2
vlan 20
nameif OUT2
security-level 10
ip address 10.20.20.1 255.255.255.0
!interface GigabitEthernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.30
description INSIDE1
vlan 30
nameif INSIDE1
security-level 90
ip address 10.30.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
description INSIDE2
vlan 40
nameif INSIDE2
security-level 80
ip address 10.40.40.1 255.255.255.0
!
NOTE: More discussions and Cisco ASA users’ experience of VLAN Subinterfaces on Cisco ASA 5500 Firewall Configuration you can visit: networkstraining.com
