VPN ALL

How to Configure VLAN subinterfaces on Cisco ASA 5500 Firewall

One of the advantages of the Cisco ASA firewall is that you can configure multiple virtual interfaces (subinterfaces) on the same physical interface, thus extending the number of security zones (firewall “legs”) on your network. Each subinterface must belong to a different Layer2 VLAN, with a separate Layer3 subnet.
There are limits on the number of VLANs supported on each ASA model, according to the following list:


ASA 5505: Max 20 VLANs (with the Security Plus Software)
ASA 5510: Max 100 VLANs (with the Security Plus Software)
ASA 5520: Max 150 VLANs
ASA 5540: Max 200 VLANs
ASA 5550: Max 250 VLANs
ASA 5580: Max 100 VLANsBelow is a snapshot of a configuration example of VLAN subinterfaces:
interface GigabitEthernet0/0
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.10
description OUTSIDE1
vlan 10
nameif OUT1
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
description OUTSIDE2
vlan 20
nameif OUT2
security-level 10
ip address 10.20.20.1 255.255.255.0
!
interface GigabitEthernet0/1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.30
description INSIDE1
vlan 30
nameif INSIDE1
security-level 90
ip address 10.30.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
description INSIDE2
vlan 40
nameif INSIDE2
security-level 80
ip address 10.40.40.1 255.255.255.0
!