ASA configuration with vlan trunking

This configuration snippet shows how to setup trunking to an ASA.  In this scenario we have a 5510 that supports 3 physical interfaces.  We want to provide a guest vlan on the network that customers could use to access the Internet only, however we aleady are using the 3rd interface for a DMZ.  

#  This configuration was taken from an ASA 5510 running 7.2(1) with default security assignments of 0 on the outside and 100
#  on the inside.  The dmz was given a security assignment of 50 and the guest segment was given a security assignment of 10.
#  The 3 physical interfaces are Ethernet0/0, Ethernet 0/1 and Ethernet 0/2.  Ethernet0/2 is where the vlan trunking will occur. 
#  When the trunking is performed the native vlan on the trunk needs to be something other than a vlan that is currently in use. 
#  In this example we are trunking vlan 10 and vlan 99.  The native vlan is set on the switch to something other than vlan 10 or 99. 
#  To set this up on the ASA you need to create subinterfaces associated to the vlan number.  So for vlan 10 we use interface
#  Ethernet0/2.10 and then under that interface we define that it is in vlan 10.  Now make sure that the switch port that physical
#  Ethernet0/2 is connected to is set up to do 802.1q trunking with these vlans.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

interface Ethernet0/2
 no nameif
 no security-level
 no ip address

interface Ethernet0/2.10
 vlan 10
 nameif guests
 security-level 10
 ip address 192.168.100.1 255.255.255.0

interface Ethernet0/2.99
 vlan 99
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0

#  Access lists for the outside and dmz interfaces have been omitted from this example.
#  When going from a higher interface to a lower interface a NAT and global command are used.
#  Any address on the 10.1.1.0 / 24 inside network going to the outside will use PAT translating the source IP
#  to the IP address that is configured on the outside interface above.  In this case we also want to allow anything
# from the guest segment to access the internet.  So in this case we will add one more NAT statement to allow this.

global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (guests) 1 192.168.100.0 255.255.255.0

#  Finally for reference a default route is defined to the Internet.

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1

#  Default configuration lines have been omitted.


Corresponding switch configuration for trunking to ASA

This configuration shows the switchport configuration for the port that is physically connected to the ASA's Ethernet0/2 interface.

#  On this interface we need to turn on trunking using 802.1q.  We then define the vlans we need to trunk, in this case 10 and 98.
#  The trunk native vlan by default is vlan 1.  If vlan 1 was needed to be used on the ASA, we would have needed to set the native vlan
#  to something else with an additional statement of switchport trunk native vlan xx.
#
#  This snippet was taken from a 3750 running 12.2.25 IOS.

interface FastEthernet1/0/1
 description ASA 5510 Ethernet0/2 - DMZ and Guests Vlans trunked
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,98
 switchport mode trunk
 no ip address
 no mdix auto