ASA VLANs design

Unanswered Question
Feb 13th, 2007

Dear All,

i will be thankful if u can answer this designing question.

I have cisco 4506 connected to ASA 5520 with GE port .

Now i have different servers connected to the 4506 switch .Now i want to put different servers in different zones.

Is it possible with a sigle GE port?

I heard that ASA works differently than PIX where u require a separate interface to put servers in a zone .

in ASA can u do it with VLANs???

Can somebody clarify this????

regards

Nouman Khan

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cratejockey Tue, 02/13/2007 - 08:34

The short answer is yes. The ASA has multiple modes of operation including a security context mode similar to the 6500 Firewall Service Module. In order to use these security contexts and allow multiple VLANs to terminate on an interface you will have to have the appropriate license for your ASA. You will need to talk to your Cisco SE or VAR for your pricing. Cisco's documentation for the ASA outlines this mode very well including multiple diagrams for different uses. The Cisco Press book that came out late last year for the ASA is also pretty useful but does not have all the newest CLI or ASDM commands and features that are found in 7.2(2). I hope this helps.

nomykhan Tue, 02/13/2007 - 09:02

great answer thanks

i know about security context.that was also available with PIX

Considering my scenario without security context licenses how should i configure my ASA so that different servers connected to the 4506 get diff security levels

Can i map ports of 4506 to different vlans and than assign diff security level.

i am new to security that is why asking such questions.sorry

regards

Nouman khan

cratejockey Tue, 02/13/2007 - 09:16

I hate to give you a pat answer on this part of your question...but the provided documentation will do you alot more good and allow you to customize your ASA to fit the roles you need. This link:

http://www.ciscopress.com/articles/article.asp?p=426641&seqNum=1&rl=1

has portions of the Cisco Press Book on the ASA available online. If you are just starting out with PIX and ASA's then this is a great book to pick up as a quick reference.

That link also diagrams using security contexts both in share and dedicated interface modes as well as outlines the requirements for single vs. multiple contexts.

This document should give you the nitty-gritty details you need to define your switch VLANs as well as your ASA VLANs;

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/int5505.pdf

Again sorry to just point you at docs but there are about a million ways to deploy the ASA and diving into the docs will help you zero in on your requirements and the process to reach your goals. If you have more specific questions let me know.

acomiskey Tue, 02/13/2007 - 09:23

I think we need to add that you do not need a security plus license (security contexts) to create subinterfaces (vlans) on an asa. Check "show ver" for Maximum Vlans.

Actions

This Discussion