Are Cisco ASA's the new Pix?

Oct 22nd, 2007

We have a Cisco Pix 515e (with a quad card for 4 DMZs); we are thinking of upgrading as the CPU can get high etc. What is the new model to go for that does the same job but gives us more CPU and memory?

whiteford Mon, 10/22/2007 - 06:00

Thanks, so if I was to buy a new firewall for an upgrade it would be an ASA and not another Pix?

Anand S Tue, 10/23/2007 - 01:42

YES, you are right, ASA is the replacement of PIX, since PIX does only the firewall/VPN part, whereas ASA does IDS, IPS, Anti-Virus engine plus the PIX features.

whiteford Tue, 10/23/2007 - 07:15

Our pix has a quad card to give us 4 DMZs; can the ASAs do this?

eenest Tue, 10/23/2007 - 11:14

You can use either ASA5510-SEC-BUN-K9 which has 5 Fast Ethernet interfaces or ASA5520-BUN-K9 that has 4 Gigabit Ethernet interfaces + 1 Fast Ethernet interface.

Take a look here -

At the same time you can use VLANs to create multiple sub-interfaces from a single DMZ on ASA.

As an example - ASA5510-BUN-K9 (has 3 Fast Ethernet Interfaces) can support up to 50 VLANs with the Standard and up to 100 VLANs with SecurityPlus license.

So in your situation you will need 4 VLAN interfaces to be configured on the single physical DMZ port and then connect this DMZ port to any VLAN-capable switch.

Hope this will help.

-- Eugene

whiteford Tue, 10/23/2007 - 11:31

I think you describe my current pix setup: I have 4 ports for the DMZs, and each of the 4 ports goes into a separate VLAN on my switch. Fast Ethernet 0 goes into another VLAN where my internet router is, and Fast Ethernet 1 goes to another VLAN where my LAN is. This is 6 ports; the 5520 only has 5. How can I get round this?


whiteford Tue, 10/23/2007 - 12:32

1.) So basically you can have the Fast Ethernet port for the Internet VLAN, one of the Gigabyte ports for the LAN VLAN, and the 3rd to a switch which can somehow split a single Gigabyte port into 4 DMZs?

2.) Do all Cisco switches do this? I have a 2950, a 3550 and a 3560 that the current 4 physical DMZ ports go into.

3.) I suppose if we wanted to keep this structure we could get more ports for a 5520?

jackleung Fri, 10/26/2007 - 11:28

You can have multiple VLANs from one physical interface by creating "sub-interfaces". The only catch is the interface at the other end (on your switch for example) would have to be configured as a trunk port to allow multiple VLANs.

whiteford Fri, 10/26/2007 - 11:36

It will be a Cisco 3750 switch; what will I have to put into the switch's config?

jackleung Fri, 10/26/2007 - 13:13

Go into interface config and add these commands in:

    switchport trunk encapsulation dot1q
    switchport mode trunk

whiteford Fri, 10/26/2007 - 23:52

Hi, is that put on the global interface or on the port that connects to the ASA?

Our current pix has a quad card for our 4 DMZs; these 4 ports just plug into a switch with 4 VLANs, and each port has an interface IP, so the pix is rather like a router. How will the ASA work? Can we give the 4 VLANs IPs?

jackleung Mon, 10/29/2007 - 08:53

That will be placed on the interface of the switch connected to the ASA. Basically what's going to happen is that you configure that switch port to trunk (to allow multiple VLAN traffic through), and then on the physical port on the ASA you create new logical subinterfaces for each additional gateway you need (easier to see and do on the ASDM). For example, e0/0 and e0/1 are used as Outside and Inside, so e0/2 is available. I'll then create a new interface for, say, VLAN 17 with its appropriate IP address. You'll then see a new interface called e0/2.17 or however you name it.
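Putting the two halves of this thread together (the trunk commands on the 3750 and one subinterface per DMZ VLAN on the ASA's e0/2), here is an added worked configuration; it is not from any poster in this thread. The VLAN IDs 11-14, the native VLAN 999, the 3750 port GigabitEthernet1/0/1 and the 192.0.2.0/24 addressing are constructed placeholders.

```cisco
! --- Catalyst 3750: the port that plugs into ASA Ethernet0/2 ---
interface GigabitEthernet1/0/1
 description Trunk to ASA Ethernet0/2 (DMZ VLANs only)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Carry only the four DMZ VLANs, and use an unused native VLAN so
 ! untagged frames on this link never end up in VLAN 1.
 switchport trunk allowed vlan 11-14
 switchport trunk native vlan 999
 switchport nonegotiate
!
! --- ASA: physical port carries the trunk, no IP of its own ---
interface Ethernet0/2
 description Trunk to 3750 (DMZ subinterfaces below)
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One 802.1Q subinterface per DMZ; each gets its own gateway IP,
! which replaces the four physical quad-card ports on the PIX.
interface Ethernet0/2.11
 vlan 11
 nameif dmz1
 security-level 50
 ip address 192.0.2.1 255.255.255.192
!
interface Ethernet0/2.12
 vlan 12
 nameif dmz2
 security-level 50
 ip address 192.0.2.65 255.255.255.192
!
interface Ethernet0/2.13
 vlan 13
 nameif dmz3
 security-level 50
 ip address 192.0.2.129 255.255.255.192
!
interface Ethernet0/2.14
 vlan 14
 nameif dmz4
 security-level 50
 ip address 192.0.2.193 255.255.255.192
!
! With all four DMZs at the same security level the ASA drops traffic
! between them by default; only add the line below if you actually want
! DMZ-to-DMZ traffic, and then control it with access-lists.
! same-security-traffic permit inter-interface
```

Because `show interface trunk` on the 3750 lists the VLANs actually allowed on the port, it is the quickest way to confirm that only 11-14 reach the ASA.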

whiteford Mon, 10/29/2007 - 10:17

Great, and in your example you use VLAN 17 on e0/2 (which links to the switch). If I want to add another VLAN down e0/2, can I do this, as I would need 4 for my DMZs?
