932 Views, 0 Helpful, 14 Replies

Are Cisco ASA's the new Pix?

whiteford (Level 1)

We have a Cisco PIX 515E (with a quad card for 4 DMZs); we are thinking of upgrading as the CPU can get high, etc. What is the new model to go for that does the same job but gives us more CPU and memory?

14 Replies

acomiskey (Level 10)

Thanks, so if I was to buy a new firewall for an upgrade it would be an ASA and not another Pix?

YES, you are right, the ASA is the replacement for the PIX, since the PIX does only the firewall/VPN part, whereas the ASA does IDS, IPS and an anti-virus engine plus the PIX features.

Our pix has a quad card to give us 4 DMZs can the ASAs do this?

You can use either ASA5510-SEC-BUN-K9 which has 5 Fast Ethernet interfaces or ASA5520-BUN-K9 that has 4 Gigabit Ethernet interfaces + 1 Fast Ethernet interface.

Take a look here - http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html

At the same time you can use VLANs to create multiple sub-interfaces from a single DMZ on ASA.

As an example - ASA5510-BUN-K9 (has 3 Fast Ethernet Interfaces) can support up to 50 VLANs with the Standard and up to 100 VLANs with SecurityPlus license.

So in your situation you will need 4 VLAN interfaces to be configured on the single physical DMZ port and then connect this DMZ port to any VLAN-capable switch.

Hope this will help.

-- Eugene

I think you describe my current PIX setup. I have 4 ports for the DMZs; each of the 4 ports goes into a separate VLAN on my switch. Fast Ethernet 0 goes into another VLAN where my internet router is, and Fast Ethernet 1 goes to another VLAN where my LAN is. This is 6 ports, but the 5520 only has 5. How can I get round this?

Thanks

You need only 3 physical ports:

Inside, outside and DMZ

On a single physical DMZ interface you can have multiple logical VLAN interfaces.

On the switch side you need to configure the switchport as 802.1q trunk.

Here's the link to the documentation - http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

-- Eugene

1.) So basically you can have the Fast Ethernet port for the Internet VLAN, one of the Gigabit ports for the LAN VLAN, and the 3rd to a switch which can somehow split a single Gigabit port into 4 DMZs?

2.) Do all Cisco switches do this? I have a 2950, 3550 and a 3560 that the current 4 physical DMZ ports go into.

3.) I suppose if we wanted to keep this structure we could get more ports for a 5520?

You can have multiple VLANs from one physical interface by creating "sub-interfaces". The only catch is the interface at the other end (on your switch for example) would have to be configured as a trunk port to allow multiple VLANs.

It will be a Cisco 3750 switch; what will I have to put into the switch's config?

Go into interface config and add these commands in:

 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk

Hi, is that put on the global interface or on the port that connects to the ASA?

Our current PIX has a quad card for our 4 DMZs; these 4 ports just plug into a switch with 4 VLANs, and each port has an interface IP, so the PIX is rather like a router. How will the ASA work? Can we give the 4 VLANs IPs?

That will be placed on the interface of the switch connected to the ASA. Basically what's going to happen is that you configure that switch port to trunk (to allow multiple VLAN traffic through), and then on the physical port on the ASA you create new logical subinterfaces for each additional gateway you need (easier to see and do on the ASDM). For example, e0/0 and e0/1 are used as Outside and Inside, so e0/2 is available. I'll then create a new interface for, say, VLAN 17 with its appropriate IP address. You'll then see a new interface called e0/2.17, or however you name it.

Great, and in your example you use VLAN 17 on e0/2 (which links to the switch). If I want to add another VLAN down e0/2, can I do this, as I would need 4 for my DMZs?
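Putting the replies above together, here is an added worked example (editor's addition, not configuration posted by anyone in this thread) of the two halves that have to match: the 3750 trunk port facing the ASA, and four 802.1Q subinterfaces on the ASA's single physical DMZ port, each with its own IP address, which is what replaces the four physical quad-card ports on the PIX. The VLAN numbers, IP addresses and the switch port name are assumptions chosen for illustration; the ASA interface name follows the e0/2 used in the reply above (on a 5520 the ports are named GigabitEthernet0/x instead).

```cisco
! ===== Cisco 3750 (IOS) side: the port cabled to the ASA's e0/2 =====
! Port name and VLAN IDs are assumptions for this example.
vlan 11
 name DMZ1
vlan 12
 name DMZ2
vlan 13
 name DMZ3
vlan 14
 name DMZ4
!
interface GigabitEthernet1/0/24
 description 802.1Q trunk to ASA Ethernet0/2 (DMZ subinterfaces)
 switchport trunk encapsulation dot1q
 ! Only carry the four DMZ VLANs; never let the inside/outside VLANs ride this trunk.
 switchport trunk allowed vlan 11-14
 ! Park the native (untagged) VLAN on an unused ID so no DMZ VLAN can be reached untagged.
 switchport trunk native vlan 999
 switchport mode trunk
 ! Disable DTP so the far end cannot negotiate the trunk state or extra VLANs.
 switchport nonegotiate
 spanning-tree portfast trunk
!
! ===== ASA side (ASA 7.2 syntax) =====
! Physical port: no nameif and no IP address here. It only carries the tagged
! subinterfaces below; untagged frames arriving on it are dropped.
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per DMZ VLAN; "vlan N" is the 802.1Q tag the switch sends.
! Addresses are example values.
interface Ethernet0/2.11
 vlan 11
 nameif dmz1
 security-level 50
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2.12
 vlan 12
 nameif dmz2
 security-level 50
 ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/2.13
 vlan 13
 nameif dmz3
 security-level 50
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet0/2.14
 vlan 14
 nameif dmz4
 security-level 50
 ip address 192.168.14.1 255.255.255.0
```

Two checks after applying this: on the 3750, "show interfaces trunk" should list the port as trunking with VLANs 11-14 allowed, and on the ASA "show interface ip brief" should show each Ethernet0/2.x subinterface up with its address. Giving all four DMZs the same security-level means the ASA will not pass traffic between them by default, which is usually what you want from separate DMZs; traffic from the higher-security inside interface to the DMZs is permitted by default and traffic from the DMZs towards inside is not, so the same access-list work you did on the PIX still applies per nameif.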
