Pix to ASA upgrade question

Oct 27th, 2007
Hi, we will be upgrading our Cisco Pix 515e to a Cisco ASA 5520. Our Pix has a quad card that lets us have 4 DMZ's. The 4 interface ports simply go into 4 VLANs on a Cisco 3550 switch. Each of the 4 interfaces has an IP address assigned to it, and this allows us to route traffic to these DMZ's (suppose they are just like routers/gateways).


Anyway, the ASA 5520 has 4 GB ports and 1 FE port. I have heard that just one of the GB ports can act as the 4 DMZ's if we patch it into a VLAN switch. If this is right, do these VLANs have IP addresses assigned to them like on the Pix? I'm just wondering how we will route traffic to these "new" DMZ's.


Our main routing table (core LAN switch) forwards unknown traffic (these DMZ's) to our Pix, which then knows what to do as the interfaces have the IP's.


Will the ASA work in a similar way?


JORGE RODRIGUEZ Sun, 10/28/2007 - 22:21

Hi, you have the same situation I have. I will be upgrading a 515e at another site to a 5510, a bit different than yours since you are going to a 5520 with 4 10/100/1000 ports and 1 10/100. I cannot speak from experience, but reading on the 5500's I realized you can do a lot more than with the legacy PIXes.


I inherited a network where a few sites have 515E's with quad cards for DMZ purposes; each port is configured with its unique IP and belongs to a unique DMZ VLAN on the DMZ switch environment. I have done some reading and will be taking a different approach: implementing 802.1q per interface and having several logical interfaces on a single port.


For example, your model is the 5520, with 4 10/100/1000 gig ports and 1 10/100. With just one gig port you could have your 4 DMZ networks by creating sub-interfaces off the gig port and assigning each a VLAN ID. In your case I would replace the DMZ switch with one that is gig and 802.1q capable, and trunk the ASA gig port to the switch to pass all the DMZ VLANs to the switch. Obviously create the 4 DMZ VLANs on the switch as well as a gig port on the switch to trunk with the ASA.


Based on this link http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

The 5520 can support a maximum of 150 virtual interfaces (VLANs). You would still have 3 gig ports available plus 1 in-band for management.


You asked how the 4 DMZ sub-interface VLANs created on one single gig port would route traffic to your LAN: each logical interface will have its unique IP address identifying its network, at least that is the way I understand it; if not, someone please correct me. They will route back to your LAN the same way your PIX is doing it, either by static routes or by the gig interface participating in internal OSPF.


If on PIX 6.x you can do 802.1q and create logical interfaces, I would not think the ASA 5510 or 5520 would be unable to do the same.


Rgds

Jorge




whiteford Sun, 10/28/2007 - 23:52

Thanks Jorge, that made things much clearer. Just one thing, as this trunk stuff is new to me: does trunking just make 2 devices, such as 2 switches, understand each other's VLAN information?

JORGE RODRIGUEZ Mon, 10/29/2007 - 04:18

Yes. What switch type do you have? Just make sure it supports 802.1q trunking. For example, on the switch you create the VLANs: configure the switch in VTP transparent mode and create the four VLANs. Look into how to configure VTP and VLANs in the Cisco tech docs for your model; remember the switch will be doing just layer 2 VLANs.


e.g.

switch#vlan database , then create the VLANs

DMZ1, DMZ2, DMZ3, DMZ4 etc.

switch(vlan)#vlan 2 name DMZ1

switch(vlan)#vlan 3 name DMZ2 etc.


Then on your switch uplink, or any port, create an 802.1q trunk; look into configuring trunking on your switch type.


Once you establish that trunk between the ASA and the switch, each will pass its VLAN information. Then assign each switch port to its respective VLAN for your vendors' routers or server connections, e.g. "switchport access vlan 2" for DMZ1 etc. When you create the logical interfaces on the ASA, assign each a VLAN ID to match that of the DMZ switch; the ASA will be your layer 3 device routing those logical interfaces.


HTH

Jorge
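The trunk-plus-subinterface layout described in this thread, written out as an added configuration example (not posted by either participant): the ASA 5520 side with four 802.1q subinterfaces on one gig port, and the Catalyst 3550 side with the matching VLANs, a dot1q trunk to the ASA and one access port. The VLAN IDs 2-5, the 10.1.x.0/24 addressing, the interface names and the security-level values are constructed assumptions.

```text
! ---- ASA 5520 side (constructed example) ----
! The physical port only carries the trunk: no name, no IP address
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
! One logical interface per DMZ; the VLAN ID must match the switch VLAN
interface GigabitEthernet0/1.2
 vlan 2
 nameif DMZ1
 security-level 50
 ip address 10.1.2.1 255.255.255.0
interface GigabitEthernet0/1.3
 vlan 3
 nameif DMZ2
 security-level 50
 ip address 10.1.3.1 255.255.255.0
interface GigabitEthernet0/1.4
 vlan 4
 nameif DMZ3
 security-level 50
 ip address 10.1.4.1 255.255.255.0
interface GigabitEthernet0/1.5
 vlan 5
 nameif DMZ4
 security-level 50
 ip address 10.1.5.1 255.255.255.0
! ---- Catalyst 3550 side (constructed example) ----
vtp mode transparent
vlan 2
 name DMZ1
vlan 3
 name DMZ2
vlan 4
 name DMZ3
vlan 5
 name DMZ4
! Uplink to the ASA: 802.1q trunk limited to the four DMZ VLANs
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2-5
 switchport nonegotiate
! Server port in DMZ1: plain access port, never a trunk
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 2
```

The core switch still needs routes for the four DMZ subnets (or its default route) pointing at the ASA's inside address, exactly as it does for the PIX today. With all four DMZs at the same security level the ASA will not pass traffic between them unless "same-security-traffic permit inter-interface" is configured, which keeps the DMZs isolated from each other by default.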
