cfajardo1_2 Tue, 12/18/2007 - 06:44

Sorry for the late reply. The CSS11500 supports firewall load balancing (FWLB), and in one of the modes it seems like the firewall should support multinetting (multiple IP addresses).

maratkinson Tue, 12/11/2007 - 13:12

Multinetting?


Sounds like you might be talking about ...

- VLSM (variable-length subnet masking)
- Classless Inter-Domain Routing (CIDR)
- routing prefix aggregation (also known as "supernetting" or "route summarization")

http://en.wikipedia.org/wiki/VLSM


Collin Clark Tue, 12/11/2007 - 13:18

Geez Adam I hope you knew that off the top of your head :-)


Celso, I have never tried it, but I'm pretty sure you cannot assign multiple IPs to a single interface.

acomiskey Tue, 12/11/2007 - 13:25

Haha, google is my friend.

JORGE RODRIGUEZ Tue, 12/11/2007 - 13:31

This is correct; however, the only way I see this being possible, looking at Adam's link, is if you were to use 802.1Q subinterfaces in ASA 7.x, each sub with the same security level.


Rgds

Jorge

Collin Clark Tue, 12/11/2007 - 13:46

OK, but what about routing? How can you control which interface the traffic leaves on? Assuming you care about that.

JORGE RODRIGUEZ Tue, 12/11/2007 - 14:22

What do you mean by routing? You can route between same-security interfaces without issues; subinterfaces are routed interfaces, are they not? Perhaps I don't understand you when you said "what about routing"?


Rgds

Jorge

maratkinson Tue, 12/11/2007 - 13:42

Ahh ... yes, use multiple VLANs to segment up a single interface. We have several ASA 5520's running that configuration.


Sample of such. Notice that you can assign different security levels:


interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif SUB-DMZ
 security-level 60
 no ip address
!
interface GigabitEthernet0/2.2114
 description Citrix
 vlan 2114
 nameif SUB_Citrix
 security-level 75
 ip address 172.17.122.x 255.255.255.x
!
interface GigabitEthernet0/2.2126
 description Secure Email Sub DMZ
 vlan 2126
 nameif SUB_SEC_EMAIL
 security-level 75
 ip address 172.17.123.x 255.255.255.x

JORGE RODRIGUEZ Tue, 12/11/2007 - 14:13

Marc, using your config and Adam's example link, the scenario of multiple IPs per interface could be accomplished this way:



interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif NET
 security-level 75
 no ip address
!
interface GigabitEthernet0/2.183
 description Network 183.55.2.0
 vlan 183
 nameif NET183
 security-level 75
 ip address 183.55.2.77 255.255.255.0
!
interface GigabitEthernet0/2.204
 description Network 204.238.7.0
 vlan 204
 nameif NET204
 security-level 75
 ip address 204.238.7.22 255.255.255.0
!
interface GigabitEthernet0/2.88
 description Network 88.127.6.0
 vlan 88
 nameif NET88
 security-level 75
 ip address 88.127.6.209 255.255.255.0



Use the same-security-traffic permit inter-interface command to pass traffic between these nets without the use of ACLs.



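Added example, not code from the thread or from Cisco: a small Python model of the subinterface layout Jorge posted above, covering the three points the discussion raises. It parses the config, lints the subinterfaces (unique VLAN tag per parent port, nameif and address present, no overlapping subnets), answers Collin's "which interface does the traffic leave on" question by longest-prefix match over the connected routes, and states what same-security-traffic permit inter-interface changes for a flow between two equal-level interfaces when no ACL is applied. The sample config is constructed from the post; the default route out NET204 and its next hop are my assumption and are not part of the original.

```python
import ipaddress
import re

# Constructed sample: the three subinterfaces from the post above, plus an
# assumed default route out NET204 (route line and next hop are assumptions).
SAMPLE_CONFIG = """
interface GigabitEthernet0/2.183
 vlan 183
 nameif NET183
 security-level 75
 ip address 183.55.2.77 255.255.255.0
!
interface GigabitEthernet0/2.204
 vlan 204
 nameif NET204
 security-level 75
 ip address 204.238.7.22 255.255.255.0
!
interface GigabitEthernet0/2.88
 vlan 88
 nameif NET88
 security-level 75
 ip address 88.127.6.209 255.255.255.0
!
same-security-traffic permit inter-interface
route NET204 0.0.0.0 0.0.0.0 204.238.7.1 1
"""
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")

def parse_config(text):
    """Return (interfaces, static_routes, same_sec) from an ASA config subset."""
    interfaces, routes, same_sec, cur = {}, [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            cur = {"nameif": None, "vlan": None, "security-level": None, "network": None}
            interfaces[line.split(None, 1)[1]] = cur
        elif line == "same-security-traffic permit inter-interface":
            same_sec = True
        elif (m := ROUTE_RE.match(line)):
            nameif, dst, mask, nexthop = m.groups()
            routes.append((ipaddress.ip_network(f"{dst}/{mask}"), nameif, nexthop))
        elif cur is not None:
            p = line.split()
            if p[0] == "nameif":
                cur["nameif"] = p[1]
            elif p[0] in ("vlan", "security-level"):
                cur[p[0]] = int(p[1])
            elif p[:2] == ["ip", "address"]:
                cur["network"] = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
    return interfaces, routes, same_sec

def check_subinterfaces(interfaces):
    """Lint: unique VLAN tag per parent, nameif and address present, no overlaps."""
    problems, tags = [], {}
    for name, i in interfaces.items():
        if "." not in name:
            continue
        key = (name.split(".")[0], i["vlan"])
        if i["vlan"] is None:
            problems.append(f"{name}: missing vlan tag")
        elif key in tags:
            problems.append(f"{name}: vlan {i['vlan']} already used by {tags[key]}")
        tags.setdefault(key, name)
        problems += [f"{name}: missing {f}" for f in ("nameif", "network") if i[f] is None]
    nets = [(n, i["network"]) for n, i in interfaces.items() if i["network"]]
    for idx, (a, a_net) in enumerate(nets):
        for b, b_net in nets[idx + 1:]:
            if a_net.overlaps(b_net):  # overlap makes the egress interface ambiguous
                problems.append(f"{a} and {b}: overlapping subnets {a_net} and {b_net}")
    return problems

def routing_table(interfaces, routes):
    """Connected routes from every addressed interface plus the static routes."""
    return [(i["network"], i["nameif"], None) for i in interfaces.values() if i["network"]] + list(routes)

def egress_interface(table, dst):
    """Longest-prefix match: each subinterface's connected /24 beats the /0 default."""
    dst = ipaddress.ip_address(dst)
    best = max((e for e in table if dst in e[0]), key=lambda e: e[0].prefixlen, default=None)
    return best[1] if best else None

def inter_interface_policy(interfaces, same_sec, src, dst):
    """Fate of a flow between two nameifs with no ACL applied: higher to lower passes
    by default, lower to higher needs an ACL, equal levels need same-security-traffic."""
    level = {i["nameif"]: i["security-level"] for i in interfaces.values() if i["nameif"]}
    if level[src] > level[dst]:
        return "allow: higher to lower security level"
    if level[src] < level[dst]:
        return "deny: lower to higher security level without an ACL"
    return ("allow: same-security-traffic permit inter-interface" if same_sec
            else "deny: equal security levels, same-security-traffic not enabled")

if __name__ == "__main__":
    ifaces, routes, same_sec = parse_config(SAMPLE_CONFIG)
    print(check_subinterfaces(ifaces) or "no problems")
    print(egress_interface(routing_table(ifaces, routes), "8.8.8.8"),
          inter_interface_policy(ifaces, same_sec, "NET183", "NET204"))
```

The egress answer to Collin's question is the ordinary route lookup: a packet to 183.55.2.9 leaves on NET183 because the connected 183.55.2.0/24 is more specific than the default, and anything off all three subnets follows the default route, so the only way to get ambiguity is to configure overlapping subnets on two subinterfaces, which the lint flags.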