Replace the Existing PIX with ASA

Answered Question
Mar 30th, 2008

Basically our client has 2 PIX configured as Active/Standby, and they decided to replace the devices with ASA. I found out that the existing PIX has 6 interfaces: 1 in, 1 out, 3 DMZs and 1 FO. The ASAs that my company supplied were 5520s with just 4 GE interfaces and 1 mgmt. What is the best possible solution to complete the migration without adding any module? Is it possible to create a subinterface on one of the physical interfaces and trunk it?

Correct Answer
sundar.palaniappan Sun, 03/30/2008 - 05:46

Yes, configure VLAN subinterfaces and assign different security levels to the subinterfaces; you'd do this by setting the link from the switch to the ASA as a trunk. Try to keep the outside and failover interfaces on a dedicated physical interface, if possible.


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html


HTH


Sundar

srue Sun, 03/30/2008 - 17:19

If you're using stateful failover, be sure the stateful interface is a gig interface. You can use the mgmt interface as a normal data interface by issuing the command "no management-only" on it, and then you still have 5 overall - 4x 10/100/1000, 1x 10/100.

...you can even do subinterfaces (trunking) on the mgmt interface.
