Replace the Existing PIX with ASA

Answered Question
Mar 30th, 2008

Basically, our client has 2 PIX configured as Active/Standby, and they decided to replace the devices with ASA. I found out that the existing PIX has 6 interfaces: 1 in, 1 out, 3 DMZs and 1 FO. The ASAs that my company supplied were 5520s with just 4 GE interfaces and 1 mgmt. What is the best possible solution to complete the migration without adding any module? Is it possible to create a subinterface on one of the physical interfaces and trunk it?

Correct Answer by sundar.palaniappan about 8 years 11 months ago

Yes, configure VLAN subinterfaces and assign different security levels to the subinterfaces; you'd do this by setting the link from the switch to the ASA as a trunk. Try to keep the outside and failover interfaces on a dedicated physical interface, if possible.


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html


HTH


Sundar

Overall Rating: 5 (1 ratings)
srue Sun, 03/30/2008 - 17:19

If you're using stateful failover, be sure the stateful interface is a gig interface. You can use the mgmt interface as a normal data interface by issuing the command "no management-only" on it, and then you still have 5 overall - 4x 10/100/1000, 1x 10/100.

You can even do subinterfaces (trunking) on the mgmt interface.
