Solved: Replace the Existing PIX with ASA

renato.berana · ‎03-30-2008

Basically our client has 2 PIX configured as Active/Standby, they decided to replace the devices with ASA. I found out that the existing PIX has 6 interfaces; 1 in, 1 out, 3 DMZs and 1 FO. The ASA that my company supplied was 5520s with just 4GE interfaces and 1 mgmt. What is the best possible solution to complete the migration without adding any module. Is it possible to create a subinterface on one of the physical interface and trunk it?

sundar.palaniappan · ‎03-30-2008

Yes, configure vlan subinterfaces and assign different security levels to the subinterfaces and you'd do this by setting the link from the switch to ASA as a trunk. Try to keep the outside and failover interfaces on a dedicated physical interface, if possible.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html

HTH

Sundar

View solution in original post

sundar.palaniappan · ‎03-30-2008

Yes, configure vlan subinterfaces and assign different security levels to the subinterfaces and you'd do this by setting the link from the switch to ASA as a trunk. Try to keep the outside and failover interfaces on a dedicated physical interface, if possible.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html

HTH

Sundar

srue · ‎03-30-2008

if you're using stateful failover, be sure the stateful interface is a gig interface. you can use the mgmt interface as a normal data interface by issuing the command "no management-only" on it, and then you still have 5 overall - 4x 10/100/1000, 1x 10/100.

..you can even do subinterfaces (trunking) on the mgmt interface.