physical vs logical interfaces

Unanswered Question
Jun 26th, 2008

I am setting up 2 redundant 5520s in failover mode to replace a Checkpoint FW. The new ASAs have 4 Gig and 1 Fast Ethernet interfaces to use. I need to establish 2 DMZs, 2 outside connections, and obviously 1 inside interface. Since one interface needs to be for failover, we will be short 2 physical interfaces, I think. Is my only choice to use trunking and VLANs to get the other 2 interfaces I need? We will be running in routed single context mode. Is this correct? Any help is appreciated.

JORGE RODRIGUEZ Thu, 06/26/2008 - 12:11

There is nothing wrong with using virtual interfaces; the ASA 5520 can have up to 150 virtual interfaces, so there is plenty to work with on the gigabit interfaces in the firewall. The question is how you want to plan out the use of the gigabit interfaces and their virtual interfaces in your network perimeter (inside, DMZ, and outside), and whether you will be using dedicated switches to separate inside, DMZ and outside.

1-You could use the one FastEthernet interface and trunk it to a DMZ-dedicated switch.

Create the two virtual interfaces in your firewall and the L2 DMZ VLANs in the switch.

On this interface you will have 2 DMZ networks, isolated if using a separate DMZ switch. You still have room for more growth on DMZs in the future if you need more DMZ networks off this interface. Remember you have up to 150 virtual interfaces on the ASA 5520.

2-One Gig for your inside interface (here you could also create virtual interfaces if you don't have an L3 switch for your inside network and you require more subnets, using the same security level on the subinterfaces).

3-One Gig for your outside interface; same principle with 802.1Q virtual interfaces if you need 2 outside connections.

One other thing to know is that you can use the Management0/0 interface as a LAN failover link. This, I guess, would be a last resort if you are out of physical ports, but if you want to use a gigabit for the LAN failover link that is fine.

The above scenario will still leave you with two gigabit interfaces free, plus the Mgt0/0 interface, which can also be used as a regular routed port on your model.

Rgds

-Jorge

a.alekseev Thu, 06/26/2008 - 12:23

I would use 3 GE ports.

1 Gig for 2 outside

1 Gig for 2 DMZ

1 Gig for inside

P.S. You can have only one default gateway active.
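Putting both answers together as one worked configuration (added here as an example; it is not configuration from the thread, from Cisco, or from either poster): a.alekseev's three-GE layout with Jorge's 802.1Q subinterfaces for the two outside links and the two DMZs, Gi0/3 as the LAN failover link, the matching trunk on the dedicated DMZ switch, and, because only one default route can be active at a time, a tracked backup default route on the second outside link. Every interface assignment, VLAN ID, nameif and address is an assumption; addresses are taken from the RFC 5737 and RFC 1918 ranges.

```cisco
! ASA 5520 primary unit, routed single-context mode.
! Constructed example: VLAN IDs, names and addresses are assumptions.
!
! --- Gi0/0: one physical port carrying two tagged outside connections ---
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
! --- Gi0/1: 802.1Q trunk to the DMZ switch, one subinterface per DMZ ---
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif dmz1
 security-level 50
 ip address 172.16.30.1 255.255.255.0 standby 172.16.30.2
!
interface GigabitEthernet0/1.40
 vlan 40
 nameif dmz2
 security-level 50
 ip address 172.16.40.1 255.255.255.0 standby 172.16.40.2
!
! dmz1 and dmz2 share security-level 50, so traffic between them is dropped
! unless "same-security-traffic permit inter-interface" is configured;
! leaving it off keeps the two DMZs isolated from each other.
!
! --- Gi0/2: inside ---
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
 no shutdown
!
! --- Gi0/3: dedicated LAN failover link; the stateful link shares it ---
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover
!
! --- Routing: only one default route is active at a time ---
! outside2 holds a backup default route (metric 254) that is used only
! while the ICMP probe toward the outside1 next hop is failing.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! ======================================================================
! DMZ switch side (Catalyst IOS), the port that faces ASA Gi0/1.
! Apply on the switch, not on the ASA. Only the two DMZ VLANs are allowed
! on the trunk, and DTP negotiation is disabled so the switch never
! forms a trunk toward anything other than the firewall port.
! ======================================================================
vlan 30
 name DMZ1
vlan 40
 name DMZ2
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 30,40
 switchport mode trunk
 switchport nonegotiate
```

After the secondary unit is configured with the mirrored failover statements (`failover lan unit secondary` plus the same `folink` interface and address lines), `show failover` on the ASA should report the peer as Standby Ready, `show interface ip brief` should list every subinterface as up/up, and `show route` should show a single default route via outside1 until the tracked probe fails. The `standby` addresses are what let the secondary unit take over each subinterface without any switch-side change.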
