ASA5520 SSM 20 and SSM 4GE

Nov 13th, 2008

We currently have an ASA5520 with the "SSM 4GE" card in the expansion slot. This gives us 4 extra GigabitEthernet ports.

At the moment there are 5 connections going into the firewall. They are Inside LAN, DMZ LAN, OutsideWAN1, OutsideWAN2, OutsideWAN3. The Outside WAN1,2,3 are 3 WAN connections for 3 different ISPs. Now we have got an IPS card "SSM 20". There is only one expansion slot so we have to remove the "SSM 4GE" to make space for the new card. There are four onboard ports on the device but we have 5 connections. To get around this can we put all the WAN connections into a switch and then into one port on the 5520 and then use vlans? How many vlans can we put on the one port on the 5520? Also is it possible to do route failover should one of the WAN lines go down? Is this still done with floating static routes, or is there a better way to do it? On the specification sheet it says a maximum of 150 vlans for the device, does this mean that the same 150 vlans can be applied to each port? Would you have any links to similar configuration set up? Many thanks for your help with this.

rhermes Thu, 11/13/2008 - 09:57

Sorry to hear the port limitation of the ASA has bit you too.

Your only solution is to trunk multiple vlans out of your ASA into a switch. I would worry about bandwidth contention between the vlans on a single interface (but they're GigE and you're talking about WAN speeds) more than number of vlans (do you really need more than 150 per firewall?)

Your routing and ASA specific questions might be better answered by the firewall forum.

Farrukh Haroon Sun, 11/16/2008 - 00:07

Yes AFAIK you can do all those VLANS on one port. But once you get the funds to buy 150 ISP links, just go for a bigger firewall :).

The ASA does not support multiple default routes of different interfaces, so you can only do 'backup' based on floating static routes. This is an example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Regards

Farrukh
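
The setup discussed in this thread (three ISP links trunked into one onboard port, with floating static routes for backup), sketched as an added example that is not part of the original posts or of the linked Cisco document. The VLAN IDs, the interface names `wan1`/`wan2`/`wan3`, the documentation-range addresses and the probe targets are assumptions, and the tracked routes require an ASA release that supports static route tracking.

```cisco
! Constructed example: VLAN IDs, nameifs and addresses are placeholders.
! Physical port carries only tagged traffic, so it gets no nameif or address.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One 802.1Q subinterface per ISP, each an untrusted (level 0) interface.
interface GigabitEthernet0/0.101
 vlan 101
 nameif wan1
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/0.102
 vlan 102
 nameif wan2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/0.103
 vlan 103
 nameif wan3
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! ICMP probes toward the next hop of the two preferred ISPs.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface wan1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 198.51.100.1 interface wan2
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
track 2 rtr 2 reachability
!
! Only the lowest-metric default route whose track is up is installed.
route wan1 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route wan2 0.0.0.0 0.0.0.0 198.51.100.1 100 track 2
route wan3 0.0.0.0 0.0.0.0 203.0.113.1 200
```

The switch port facing GigabitEthernet0/0 has to be an 802.1Q trunk carrying only these three VLANs, with each ISP handoff on an access port in its own VLAN so the ISP segments stay isolated from each other at layer 2.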
