Security zone across two physical interfaces

Unanswered Question
Jun 2nd, 2010

I have an ASA-5520 running IOS 8-0-4(7).

I have 24MB flash and 80MB DRAM.

I want to install a 4-port GE SSM module and interconnect two (2) different Cisco 3750 switches as such:

ASA-5520-1 -- g0/0 ------ c3750-A -- g1/0/1

ASA-5520-1 -- g1/0 ------ c3750-B -- g1/0/2

interface GigabitEthernet0/0

Description Built-in interface, connects to SWITCH-A

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/0

Description Module SSM interface, connects to SWITCH-B

no nameif

no security-level

no ip address

!

interface Redundant1

member-interface GigabitEthernet0/0

member-interface GigabitEthernet1/0

nameif DMZ

security-level 50

ip address 10.0.0.1 255.255.255.0 standby 10.0.0.254

Will the ASA-5520 Firewall allow this setup where I combine two firewall interfaces as a single security zone but then connect each firewall interface to two different switches?

Am I missing something?

Thanks for any support!!

Frank

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Wed, 06/02/2010 - 08:31

Hi Frank,


Both Gig0/0 and Gig0/1 are part of the redundant interface1
Only one will be passing traffic, the other will be in standby.

I am not able to test it right now, but I think it should work as long as the 3750 has both g1/0/1 and g1/0/2 on the same VLAN.


Federico.

fsebera Wed, 06/02/2010 - 08:36

Hey Federico,


The ASA-5520 interfaces are G0/0 and G1/0. (Not G0/0 and G0/1)

G0/0 is build into the ASA

G1/0 is on the 4-port module


Doesyour answer still apply?

Tks

Frank

Federico Coto F... Wed, 06/02/2010 - 08:43

Frank,


To be honest I don't think it should make any difference that both Gig interfaces on the ASA are on the chassis itself or on the SSM module.

But.... I have not tried it and cannot tell you for sure (i'm just letting you know what I think ;p)


Are you in a position to test it?

Otherwise I can test it but not at this time :-)


Federico.

fsebera Wed, 06/02/2010 - 09:08

Hi Federico,


I currently do not have the 4-port module. If the ASA allows the combining of multiple interfaces and then you assign the security zone to the logical interface, it really does not have to forward traffic out both interfaces. Only issue I need to figure out is how to make g0/0 the active and g1/0 the failover.


Once fedex drops off my modules, I can test.


Thanks again

Frank

Federico Coto F... Wed, 06/02/2010 - 11:03

Yes that's correct.

Both interfaces (gig0/0 and gig1/0) will be part of a logical interface.

This redundant logical interface will be the one passing traffic (using the physical gig0/0 as the primary interface and if it fails, using the gig1/0 interface or vice versa).


Federico.

Actions

This Discussion