Security zone across two physical interfaces

fsebera
Level 4

I have an ASA-5520 running IOS 8-0-4(7).

I have 24MB flash and 80MB DRAM.

I want to install a 4-port GE SSM module and interconnect two (2) different Cisco 3750 switches as such:

ASA-5520-1 -- g0/0 ------ c3750-A -- g1/0/1
ASA-5520-1 -- g1/0 ------ c3750-B -- g1/0/2

interface GigabitEthernet0/0
 description Built-in interface, connects to SWITCH-A
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 description Module SSM interface, connects to SWITCH-B
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet1/0
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.254

Will the ASA-5520 Firewall allow this setup where I combine two firewall interfaces as a single security zone but then connect each firewall interface to two different switches?

Am I missing something?

Thanks for any support!!

Frank

5 Replies

Hi Frank,

Both Gig0/0 and Gig0/1 are part of the redundant interface 1.
Only one will be passing traffic, the other will be in standby.

I am not able to test it right now, but I think it should work as long as the 3750 has both g1/0/1 and g1/0/2 on the same VLAN.

Federico.

Hey Federico,

The ASA-5520 interfaces are G0/0 and G1/0. (Not G0/0 and G0/1)

G0/0 is built into the ASA

G1/0 is on the 4-port module

Does your answer still apply?

Tks

Frank

Frank,

To be honest I don't think it should make any difference that both Gig interfaces on the ASA are on the chassis itself or on the SSM module.

But.... I have not tried it and cannot tell you for sure (I'm just letting you know what I think ;p)

Are you in a position to test it?

Otherwise I can test it but not at this time :-)

Federico.

Hi Federico,

I currently do not have the 4-port module. If the ASA allows the combining of multiple interfaces and then you assign the security zone to the logical interface, it really does not have to forward traffic out both interfaces. Only issue I need to figure out is how to make g0/0 the active and g1/0 the failover.

Once FedEx drops off my modules, I can test.

Thanks again

Frank

Yes that's correct.

Both interfaces (gig0/0 and gig1/0) will be part of a logical interface.

This redundant logical interface will be the one passing traffic (using the physical gig0/0 as the primary interface and if it fails, using the gig1/0 interface or vice versa).

Federico.
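As an added illustration (not part of the thread, and not Cisco's code), the following Python check walks a config in the shape Frank posted and verifies what the replies rely on: the Redundant interface has exactly two members, the members carry no nameif, security-level or ip address of their own, and the member listed first (here G0/0) is the one the ASA makes active by default. The sample config is constructed for the example, and the "first member listed is active" rule is Cisco's documented default behaviour, not something shown on this page.

```python
# Constructed sample in the shape of the poster's config (not a live device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
interface GigabitEthernet1/0
 no nameif
 no security-level
 no ip address
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet1/0
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.254
"""

def parse_interfaces(config):
    """Group the lines of each 'interface X' stanza under the name X."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current and line and line != "!":
            stanzas[current].append(line)
    return stanzas

def check_redundant(config):
    """Return problems found on Redundant interfaces; an empty list means consistent."""
    stanzas, problems = parse_interfaces(config), []
    for name, lines in stanzas.items():
        if not name.lower().startswith("redundant"):
            continue
        members = [l.split()[1] for l in lines if l.startswith("member-interface ")]
        if len(members) != 2:  # a redundant interface pairs exactly two physical ports
            problems.append(f"{name}: expected 2 member interfaces, found {len(members)}")
        for m in members:
            # nameif / security-level / ip address belong on the logical interface only
            for l in stanzas.get(m, []):
                if l.startswith(("nameif", "security-level", "ip address")):
                    problems.append(f"{name}: member {m} still has '{l}'")
    return problems

def active_member(config, name="Redundant1"):
    """First member-interface listed is the default active member (Cisco's documented default)."""
    return next(l.split()[1] for l in parse_interfaces(config)[name]
                if l.startswith("member-interface "))
```

Run it against a real `show running-config` dump to confirm the member ordering before cabling G0/0 and G1/0 to the two switches.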
