2 ASA 5520 Active-Standby Setup with DMZ sub-interfaces

Answered Question
Jul 27th, 2010

Hi

I would like to find out if it is possible to configure 2 DMZ IP ranges with sub-interfaces on one physical DMZ interface while maintaining the active-standby setup.

I am preparing for a DMZ IP address migration and would like to create the new DMZ IP interface as a sub-interface on the existing DMZ Interface.

This would allow me to migrate the existing DMZ servers over to the new IP range one at a time instead of a "big bang" approach.

I could not find any reference for active-standby configuration using sub-interfaces.

Appreciate any help or suggestion. I have listed the current interface configuration of my 2 ASA 5520s and the proposed configuration, which I am not sure is feasible/valid.

[ Current ]

!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address h.i.j.221 255.255.255.192 standby h.i.j.218
ospf cost 10
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.138.231.251 255.255.252.0 standby 10.138.231.250
ospf cost 10
!
interface GigabitEthernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address a.b.c.97 255.255.255.224 standby a.b.c.98
ospf cost 10
!
interface GigabitEthernet0/3
speed 100
duplex full
nameif dmz2
security-level 40
ip address x.y.z.254 255.255.255.0 standby x.y.z.253
ospf cost 10
!
interface Management0/0
description LAN/STATE Failover Interface
speed 100
duplex full
!

[ Proposed ]

!
interface GigabitEthernet0/2
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
vlan 101
nameif dmz1
security-level 50
ip address a.b.c.97 255.255.255.224 standby a.b.c.98
ospf cost 10
!
interface GigabitEthernet0/2.2
vlan 102
nameif dmz2
security-level 50
ip address <new DMZ IP active> <new DMZ mask> standby <new DMZ IP standby>
ospf cost 10
!

Correct Answer by Jennifer Halim, Tue, 07/27/2010 - 02:26

Yes, definitely can, and your proposed configuration is correct.

You just have to make sure that gig0/2 is changed from access port to trunk port, and allowing at least vlan 101 and 102.

Hope that helps.
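A small static check for the sub-interface failover layout discussed above (added example, not code from the thread or from Cisco): it parses ASA interface stanzas and reports the three things that stop a sub-interface design like the proposed one from working under active/standby: a nameif that is already in use (the proposed Gi0/2.2 reuses dmz2, which Gi0/3 already holds), a sub-interface with no vlan tag, and a named interface with no standby address. The embedded config is constructed from the thread's layout with RFC 5737 documentation addresses.

```python
"""Static checks for an ASA active/standby config that uses sub-interfaces (constructed example)."""
import re

# Constructed sample modelled on the thread's layout, with RFC 5737 addresses.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3
 nameif dmz2
 ip address 198.51.100.254 255.255.255.0 standby 198.51.100.253
!
interface GigabitEthernet0/2.1
 vlan 101
 nameif dmz1
 ip address 192.0.2.97 255.255.255.224 standby 192.0.2.98
!
interface GigabitEthernet0/2.2
 nameif dmz2
 ip address 203.0.113.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Return {interface: {nameif, vlan, ip, standby}} for each stanza."""
    ifaces, cur = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {})
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif line.startswith("vlan "):
            cur["vlan"] = int(line.split()[1])
        elif line.startswith("ip address "):
            m = re.match(r"ip address (\S+) (\S+)(?: standby (\S+))?", line)
            cur["ip"], cur["standby"] = m.group(1), m.group(3)
    return ifaces

def check_failover(config):
    """List what would break failover or sub-interface bring-up; [] means clean."""
    findings, seen = [], {}
    for name, i in parse_interfaces(config).items():
        if "nameif" not in i:
            continue  # unnamed trunk parent (no nameif) carries no traffic itself
        if i["nameif"] in seen:
            findings.append(f"{name}: nameif {i['nameif']} already used by {seen[i['nameif']]}")
        seen.setdefault(i["nameif"], name)
        if "." in name and "vlan" not in i:
            findings.append(f"{name}: sub-interface has no vlan tag")
        if i.get("ip") and not i.get("standby"):
            findings.append(f"{name}: no standby address, failover cannot use it")
    return findings
```

Giving the new sub-interface its own name, a vlan tag and a standby address clears all three findings.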
