Add interfaces to DMZ

Unanswered Question
Oct 28th, 2013

Hello Everyone

I have a new ASA 5512 which does not allow me to use VLANs like I did with the previous version. I have 3 interfaces: inside, outside and dmz. I want to add another unused interface to my DMZ network instead of uplinking my dmz interface to a switch. Before, I could create a VLAN for DMZ and then add the interfaces to that. How can I have multiple interfaces on the same network? I essentially want to make int gi0/3 into an access port on the dmz network.

Thanks in advance

Jouni Forss Mon, 10/28/2013 - 11:40

Hi,


To my understanding the only Cisco firewalls that let you use Vlan interfaces are FWSM, ASASM and ASA5505 (which has a switch module unlike other ASA models). (Don't know about the ASA V1000 since I have never even seen one.)


I don't know that there is any way to bridge the ASA5500-X Series (or even the original series) physical interfaces. They are routed interfaces and not switchports.


- Jouni

Jason Flory Mon, 10/28/2013 - 13:21

Now that I think about it, the only one I have been able to do VLANs on and place multiple interfaces in that VLAN is the 5505. I saw an article talking about bridge-groups. It did not really apply to what I am doing but left me wondering if that is something that could accomplish the same thing.


When I do a show ver it says unlimited VLANs. But it sounds like you cannot really do anything with them.


Thanks

Jouni Forss Mon, 10/28/2013 - 14:35

Hi,


To my understanding you won't be able to have 2 interfaces be part of the same subnet since all the ports are router/routed ports instead of switch ports.


You can configure a physical interface as a Trunk and configure the required Vlans on that Trunk. You can also configure an Etherchannel/Port-channel of multiple interfaces and use it as a Trunk (which would be the more logical choice with the new ASA5500-X series as they have better performance/throughput than the original ASA series).


We have actually run out of allocated Vlan interfaces on an FWSM once. The device had so many virtual firewalls (Security Contexts) that we reached the 1000 interface cap on the device.


- Jouni
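
The trunk-over-EtherChannel approach described in the reply above, sketched as an added example that is not part of the original thread. The member interfaces, VLAN IDs, the second DMZ name, security levels and IP addresses are assumptions chosen for illustration.

```cisco
! Assumed: Gi0/2 and Gi0/3 are the two links toward the DMZ switch.
! Member interfaces must carry no nameif/security-level/ip address,
! so remove "nameif dmz" from the existing physical interface first.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 channel-group 1 mode active
 no shutdown
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
 channel-group 1 mode active
 no shutdown
!
! The port-channel itself is only the trunk; it gets no name or address.
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
! One routed subinterface per VLAN carried on the trunk.
! VLAN 30 / 192.168.30.0/24 are constructed sample values.
interface Port-channel1.30
 vlan 30
 nameif dmz
 security-level 50
 ip address 192.168.30.1 255.255.255.0
!
! A second DMZ segment on the same trunk (constructed sample values).
! Each subinterface is its own subnet with its own security level.
interface Port-channel1.40
 vlan 40
 nameif dmz2
 security-level 40
 ip address 192.168.40.1 255.255.255.0
```

The switch side needs a matching LACP port-channel configured as an 802.1Q trunk carrying the same VLANs, with the DMZ hosts on access ports in those VLANs. Traffic between two hosts in the same VLAN is switched locally and never reaches the ASA, so only traffic crossing between subinterfaces or toward inside/outside is subject to its access rules.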
