Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
409
Views
0
Helpful
3
Replies

Add interfaces to DMZ

Jason Flory
Level 1
Level 1

‎10-28-2013 11:35 AM - edited ‎03-11-2019 07:56 PM

    Hello Everyone

I have a new ASA 5512 which does not allow me to use VLANs like I did with previous version.  I have 3 interfaces, inside, outside and dmz.  I want to add another unused interface to my DMZ network instead of uplinking my dmz interface to a switch.  Before i could create a vlan for DMZ and then add the interfaces to that.  How can i have multiple interfaces on the same network?   I essentionally want to make int gi0/3 into an acces port on the dmz network.

Thanks in advance              

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎10-28-2013 11:40 AM

Hi,

To my understanding the only Cisco firewalls that let you use Vlan interfaces are FWSM, ASASM and ASA5505 (which has a switch module unlike other ASA models) (Dont know about the ASA V1000 since I never even seen one)

I don't know that there is any way to bridge the ASA5500-X Series (or even the original series) physical interfaces. They are routed interfaces and not switchports.

- Jouni

0 Helpful

Jason Flory
Level 1
Level 1
In response to Jouni Forss

‎10-28-2013 01:21 PM

Now that i think about it the only one i have been able to do vlans and place muliple interfaces in that vlan is the 5505.  I saw an article talking about bridge-groups.  Did not really apply to what i am doing but left me wondering if that is something that could accomplish the same thing.

When i do a show ver it says unlimited vlans.  But sounds like you cannot really do anything with them. 

Thanks

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Jason Flory

‎10-28-2013 02:35 PM

Hi,

To my understanding you wont be able to have 2 interface be part of the same subnet since all the ports are router/routed ports instead of switch ports.

You can configure a physical interface as a Trunk and configure the required Vlans on that Trunk. You can also configure an Etherchannel/Port-channel of multiple interfaces and use it as Trunk (which would be more logical choice wih the new ASA5500-X series as they have a better performance/throughput than the original ASA series.

We have actually run out of allocated Vlan interfaces on an FWSM once. The device had so many virtual firewalls (Security Contexts) that we reached the 1000 interface cap on the device.

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card