Cisco Support Community
2 ASA 5520 Active-Standby Setup with DMZ sub-interfaces

Hi

I would like to find out if it is possible to configure 2 DMZ IP ranges with sub-interfaces on one physical DMZ interface while maintaining the active-standby setup.

I am preparing for a DMZ IP address migration and would like to create the new DMZ IP interface as a sub-interface on the existing DMZ Interface.

This would allow me to migrate the existing DMZ servers over to the new IP range one at a time instead of a "big bang" approach.

I could not find any reference for active-standby configuration using sub-interfaces.

Appreciate any help or suggestion. I have listed the current interface configuration of my 2 ASA 5520s and the proposed configuration, which I am not sure is feasible/valid.

[ Current ]

!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address h.i.j.221 255.255.255.192 standby h.i.j.218
ospf cost 10
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.138.231.251 255.255.252.0 standby 10.138.231.250
ospf cost 10
!
interface GigabitEthernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address a.b.c.97 255.255.255.224 standby a.b.c.98
ospf cost 10
!
interface GigabitEthernet0/3
speed 100
duplex full
nameif dmz2
security-level 40
ip address x.y.z.254 255.255.255.0 standby x.y.z.253
ospf cost 10
!
interface Management0/0
description LAN/STATE Failover Interface
speed 100
duplex full
!

[ Proposed ]

!
interface GigabitEthernet0/2
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
vlan 101
nameif dmz1
security-level 50
ip address a.b.c.97 255.255.255.224 standby a.b.c.98
ospf cost 10
!
interface GigabitEthernet0/2.2
vlan 102
nameif dmz2
security-level 50
ip address <new DMZ IP active> standby <new DMZ IP standby>
ospf cost 10
!

Accepted Solution

Re: 2 ASA 5520 Active-Standby Setup with DMZ sub-interfaces

Yes, definitely can, and your proposed configuration is correct.

You just have to make sure that gig0/2 is changed from access port to trunk port, and allowing at least vlan 101 and 102.

Hope that helps.
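The following is an added worked example, not configuration from the original poster or from Cisco. It carries the proposed ASA change through to a complete pair of configurations: the ASA side (entered once on the active unit; failover replicates it to the standby) and the Catalyst trunk port the answer refers to. Names and values not in the thread are assumptions: the new subinterface is called dmz-new (the proposal reuses dmz2, but the current configuration already assigns dmz2 to GigabitEthernet0/3, and nameif must be unique on an ASA), the new DMZ range is the documentation prefix 192.0.2.0/27, the switch port is GigabitEthernet1/0/10, and VLAN 999 is an otherwise unused native VLAN. Note that speed and duplex are physical-port settings and are not accepted under a subinterface.

```cisco
! ===== ASA (active unit; replicated to the standby by failover) =====
! Physical DMZ port becomes a bare 802.1Q trunk carrier: no name, no IP.
! Untagged frames arriving here have no named interface and are dropped.
interface GigabitEthernet0/2
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
! Old DMZ range, now tagged as VLAN 101. Same active and standby addresses
! as before, so the existing servers keep their default gateway.
interface GigabitEthernet0/2.1
 vlan 101
 nameif dmz1
 security-level 50
 ip address a.b.c.97 255.255.255.224 standby a.b.c.98
 ospf cost 10
!
! New DMZ range on VLAN 102. "dmz-new" and 192.0.2.0/27 are assumed values
! (the thread's own "dmz2" name is already in use on GigabitEthernet0/3).
interface GigabitEthernet0/2.2
 vlan 102
 nameif dmz-new
 security-level 50
 ip address 192.0.2.1 255.255.255.224 standby 192.0.2.2
 ospf cost 10
!
! Both DMZs share security-level 50. Without this, a server still on the
! old range cannot reach one already migrated to the new range via the ASA.
same-security-traffic permit inter-interface
!
! Failover monitors physical interfaces by default but NOT subinterfaces,
! and the physical port is no longer a named interface. Monitor both VLANs
! so a DMZ link failure still triggers a switchover.
monitor-interface dmz1
monitor-interface dmz-new
!
! ===== Catalyst switch port facing the ASA's Gi0/2 =====
! Apply the same on the switch that fronts the standby unit, and carry
! VLANs 101 and 102 across the inter-switch trunk, or the standby unit has
! no path into either DMZ after a failover.
vlan 101
 name DMZ-old
vlan 102
 name DMZ-new
!
interface GigabitEthernet1/0/10
 description ASA Gi0/2 (DMZ 802.1Q trunk)
 speed 100
 duplex full
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101,102
 switchport trunk native vlan 999
 switchport nonegotiate
 spanning-tree portfast trunk
```

Order of operations matters: create VLAN 102 and the trunk on both switches first (the ASA drops to "no ip address" on Gi0/2 for the few seconds it takes to paste the block, so paste it as one unit in a maintenance window), then add the ASA subinterfaces, then move servers one at a time by changing their access port from VLAN 101 to 102 and re-addressing them, adding the matching NAT and access-list entries for dmz-new as you go. The native VLAN is set to an unused VLAN (999) that is not in the allowed list so nothing reaches the ASA untagged, and DTP is disabled with switchport nonegotiate so the port cannot be renegotiated from the far side. On switches that only support dot1q, the switchport trunk encapsulation line is rejected and can be omitted. Keeping the existing name dmz on Gi0/2.1, rather than renaming it dmz1, also keeps any access-group, NAT and route statements bound to that name intact.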

