Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Add interfaces to DMZ

    Hello Everyone

I have a new ASA 5512 which does not allow me to use VLANs like I did with previous version.  I have 3 interfaces, inside, outside and dmz.  I want to add another unused interface to my DMZ network instead of uplinking my dmz interface to a switch.  Before i could create a vlan for DMZ and then add the interfaces to that.  How can i have multiple interfaces on the same network?   I essentionally want to make int gi0/3 into an acces port on the dmz network.

Thanks in advance              

Everyone's tags (3)
3 REPLIES
Super Bronze

Re: Add interfaces to DMZ

Hi,

To my understanding the only Cisco firewalls that let you use Vlan interfaces are FWSM, ASASM and ASA5505 (which has a switch module unlike other ASA models) (Dont know about the ASA V1000 since I never even seen one)

I don't know that there is any way to bridge the ASA5500-X Series (or even the original series) physical interfaces. They are routed interfaces and not switchports.

- Jouni

Community Member

Add interfaces to DMZ

Now that i think about it the only one i have been able to do vlans and place muliple interfaces in that vlan is the 5505.  I saw an article talking about bridge-groups.  Did not really apply to what i am doing but left me wondering if that is something that could accomplish the same thing.

When i do a show ver it says unlimited vlans.  But sounds like you cannot really do anything with them. 

Thanks

Super Bronze

Add interfaces to DMZ

Hi,

To my understanding you wont be able to have 2 interface be part of the same subnet since all the ports are router/routed ports instead of switch ports.

You can configure a physical interface as a Trunk and configure the required Vlans on that Trunk. You can also configure an Etherchannel/Port-channel of multiple interfaces and use it as Trunk (which would be more logical choice wih the new ASA5500-X series as they have a better performance/throughput than the original ASA series.

We have actually run out of allocated Vlan interfaces on an FWSM once. The device had so many virtual firewalls (Security Contexts) that we reached the 1000 interface cap on the device.

- Jouni

134
Views
0
Helpful
3
Replies
CreatePlease to create content