Cisco Support Community
New Member

ASA Cluster on 5585 and DMZ

Hello everyone!

It's time for us to move on from our old, well-known PIX-525s. Right now their main duty is to firewall between several networks. It looks like we can take a pair of ASA 5585s and replace the failover pair of PIXes.

I checked the documentation and understood that we could use Routed Firewall Mode with Equal-Cost Multi-Path Routing. But in the documentation we usually see only two segments - inside and outside (that is perfectly enough for a DC). In my case, however, we have several DMZs on our PIX. Can we create DMZs in an ASA cluster? Would that be a supported configuration?

With best regards,

Maxim

4 REPLIES
Hall of Fame Super Silver

You're mixing terms a bit - ECMP is a concept applied to dynamic routing protocols and is completely distinct from DMZs or security zones.

Any ASA configuration (including a cluster of 5585s) supports DMZs - as many as you have physical interfaces or logical subinterfaces available.

New Member

I don't mix terms. I just presented the proposed configuration for my setup.

If you take a look into the configuration guide you will probably see that in transparent mode the ASA can only have two segments - inside and outside. In the same documentation for ASA clustering all examples also have only two segments. I did not catch any restriction on why not to have a DMZ. That was why I went to the support forum and asked.

If you are sure that with an ASA cluster we can have as many DMZs as we need, that will be very good.

Please confirm it.

With best regards

Hall of Fame Super Silver (Accepted Solution)

ECMP on the ASA has some limitations, as do routing protocols in general. There is a tech note on ASA ECMP here and the routing protocol limitations are covered in the configuration guide.

The number of physical interfaces available on a 5585-X is up to 12 10/100/1000 Mbps and 8 10 Gbps physical interfaces, depending on the SSP type. The primary inside and outside interfaces plus the cluster control link(s) will use up some of those. You could use all of the rest for DMZs if your design needed that. You can further subdivide via subinterfaces (VLANs) - the ASA 5585 supports up to 250 of those.

Cisco Employee

Maxim, there is no limitation of just inside and outside in a cluster environment. You can configure as many zones as you may need (for example, dmz, sales, engineering, production, etc.) apart from the inside and outside that are detailed in the topology.

The topology contained inside & outside to keep the diagram readable for users.

Regards

Iyer
