Combining two PIX's to one ASA

Hi,

I need a little sanity check please. I want to consolidate two PIXs onto a single ASA. Each PIX currently has an IPSEC VPN that terminates on the same remote peer (our ePoP VPN router).

The plan is to have interesting traffic for both local subnets added to the crypto ACL.

Currently working is:

PIX-1 10.10.10.10 --> (inside interface) --> 1.1.1.1 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

Crypto ACL:

access-list 10 permit ip 10.10.10.0 255.255.255.0 any

PIX-2 20.20.20.20 --> (inside interface) --> 1.1.1.2 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

Crypto ACL:

access-list 20 permit ip 20.20.10.0 255.255.255.0 any

I want to do:

ASA-1 10.10.10.10 --> (DMZ-1 interface) --> 1.1.1.1 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

ASA-1 20.20.20.20 --> (DMZ-2 interface) --> 1.1.1.1 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

Crypto ACL:

access-list 10 permit ip 10.10.10.0 255.255.255.0 any

access-list 20 permit ip 20.20.10.0 255.255.255.0 any

Does anyone see any challenges with this?

Thanks, Dave

1 REPLY

Re: Combining two PIX's to one ASA

Dave,

Personally, your interesting traffic will be initialised whenever a packet from either LAN hits the PIX/ASA.

I would specify in both ACLs the remote IP subnet - just to make things clear.

Other than that - you are correct in the way you are going.

HTH
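What the consolidated ASA side looks like when the reply's advice is followed (both DMZ subnets in one crypto ACL, remote subnet stated explicitly rather than "any", one crypto map entry for the single peer). This is an added example, not the poster's or the reply's configuration: the ACL, map and transform-set names, the IKE/IPsec parameters, the pre-shared key and the remote subnet (REMOTE_NET / REMOTE_MASK) are placeholders, and the syntax assumes a pre-8.3 ASA with the "nat 0" exemption style. The local subnets and the peer 5.5.5.5 are taken from the post as written.

```cisco
! Added example, not from the original thread. Names, transform set, PSK and
! REMOTE_NET/REMOTE_MASK are assumptions; 10.10.10.0/24, 20.20.10.0/24 and
! peer 5.5.5.5 are the values given in the post.

! One crypto ACL for both DMZ subnets. Naming the remote subnet instead of
! "any" means only traffic bound for the ePoP side is matched for encryption.
access-list VPN-EPOP extended permit ip 10.10.10.0 255.255.255.0 REMOTE_NET REMOTE_MASK
access-list VPN-EPOP extended permit ip 20.20.10.0 255.255.255.0 REMOTE_NET REMOTE_MASK

! NAT exemption so the VPN traffic leaves each DMZ untranslated (pre-8.3 style).
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 REMOTE_NET REMOTE_MASK
access-list NONAT extended permit ip 20.20.10.0 255.255.255.0 REMOTE_NET REMOTE_MASK
nat (DMZ-1) 0 access-list NONAT
nat (DMZ-2) 0 access-list NONAT

! IKE phase 1 (placeholder policy values) and the LAN-to-LAN tunnel group.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK

! IPsec phase 2 and a single crypto map entry for the single peer. Both
! subnets share this one entry rather than two entries pointing at 5.5.5.5.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-EPOP
crypto map OUTSIDE-MAP 10 set peer 5.5.5.5
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
```

The remote VPN router needs the mirror image of VPN-EPOP (both local subnets as its destination) or phase 2 will fail for whichever subnet is missing. After bringing the tunnel up from each DMZ, `show crypto isakmp sa` should list one phase 1 SA to 5.5.5.5 and `show crypto ipsec sa peer 5.5.5.5` should show two IPsec SA pairs, one per ACL line, with non-zero encaps/decaps counters for each.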
