Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
819
Views
0
Helpful
3
Replies

DMZ Ports in ASA5512-X

Go to solution
Syed Farhan Ali
Level 4
Level 4

‎02-16-2014 10:30 PM - edited ‎03-11-2019 08:46 PM

Dear Team,

There is no information on the number of DMZ's that can be created on the Cisco NGN Firewalls. By default, there are 6GE Ports on the Firewall and I need to know how many DMZ's can be made on them.

Another question is what if I purchase ASA-IC-6GE-CU-A= module, how many DMZ's can I made additionally.

If there is a comparison chart on the Cisco Website, please provide me that link supporting number of DMZ's.

Regards,

Farhan.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-17-2014 01:32 AM

Hi,

I don't think the ASA really has a concept of DMZ ports/interfaces other than on ASA5505 and maybe some special model of ASA. Maybe it was ASA V1000.

In the normal ASA5500 Series and ASA5500-X Series the only limitation you have is either the amount of physical ports of if you use Trunk interface then the maximum supported Vlan ID amount. The amount of DMZs you configure is only limited by those.

There is no configuration on the ASA that would define the port as some sort of DMZ port. Generally you would just configure the interfaces ACL so that connections could not be initiated from behind this interface to the internal network.

If you want to check the supported Vlan ID amount of the ASA you have you can check this document

http://www.cisco.com/c/dam/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/at_a_glance_c45-701635.pdf

Seems your ASA model supports 50 Vlan IDs. As an extreme example it would seem to me that you could configure a single Trunk interface with 50 subinterfaces and also use the remaining 5 physical interfaces for some purpose. Though that probably would not be the ideal setup but just an example.

- Jouni

View solution in original post

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎02-17-2014 01:34 AM

The 5512 can be configured with 50 VLANs if you have a base license installed, and 100 VLANs if you have a security plus license installed. Keep in mind that a DMZ is not a feature on the ASA but just a description of the type of network that is connected to the device.  So you could have as many DMZs as there are VLANs and physial interfaces on the ASA.

Each physical interface can be divided into sub-interfaces.  So you can have several VLANs associated with a single physical interface.  I am unsure if there is a limit to how many sub-interfaces can be configured on a single physical interface, but I believe it is the same as the number of VLANs your device supports.

In addition to this you can configure each physical port (that is not used for sub-interfaces) as a DMZ.  The only difference here is how you would configure the switch the ASA is connected to.  When using sub-interfaces you would need to trunk the switch port connected to the ASA, while if using a physical port you would need to configure that switch port as an access port.

So if you have a security plus license and have 6 GE ports you could have, theoretically, 106 DMZs

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-17-2014 01:32 AM

Hi,

I don't think the ASA really has a concept of DMZ ports/interfaces other than on ASA5505 and maybe some special model of ASA. Maybe it was ASA V1000.

In the normal ASA5500 Series and ASA5500-X Series the only limitation you have is either the amount of physical ports of if you use Trunk interface then the maximum supported Vlan ID amount. The amount of DMZs you configure is only limited by those.

There is no configuration on the ASA that would define the port as some sort of DMZ port. Generally you would just configure the interfaces ACL so that connections could not be initiated from behind this interface to the internal network.

If you want to check the supported Vlan ID amount of the ASA you have you can check this document

http://www.cisco.com/c/dam/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/at_a_glance_c45-701635.pdf

Seems your ASA model supports 50 Vlan IDs. As an extreme example it would seem to me that you could configure a single Trunk interface with 50 subinterfaces and also use the remaining 5 physical interfaces for some purpose. Though that probably would not be the ideal setup but just an example.

- Jouni

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎02-17-2014 01:34 AM

The 5512 can be configured with 50 VLANs if you have a base license installed, and 100 VLANs if you have a security plus license installed. Keep in mind that a DMZ is not a feature on the ASA but just a description of the type of network that is connected to the device.  So you could have as many DMZs as there are VLANs and physial interfaces on the ASA.

Each physical interface can be divided into sub-interfaces.  So you can have several VLANs associated with a single physical interface.  I am unsure if there is a limit to how many sub-interfaces can be configured on a single physical interface, but I believe it is the same as the number of VLANs your device supports.

In addition to this you can configure each physical port (that is not used for sub-interfaces) as a DMZ.  The only difference here is how you would configure the switch the ASA is connected to.  When using sub-interfaces you would need to trunk the switch port connected to the ASA, while if using a physical port you would need to configure that switch port as an access port.

So if you have a security plus license and have 6 GE ports you could have, theoretically, 106 DMZs

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Syed Farhan Ali
Level 4
Level 4
In response to Marius Gunnerud

‎02-24-2014 03:41 AM

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card