I am setting up 2 redundant 5520s in failover mode to replace a Checkpoint FW. The new ASAs have 4 Gigabit and 1 Fast Ethernet interfaces to use. I need to establish 2 DMZs, 2 outside connections, and obviously 1 inside interface. Since one interface needs to be for failover, we will be short 2 physical interfaces, I think. Is my only choice to use trunking and VLANs to get the other 2 interfaces I need? We will be running in routed single context mode. Is this correct? Any help is appreciated.
There is nothing wrong with using virtual interfaces. The ASA 5520 can have up to 150 virtual interfaces, so there is plenty to work with on the Gigabit interfaces in the firewall. The question is how you want to plan out the use of the Gigabit interfaces and their virtual interfaces in your network perimeter (inside, DMZ, and outside), and whether you will be using dedicated switches to separate inside, DMZ and outside.
1-You could use the 1 FastEthernet interface and trunk it to a DMZ-defined switch.
Create the two virtual interfaces in your firewall and the L2 DMZ VLANs in the switch.
On this interface you will have 2 DMZ networks, isolated if using a separate DMZ switch. You still have room for more DMZ growth in the future if you need more DMZ networks off this interface. Remember you have up to 150 virtual interfaces on the ASA 5520.
2-One Gig for your inside interface (here you could also create virtual interfaces if you don't have an L3 switch for your inside network and require more subnets, using the same security level on the sub-interfaces).
3-One Gig for your outside interface, same principle with 802.1q virtual interfaces if you need 2 outside connections.
One other thing to know is that you can use the Management0/0 interface as a LAN failover link. I guess this would be a last resort if you are out of physical ports, but if you want to use a Gigabit port for the LAN failover link that is fine.
The above scenario will still leave you with two Gigabit interfaces free, plus the mgt0/0 interface, which can also be used as a regular routed port on your model.
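To make the layout in the reply above concrete, here is an added ASA configuration fragment (not from the original poster or reply) for a 5520 pair in routed single-context mode: two DMZs as 802.1q sub-interfaces on one trunk port, two outside connections as sub-interfaces on another, a dedicated inside port, and Management0/0 as the LAN failover link. Which physical port carries which role, the VLAN IDs, and all addresses are assumptions for illustration.

```cisco
! Added example: ASA 5520, routed single-context mode, 8.x syntax.
! Port roles, VLAN IDs and addresses are assumptions, not from the thread.
!
! Trunk to the DMZ switch: the parent port carries no nameif, only the sub-interfaces do.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz1
 security-level 50
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz2
 security-level 40
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
!
! Two outside connections on one Gigabit port, both at security-level 0.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.101
 vlan 101
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/0.102
 vlan 102
 nameif outside2
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! Management0/0 as the LAN failover link; it must not carry a nameif of its own.
failover lan unit primary
failover lan interface folink Management0/0
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
```

Because both DMZs share one physical link, their isolation depends on the DMZ switch only tagging VLANs 10 and 20 toward the firewall, so audit the switch trunk allowed-VLAN list as part of the cutover. The two outside sub-interfaces sit at the same security level, so traffic between them stays denied unless same-security-traffic is explicitly permitted.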