03-30-2008 05:10 AM - edited 03-11-2019 05:24 AM
Basically, our client has 2 PIX configured as Active/Standby, and they decided to replace the devices with ASA. I found out that the existing PIX has 6 interfaces: 1 in, 1 out, 3 DMZs and 1 FO. The ASAs that my company supplied were 5520s with just 4 GE interfaces and 1 mgmt. What is the best possible solution to complete the migration without adding any module? Is it possible to create a subinterface on one of the physical interfaces and trunk it?
03-30-2008 05:46 AM
Yes, configure VLAN subinterfaces and assign different security levels to the subinterfaces; you'd do this by setting the link from the switch to the ASA as a trunk. Try to keep the outside and failover interfaces on a dedicated physical interface, if possible.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html
HTH
Sundar
03-30-2008 05:19 PM
If you're using stateful failover, be sure the stateful interface is a gig interface. You can use the mgmt interface as a normal data interface by issuing the command "no management-only" on it, and then you still have 5 overall - 4x 10/100/1000, 1x 10/100.
You can even do subinterfaces (trunking) on the mgmt interface.