Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Replace the Existing PIX with ASA

Basically our client has 2 PIX configured as Active/Standby, they decided to replace the devices with ASA. I found out that the existing PIX has 6 interfaces; 1 in, 1 out, 3 DMZs and 1 FO. The ASA that my company supplied was 5520s with just 4GE interfaces and 1 mgmt. What is the best possible solution to complete the migration without adding any module. Is it possible to create a subinterface on one of the physical interface and trunk it?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Replace the Existing PIX with ASA

Yes, configure vlan subinterfaces and assign different security levels to the subinterfaces and you'd do this by setting the link from the switch to ASA as a trunk. Try to keep the outside and failover interfaces on a dedicated physical interface, if possible.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html

HTH

Sundar

2 REPLIES

Re: Replace the Existing PIX with ASA

Yes, configure vlan subinterfaces and assign different security levels to the subinterfaces and you'd do this by setting the link from the switch to ASA as a trunk. Try to keep the outside and failover interfaces on a dedicated physical interface, if possible.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html

HTH

Sundar

Gold

Re: Replace the Existing PIX with ASA

if you're using stateful failover, be sure the stateful interface is a gig interface. you can use the mgmt interface as a normal data interface by issuing the command "no management-only" on it, and then you still have 5 overall - 4x 10/100/1000, 1x 10/100.

..you can even do subinterfaces (trunking) on the mgmt interface.

123
Views
0
Helpful
2
Replies
CreatePlease login to create content