We have a Cisco PIX 515E (with a quad card for 4 DMZs), and we are thinking of upgrading as the CPU can get high etc. What is the new model to go for that does the same job but gives us more CPU and memory?
Yes, you are right, the ASA is the replacement for the PIX, since the PIX does only the firewall/VPN part, whereas the ASA does IDS, IPS and an anti-virus engine plus the PIX features.
You can use either the ASA5510-SEC-BUN-K9, which has 5 Fast Ethernet interfaces, or the ASA5520-BUN-K9, which has 4 Gigabit Ethernet interfaces + 1 Fast Ethernet interface.
At the same time you can use VLANs to create multiple sub-interfaces from a single DMZ on ASA.
As an example, the ASA5510-BUN-K9 (which has 3 Fast Ethernet interfaces) can support up to 50 VLANs with the Standard license and up to 100 VLANs with the Security Plus license.
So in your situation you will need 4 VLAN interfaces configured on the single physical DMZ port, and then connect this DMZ port to any VLAN-capable switch.
Hope this will help.
I think you are describing my current PIX setup: I have 4 ports for the DMZs, and each of the 4 ports goes into a separate VLAN on my switch. Fast Ethernet 0 goes into another VLAN where my Internet router is, and Fast Ethernet 1 goes to another VLAN where my LAN is. That is 6 ports; the 5520 only has 5. How can I get round this?
You need only 3 physical ports:
inside, outside and DMZ.
On a single physical DMZ interface you can have multiple logical VLAN interfaces.
On the switch side you need to configure the switchport as an 802.1q trunk.
Here's the link to the documentation - http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006
1.) So basically you can have the Fast Ethernet port for the Internet VLAN, one of the Gigabit ports for the LAN VLAN and the 3rd to a switch which can somehow split a single Gigabit port into 4 DMZs?
2.) Do all Cisco switches do this? I have a 2950, a 3550 and a 3560 that the current 4 physical DMZ ports go into.
3.) I suppose if we wanted to keep this structure we could get more ports for a 5520?
You can have multiple VLANs from one physical interface by creating "sub-interfaces". The only catch is the interface at the other end (on your switch for example) would have to be configured as a trunk port to allow multiple VLANs.
Hi, is that put on the global interface or on the port that connects to the ASA?
Our current PIX has a quad card for our 4 DMZs; these 4 ports just plug into a switch with 4 VLANs, and each port has an interface IP, so the PIX is rather like a router. How will the ASA work? Can we give the 4 VLANs IPs?
That will be placed on the interface of the switch connected to the ASA. Basically what's going to happen is that you configure that switch port to trunk (to allow multiple VLANs' traffic through), and then on the physical port on the ASA you create new logical subinterfaces for each additional gateway you need (easier to see and do in ASDM). For example, e0/0 and e0/1 are used as Outside and Inside, so e0/2 is available. I'll then create a new interface for, say, VLAN 17 with its appropriate IP address. You'll then see a new interface called e0/2.17 or however you name it.
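The procedure described in the answers above (one physical ASA port carrying four DMZs as 802.1q subinterfaces, with the switch port facing it configured as a trunk), written out as an added configuration example. It is not from this thread or from Cisco's documentation. It assumes ASA 7.x-style syntax with Ethernet0/2 as the DMZ trunk port (on a 5520 the port would be named GigabitEthernet0/2), four constructed DMZ VLAN IDs 11 to 14 with 10.11.0.0/24 through 10.14.0.0/24 addressing, and GigabitEthernet0/1 as the Catalyst port facing the ASA; adjust the names and numbers to your own setup.

```cisco
! ===== ASA side (ASA 7.x-style syntax; all values below are constructed) =====
! The physical port carries only tagged frames: leave it unnamed and
! unaddressed, but it must be enabled or every subinterface stays down.
interface Ethernet0/2
 description 802.1q trunk to DMZ switch
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One logical subinterface per DMZ VLAN, each with its own name, security
! level and gateway address: this replaces the four quad-card ports.
interface Ethernet0/2.11
 vlan 11
 nameif dmz1
 security-level 50
 ip address 10.11.0.1 255.255.255.0
!
interface Ethernet0/2.12
 vlan 12
 nameif dmz2
 security-level 50
 ip address 10.12.0.1 255.255.255.0
!
interface Ethernet0/2.13
 vlan 13
 nameif dmz3
 security-level 50
 ip address 10.13.0.1 255.255.255.0
!
interface Ethernet0/2.14
 vlan 14
 nameif dmz4
 security-level 50
 ip address 10.14.0.1 255.255.255.0
!
! Verify on the ASA: each dmzN subinterface should be up/up with its address.
!   show interface ip brief
!   show nameif

! ===== Catalyst switch side (3550/3560 syntax; the 2950 has no
! "switchport trunk encapsulation" command because it only does dot1q) =====
vlan 11
 name DMZ1
vlan 12
 name DMZ2
vlan 13
 name DMZ3
vlan 14
 name DMZ4
!
interface GigabitEthernet0/1
 description Trunk to ASA Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Carry only the DMZ VLANs: the inside and outside VLANs must not be
 ! reachable over this trunk, or traffic could bypass the firewall.
 switchport trunk allowed vlan 11,12,13,14
 ! The ASA does not speak DTP, so make the trunk static rather than negotiated.
 switchport nonegotiate
 no shutdown
!
! Verify on the switch: "show interfaces trunk" should list Gi0/1 as
! trunking with VLANs 11-14 allowed and active.
```

Because all four subinterfaces share security-level 50, the ASA drops traffic between the DMZs by default (it is only forwarded if you explicitly configure `same-security-traffic permit inter-interface`), so the separation the quad card gave you is preserved. The number of subinterfaces you can create is bounded by the VLAN limit of your license, which an earlier answer gives as 50 on the Standard license and 100 on Security Plus for the 5510.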
Great, and in your example you use VLAN 17 on e0/2 (which links to the switch). If I want to add another VLAN down e0/2, can I do this, as I would need 4 for my DMZs?