Cisco Support Community
Community Member

ASA Question

Hi all.

I'm now managing two ASAs (5520 and 5510). These have, in my mind, been configured poorly.

The 5510 has its external interface connected to a DMZ interface of the 5520.

SSL and IPsec VPNs are terminated on the external interface of the 5510.

Can I easily add configuration to the 5520 without destroying the connectivity to the 5510?

I'm 95% sure I can. A few people wish to lab this. I'm sure it doesn't require a lab.

Effectively, terminating SSL and IPsec on both "external" interfaces. I'll then migrate users to the 5520.

Appreciate any information!!!

Hall of Fame Super Blue

Re: ASA Question


It really depends on what configuration you are adding to the ASA 5520. I can think of a lot of config you could add that would not impact the 5510, but then again I can think of config that would.

Could you be a bit more specific in the config you want to add?


Community Member

Re: ASA Question

Thanks John.

Crypto map

crypto dynamic-map

relevant ISAKMP policies

tunnel-group commands


Enough to terminate SSL and IPsec on the external interface of the 5520, while concurrently terminating SSL and IPsec on the 5510.

I plan on not overlapping any IP subnets for remote users until I sign off on 5520 remote access.

Configuration of subnets to be ported in order to decommission the 5510.

No LAN-2-LAN. Nothing really fancy. Just the ability to run concurrent SSL VPN and IPsec VPN on the two ASAs. Just very vanilla configuration.

Does that help?

I just don't want to find out during configuration that my 5520 is intercepting anything for the 5510.

clear as mud?


Hall of Fame Super Blue

Re: ASA Question


No, a bit clearer than mud :)

I can't see any reason why you cannot have both firewalls terminating SSL and IPsec traffic on their external interfaces. As long as you keep the addressing totally separate, so there is no confusion in routing the packets, you should be fine.
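To show what the config list from the previous post looks like on the 5520 while honouring the separate-addressing advice above, here is an added example (not from any poster, and not from the thread's actual devices). It assumes ASA 8.4 or later syntax (on 8.2 the equivalents are `crypto isakmp enable`, `crypto ipsec transform-set` and `vpn-tunnel-protocol IPSec svc`); the interface name `outside`, the pool 10.250.20.0/24 and every name ending in `-5520` are constructed placeholders.

```cisco
! Added example, not the thread's own config. Remote-access IPsec (IKEv1) and
! SSL termination on the 5520 "outside" interface. Nothing here references the
! DMZ interface that faces the 5510, so the 5510's existing path is untouched.
! Assumptions: ASA 8.4+ syntax; interface "outside"; pool 10.250.20.0/24 and
! all *-5520 names are placeholders.

! Phase 1 policy for remote-access clients
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 transform set, attached to a dynamic map because client
! addresses are not known in advance
crypto ipsec ikev1 transform-set RA-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-RA-5520 10 set ikev1 transform-set RA-AES256-SHA

! Dynamic map goes in as the last (highest sequence) entry of the outside map
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-RA-5520
crypto map OUTSIDE-MAP interface outside

! Client pool: must NOT overlap the pool still handed out by the 5510,
! otherwise return traffic for 5510 users can be routed toward the 5520
ip local pool RA-POOL-5520 10.250.20.1-10.250.20.254 mask 255.255.255.0

! Group policy permitting both IPsec (IKEv1) and AnyConnect SSL clients
group-policy RA-GP-5520 internal
group-policy RA-GP-5520 attributes
 vpn-tunnel-protocol ikev1 ssl-client

! Tunnel group: pool, policy and the IKEv1 pre-shared key
tunnel-group RA-5520 type remote-access
tunnel-group RA-5520 general-attributes
 address-pool RA-POOL-5520
 default-group-policy RA-GP-5520
tunnel-group RA-5520 ipsec-attributes
 ikev1 pre-shared-key <replace-with-strong-key>

! SSL VPN on the same outside interface (an AnyConnect image must already
! be installed on the 5520 for client connections)
webvpn
 enable outside
```

Before cutting over, `show vpn-sessiondb` on each box confirms that sessions land on the intended ASA, and `show route` on the 5520 verifies the 5510's client pool is still reached via the DMZ interface rather than being absorbed by the new pool.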


Community Member

Re: ASA Question

Thanks champ!

Not sure why the external interface of the 5510 was dropped into the DMZ of the 5520.

I'd have done the internal perhaps and run the two externals in the same subnet.

But anyway.........


Hall of Fame Super Blue

Re: ASA Question

Yes, so would I, but I have seen it done like this before.

Advantage is that you can make sure only IPsec / SSL traffic goes to the outside interface of the 5510.

But you could do this on your upstream router.

Downside, and it can be quite a big one: it can really play havoc with NAT etc.

