https://community.cisco.com/t5/network-security/adding-a-new-vlan-to-existing-dmz-interface-on-asa-5520/m-p/2500692#M234458 <P>I have a pair of ASA 5520's in active/standby with a leg off the firewall being used for the DMZ servers. &nbsp;The interface has an IP address on it. &nbsp;Now I need to add a second vlan off this interface. &nbsp;I realize that I will have to pull off the Ip address off the interface and then create 2 sub-interfaces. &nbsp;But any one know what other changes will I have to make? &nbsp;Will I recreate all the access-lists or will they work if the nameif is recreated?</P><P>I am trying to figure out how much time I need to tell people for downtime.</P><P>&nbsp;</P><P>I was going to shut down the standby firewall and I screw something up majorly, use that one to go back to a working state. &nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>As a side note, is there anywhere I can test my configs before applying them? &nbsp;I have heard of GNS3, is there something similar online?</P><P>&nbsp;</P><P>Thanks</P> Tue, 12 Mar 2019 04:51:00 GMT johnvojtech 2019-03-12T04:51:00Z https://community.cisco.com/t5/network-security/adding-a-new-vlan-to-existing-dmz-interface-on-asa-5520/m-p/2500692#M234458 <P>I have a pair of ASA 5520's in active/standby with a leg off the firewall being used for the DMZ servers. &nbsp;The interface has an IP address on it. &nbsp;Now I need to add a second vlan off this interface. &nbsp;I realize that I will have to pull off the Ip address off the interface and then create 2 sub-interfaces. &nbsp;But any one know what other changes will I have to make? &nbsp;Will I recreate all the access-lists or will they work if the nameif is recreated?</P><P>I am trying to figure out how much time I need to tell people for downtime.</P><P>&nbsp;</P><P>I was going to shut down the standby firewall and I screw something up majorly, use that one to go back to a working state. &nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>As a side note, is there anywhere I can test my configs before applying them? &nbsp;I have heard of GNS3, is there something similar online?</P><P>&nbsp;</P><P>Thanks</P> Tue, 12 Mar 2019 04:51:00 GMT https://community.cisco.com/t5/network-security/adding-a-new-vlan-to-existing-dmz-interface-on-asa-5520/m-p/2500692#M234458 johnvojtech 2019-03-12T04:51:00Z https://community.cisco.com/t5/network-security/adding-a-new-vlan-to-existing-dmz-interface-on-asa-5520/m-p/2500693#M234459 <P><EM><STRONG>But any one know what other changes will I have to make? </STRONG></EM>&nbsp;</P><P>With regards to setting up the interfaces no other changes need to be made.&nbsp; Just add the security level, name, IP and no shut and you are good to go.</P><P><EM><STRONG>Will I recreate all the access-lists or will they work if the nameif is recreated?</STRONG></EM></P><P>Depending on how the ACLs are set up, I would assume you will not have to recreate these (unless they reference the interface you are pulling down.</P><P>You will need to recreate all commands that reference the interface you are pulling down. So, lets take the ACL for example. The access-group command will need to be reappled as it references the ingress interface (lets call the interface inside).&nbsp; So if you have an ACL assigned to the inside interface you will need to reassign it to that interface after you have recreated it as a sub interface</P><P>you will also need to recreate all NAT statements that reference the interface you are pulling down.</P><P>So, I suggest you go through your configuration file and take note of all the commands that reference the interface.</P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Thu, 02 Oct 2014 08:55:46 GMT https://community.cisco.com/t5/network-security/adding-a-new-vlan-to-existing-dmz-interface-on-asa-5520/m-p/2500693#M234459 Marius Gunnerud 2014-10-02T08:55:46Z