topic Re: Security zone across two physical interfaces in Network Security

Security zone across two physical interfaces

fsebera — Mon, 11 Mar 2019 17:53:57 GMT

I have an ASA-5520 running IOS 8-0-4(7).

I have 24MB flash and 80MB DRAM.

I want to install a 4-port GE SSM module and interconnect two (2) different Cisco 3750 switches as such:

ASA-5520-1 -- g0/0 ------ c3750-A -- g1/0/1

ASA-5520-1 -- g1/0 ------ c3750-B -- g1/0/2

interface GigabitEthernet0/0

Description Built-in interface, connects to SWITCH-A

no nameif

no security-level

no ip address

interface GigabitEthernet1/0

Description Module SSM interface, connects to SWITCH-B

no nameif

no security-level

no ip address

interface Redundant1

member-interface GigabitEthernet0/0

member-interface GigabitEthernet1/0

nameif DMZ

security-level 50

ip address 10.0.0.1 255.255.255.0 standby 10.0.0.254

Will the ASA-5520 Firewall allow this setup where I combine two firewall interfaces as a single security zone but then connect each firewall interface to two different switches?

Am I missing something?

Thanks for any support!!

Frank

Re: Security zone across two physical interfaces

Federico Coto Fajardo — Wed, 02 Jun 2010 15:31:30 GMT

Hi Frank,

Both Gig0/0 and Gig0/1 are part of the redundant interface1
Only one will be passing traffic, the other will be in standby.

I am not able to test it right now, but I think it should work as long as the 3750 has both g1/0/1 and g1/0/2 on the same VLAN.

Federico.

Re: Security zone across two physical interfaces

fsebera — Wed, 02 Jun 2010 15:36:17 GMT

Hey Federico,

The ASA-5520 interfaces are G0/0 and G1/0. (Not G0/0 and G0/1)

G0/0 is build into the ASA

G1/0 is on the 4-port module

Doesyour answer still apply?

Tks

Frank

Re: Security zone across two physical interfaces

Federico Coto Fajardo — Wed, 02 Jun 2010 15:43:25 GMT

Frank,

To be honest I don't think it should make any difference that both Gig interfaces on the ASA are on the chassis itself or on the SSM module.

But.... I have not tried it and cannot tell you for sure (i'm just letting you know what I think ;p)

Are you in a position to test it?

Otherwise I can test it but not at this time 🙂

Federico.

Re: Security zone across two physical interfaces

fsebera — Wed, 02 Jun 2010 16:08:47 GMT

Hi Federico,

I currently do not have the 4-port module. If the ASA allows the combining of multiple interfaces and then you assign the security zone to the logical interface, it really does not have to forward traffic out both interfaces. Only issue I need to figure out is how to make g0/0 the active and g1/0 the failover.

Once fedex drops off my modules, I can test.

Thanks again

Frank

Re: Security zone across two physical interfaces

Federico Coto Fajardo — Wed, 02 Jun 2010 18:03:26 GMT

Yes that's correct.

Both interfaces (gig0/0 and gig1/0) will be part of a logical interface.

This redundant logical interface will be the one passing traffic (using the physical gig0/0 as the primary interface and if it fails, using the gig1/0 interface or vice versa).

Federico.