
Cisco ASA 5555-X with CloudStack

alsayegh
Level 1

Hello All,


My infrastructure is composed of 4 servers, KVM Switch, PDU, a Cisco Catalyst switch, and Cisco ASA 5555-X with FirePOWER firewall that is expanded with 6-port Ethernet adapter for a total of 14 Ethernet ports. I want to use this infrastructure to deploy small-scale CloudStack based cloud system as shown in the attached figure. Note that in this deployment, there is one public IP where the traffic is NAT forwarded to the management server and the rest is on local IP. Since my planned deployment is small, I would like to eliminate the switch altogether and use the firewall only. Aside from being not the best practice, would this be technically possible? i.e. to configure a firewall so that it can eliminate the need for a Layer-2 switch and operate my cloud using only the firewall?


Thank you.


3 Replies

Marvin Rhoads
Hall of Fame

No. The ASA 5555-X ports cannot act as switch ports, only as Layer 3 routed ports. That applies to both the built-in and expansion module ports.

Some of the newer models like the Firepower 1100 series or recently discontinued ASA 5506-X have the capability to configure ports as switch ports.

Thank you, Marvin, for answering my question. Does "L3 routed ports" mean that, from a networking point of view rather than from a security point of view, the ASA 5555-X behaves like a router or like an L3 switch?

Furthermore, the ASA 5555-X can be deployed in transparent mode as well as in routed mode. Cisco documentation states that in transparent mode, the device behaves as a Layer 2 firewall that acts like a “bump in the wire” or a “stealth firewall”. How do you explain that if the ports only act as Layer 3 routed ports?

Yes, if you change the overall firewall mode to transparent, the ports aren't routed. But then the firewall cannot act as a gateway as you show in your design. The same subnet needs to be on both inside and outside. You also still do not get switching between "inside" interfaces.
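As an added illustration of the two modes discussed in this thread (not configuration from the original post or from Cisco), the skeletons below show why each ASA port in routed mode is its own subnet, and why transparent mode puts inside and outside on one subnet without the ASA being the hosts' gateway. Interface names, addresses and the forwarded port are assumed.

```cisco
! --- Routed mode (the default): every ASA port is a Layer 3 interface ---
! Each port carries its own subnet and the ASA routes between them, so two
! servers that must share one broadcast domain cannot each use their own
! ASA port. Interface names and addresses are assumed for this example.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif mgmt
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif compute1
 security-level 100
 ip address 192.168.20.1 255.255.255.0
! The single public IP from the question, forwarded to the management
! server with a static NAT (TCP port 8080 is an assumed placeholder).
object network cs-mgmt
 host 192.168.10.10
 nat (mgmt,outside) static interface service tcp 8080 8080

! --- Transparent mode (an alternative, not applied together with the
! routed configuration above): interfaces become bridge-group members ---
! Inside and outside share one subnet; the ASA only holds a management
! address on the BVI and is not the default gateway for the hosts.
firewall transparent
interface BVI1
 ip address 192.168.10.2 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
```

In the transparent variant the hosts' default gateway is an upstream router reached through the outside interface, which is why it cannot fill the gateway role drawn in the design.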