Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1396
Views
10
Helpful
3
Replies

Cisco ASA 5555-X with CloudStack

Go to solution
alsayegh
Level 1
Level 1

‎06-03-2020 09:39 AM

Hello All,

 

My infrastructure is composed of 4 servers, KVM Switch, PDU, a Cisco Catalyst switch, and Cisco ASA 5555-X with FirePOWER firewall that is expanded with 6-port Ethernet adapter for a total of 14 Ethernet ports. I want to use this infrastructure to deploy small-scale CloudStack based cloud system as shown in the attached figure. Note that in this deployment, there is one public IP where the traffic is NAT forwarded to the management server and the rest is on local IP. Since my planned deployment is small, I would like to eliminate the switch altogether and use the firewall only. Aside from being not the best practice, would this be technically possible? i.e. to configure a firewall so that it can eliminate the need for a Layer-2 switch and operate my cloud using only the firewall?

 

Thank you.

Labels:
Preview file
50 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-04-2020 08:33 PM

No. the ASA 5555-X ports cannot act as switch ports - only as layer 3 routed ports. That applies to both the built-in and expansion module ports.

Some of the newer models like the Firepower 1100 series or recently discontinued ASA 5506-X have the capability to configure ports as switch ports.

View solution in original post

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to alsayegh

‎06-05-2020 05:34 AM

Yes if you change the overall firewall mode to transparent the ports aren't routed. But then the firewall cannot act as a gateway as you show in your design. The same subnet needs to be on both inside and outside. You also still do not get switching between "inside" interfaces.

View solution in original post

3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-04-2020 08:33 PM

No. the ASA 5555-X ports cannot act as switch ports - only as layer 3 routed ports. That applies to both the built-in and expansion module ports.

Some of the newer models like the Firepower 1100 series or recently discontinued ASA 5506-X have the capability to configure ports as switch ports.

Go to solution
alsayegh
Level 1
Level 1
In response to Marvin Rhoads

‎06-04-2020 11:07 PM

Thank you Marvin for answering my question. L3 routed ports means that, from a networking point of view rather than from security point of view, the ASA 5555-X behaves like a router or like an L3 switch?

Furthermore, the ASA 5555-X can be deployed in transparent mode as well as in routed mode. Cisco documentation states that in transparent mode, the device behaves as a Layer 2 firewall that acts like a “bump in the wire” or a “stealth firewall”. How do you explain that if the ports only act as Layer 3 routed ports?
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to alsayegh

‎06-05-2020 05:34 AM

Yes if you change the overall firewall mode to transparent the ports aren't routed. But then the firewall cannot act as a gateway as you show in your design. The same subnet needs to be on both inside and outside. You also still do not get switching between "inside" interfaces.

Customers Also Viewed These Support Documents