Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1250
Views
10
Helpful
6
Replies

ASA 5505 - how many subnets

Go to solution
ph0enix
Level 1
Level 1

‎06-29-2009 06:15 PM - edited ‎03-11-2019 08:49 AM

Hi,

I have a multi-homed network (5 subnets). Can I use an ASA-5505 to protect them? I know it has 8 FE ports but can all of them be configured with different security levels?

Thanks!

J.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
branfarm1
Level 4
Level 4
In response to ph0enix

‎07-01-2009 04:23 AM

Ok -- let me see if I understand it better:

You have a linux box that is acting as the gateway for 5 different subnets, coming in from 4 seperate links from a pair of switches. You want to replace the linux box with the 5505.

The 5505 can definitely handle 5 subnets, and you will have the option of putting each subnet into the ASA on multiple links, or bringing them in on one link via an 802.1q trunk. Either way, you will have to define the 5 VLAN's and 5 VLAN interfaces on your 5505 and have your hosts point to those interfaces for the gateway. The 5505 (or any other model) will not support configuring multiple IP's on one interface, so you will have to have a seperate VLAN interface/VLAN for each address range.

How many total hosts do you have in this setup? How do you connect up to the internet with your two /24 ranges? If you plan on having a larger number of hosts, I would definitely consider putting in a L3 switch to handle all your routing, and keeping the 5505 to handle the firewalling.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
branfarm1
Level 4
Level 4

‎06-29-2009 07:02 PM

Hi J,

With the 5505 Base license you can only have 3 VLAN's configured. With the Security Plus license you can have up to 20.

Sounds like you will need the Security Plus license for your 5505 if you want to protect 5 VLANs.

See here for more details: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

--Brandon

Go to solution
ph0enix
Level 1
Level 1
In response to branfarm1

‎06-30-2009 07:52 AM

Thanks Brandon!

I have the Security Plus bundle and I'm licensed for 20 VLANS.

I have another question though. I have two subnets running over the same physical ethernet. They're mixed together - just using different router addresses. Can the ASA accomodate this? I'm currently using a Linux firewall that has the second subnet's address (gateway) aliased on a virtual interface.

Thank you!

J.

0 Helpful

Go to solution
branfarm1
Level 4
Level 4
In response to ph0enix

‎06-30-2009 11:21 AM

J,

If my understanding of your second question is correct, you have one physical link between your ASA and your linux box acting as a gateway for both VLANs. Typically you would put the gateway addresses on the 5505 VLAN interfaces, and assign the switch ports to the correct VLAN. If you want two subnets worth of traffic to go to the linux box you will have to configure NAT'ing so that one of your VLAN is NAT'd onto the physical link in the correct address space. The physical link would also be NAT'ing but would only have one an address on one of the subnets.

Hope that makes sense...

Go to solution
ph0enix
Level 1
Level 1
In response to branfarm1

‎06-30-2009 11:47 AM

Brandon,

I don't think I was clear enough in my previous post. Let me try explaining again.

I'm not using NAT. I have two 24 bit subnets with public IP addresses. For the sake of this conversation, let's assume that the subnets are:

64.233.169.0/24

17.112.152.0/24

The internal traffic to/from both of the subnets is flowing through the same set of switches linked together. The Linux system is a router/gateway/firewall for 3 other subnets as well as the two I'm describing (it has 4 NICs). One of the NICs has these two IP addresses configured on it:

64.233.169.1

17.112.152.1

They serve as respective default routers for each of the subnets mentioned above. I'm looking to replace the Linux machine with the ASA 5505. Can it accommodate my configuration?

Thanks again for your help!

J.

0 Helpful

Go to solution
branfarm1
Level 4
Level 4
In response to ph0enix

‎07-01-2009 04:23 AM

Ok -- let me see if I understand it better:

You have a linux box that is acting as the gateway for 5 different subnets, coming in from 4 seperate links from a pair of switches. You want to replace the linux box with the 5505.

The 5505 can definitely handle 5 subnets, and you will have the option of putting each subnet into the ASA on multiple links, or bringing them in on one link via an 802.1q trunk. Either way, you will have to define the 5 VLAN's and 5 VLAN interfaces on your 5505 and have your hosts point to those interfaces for the gateway. The 5505 (or any other model) will not support configuring multiple IP's on one interface, so you will have to have a seperate VLAN interface/VLAN for each address range.

How many total hosts do you have in this setup? How do you connect up to the internet with your two /24 ranges? If you plan on having a larger number of hosts, I would definitely consider putting in a L3 switch to handle all your routing, and keeping the 5505 to handle the firewalling.

0 Helpful

Go to solution
ph0enix
Level 1
Level 1
In response to branfarm1

‎07-08-2009 11:51 AM

Brandon,

Thanks again for the help. I've got about 200 hosts total.

J.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card