Solved: ASA Cluster on 5585 and DMZ

Maxim Zimovets · ‎05-20-2014

Hello everyone!

It's time for us to move from old well known PIX-525. Right now main their main duty is to firewall between several networks. It looks like we can take a pair of ASA-5585 and replace failover pair of PIXes.

I checked the documentation and it understood we could use Routed Firewall Mode with Equal-Cost Multi-Path Routing. But in the documentation we usually see only two segments - inside and outside (it's perfectly enough for DC). But in my case we have several DMZs on our PIX. Can we create DMZs in ASA cluster? Would it be supported configuration?

With best regards,

Maxim

Marvin Rhoads · ‎05-20-2014

ECMP on the ASA has some limitations, as do routing protocols in general. There is a tech note on ASA ECMP here and the routing protocol limitations are covered in the configuration guide.

The number of physical interfaces available on a 5585-X is up to 12 10/100/1000 Mbps and 8 10 Gbps physical interfaces, depending on the SSP type. The primary inside and outside interfaces plus the cluster control link(s) will use up some of those. You could use all of the rest for DMZs if your design needed that. you can further subdivide via subinterfaces (VLANs) - the ASA 5585 supports up to 250 of those.

View solution in original post

Marvin Rhoads · ‎05-20-2014

You're mixing terms a bit - ECMP is a concept applied to dynamic routing protocols and completely distinct from DMZs or security zones.

Any ASA configuration (including a cluster of 5585s) supports DMZs - as many as you have physical interfaces or logical subinertfaces available.

Maxim Zimovets · ‎05-20-2014

I don't mix terms. I just presented proposed configuration for my setup.

If you take a look into configuration guide You will probable see that in transparent mode ASA can only have only two segments - inside and outside. In the same documentation for ASA clustering all examples also have only two segments. I did not catch any restrictions why not to have DMZ. That was why I went to the support form and asked.

If You are sure, that with ASA cluster we can have as many DMZs as we need, that will very good.

Please, confirm it.

With best regards

Marvin Rhoads · ‎05-20-2014

ECMP on the ASA has some limitations, as do routing protocols in general. There is a tech note on ASA ECMP here and the routing protocol limitations are covered in the configuration guide.

The number of physical interfaces available on a 5585-X is up to 12 10/100/1000 Mbps and 8 10 Gbps physical interfaces, depending on the SSP type. The primary inside and outside interfaces plus the cluster control link(s) will use up some of those. You could use all of the rest for DMZs if your design needed that. you can further subdivide via subinterfaces (VLANs) - the ASA 5585 supports up to 250 of those.

subriyer · ‎06-04-2014

Maxim, there is no limitation of just inside and outside in a cluster environment. You can configure as many zones that you may need (for example, dmz, sales, engineering, production etc.) apart from inside and outside that is detailed in the topology.

The topology contained inside & outside to keep the diagram readable for the users.

Regards

Iyer