Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
305
Views
0
Helpful
1
Replies

Adding a new Vlan to existing DMZ interface on ASA 5520

johnvojtech
Level 1
Level 1

‎10-01-2014 12:04 PM - edited ‎03-11-2019 09:51 PM

I have a pair of ASA 5520's in active/standby with a leg off the firewall being used for the DMZ servers.  The interface has an IP address on it.  Now I need to add a second vlan off this interface.  I realize that I will have to pull off the Ip address off the interface and then create 2 sub-interfaces.  But any one know what other changes will I have to make?  Will I recreate all the access-lists or will they work if the nameif is recreated?

I am trying to figure out how much time I need to tell people for downtime.

 

I was going to shut down the standby firewall and I screw something up majorly, use that one to go back to a working state.  

 

 

As a side note, is there anywhere I can test my configs before applying them?  I have heard of GNS3, is there something similar online?

 

Thanks

Labels:
0 Helpful
1 Reply 1

Marius Gunnerud
VIP
VIP

‎10-02-2014 01:55 AM

But any one know what other changes will I have to make?  

With regards to setting up the interfaces no other changes need to be made.  Just add the security level, name, IP and no shut and you are good to go.

Will I recreate all the access-lists or will they work if the nameif is recreated?

Depending on how the ACLs are set up, I would assume you will not have to recreate these (unless they reference the interface you are pulling down.

You will need to recreate all commands that reference the interface you are pulling down. So, lets take the ACL for example. The access-group command will need to be reappled as it references the ingress interface (lets call the interface inside).  So if you have an ACL assigned to the inside interface you will need to reassign it to that interface after you have recreated it as a sub interface

you will also need to recreate all NAT statements that reference the interface you are pulling down.

So, I suggest you go through your configuration file and take note of all the commands that reference the interface.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card