ASA 5510 and Sub-Interfaces

jimmyc_2
Level 1

Can I have eight separate firewall zones on a 5510 with only 4 ports, and using a Cat 2960 switch?

I need to have inside, outside, DMZ-1, DMZ-2, DMZ-3, DMZ-4, DMZ-5 and DMZ-6.

Can each zone have its own security level and ACLs?

Many thanks.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Are you planning on just building a network where the ASA5510 is the gateway for all traffic and behind it you will only have a L2 switch network with Cisco 2960 switches?

If yes, then you can naturally create Vlans for each network segment and configure Trunk/Trunks between the ASA5510 and the closest L2 Switch.

Another possibility is to create a Port-channel (for DMZs) from 2 physical interfaces on the ASA and use the 2 remaining ones and Management for the other purposes. Though Port-channel requires at least software level 8.4(1), which in turn has the new NAT format, and if you have an old ASA5510 then you also might need a RAM upgrade on the ASA.

On the ASA side you will have a subinterface for each Vlan ID that you configured on the L2 switches and also their L3 gateway. You can have a separate ACL for each of the interfaces.

Also one thing to consider in this setup is the performance of the ASA5510. I think its mentioned Throughput is 300Mbps. So take that into account with your setup.

- Jouni

3 Replies

Hi Jouni,

I meant to say sub-interfaces, not virtual interfaces.

Fortunately, we do have the latest version. I'll look into the throughput issue.

It looks like the bottom line is that the ASA FW can have six zones with only four interfaces. Correct?

Can the IDS/IPS module examine all six, or is that limited somehow?

Thanks for the prompt response.

Hi,

Sadly I can't comment on the IDS/IPS module as I have never really used it (others in my company have handled that).

Here's a good reference for the ASA firewall models, both "old" and new.

ASA 5500 Series

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

ASA 5500-X Series

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf

Regarding the Zones/Security-levels/Subinterfaces

Basically the number of Subinterfaces you can create is only limited by the ASA license. If you look at the above ASA 5500 Series document you will notice that the basic 5510 model supports 50 Vlans and the ASA 5510 with Security Plus License supports 100 Vlans.

So in essence you could configure 50/100 Subinterfaces on the ASA depending on your license, but naturally at the same time you can see that performance would most likely become a problem. It would still be possible to configure 50/100 subinterfaces and ACLs to go with them. You could even use 1 single physical interface and bring all of the said Vlans through that same physical interface, BUT again this would be far from ideal, though still possible.

You can confirm your ASA licensing by using the command "show version". At the end of the list it should state either Base License or Security Plus (if I remember correctly).

Hopefully the above information was helpful.

- Jouni
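As an added worked example (not from this thread or from Cisco documentation), here is the design Jouni describes above: one 802.1Q trunk from a single ASA 5510 port to the 2960, one subinterface per VLAN, each with its own nameif, security level and inbound ACL. Interface names, VLAN IDs, addresses and ACL contents are assumptions; the ASA syntax assumes 8.4 or later, and the outside interface on a separate physical port is left out.

```cisco
! --- ASA 5510 side (assumes 8.4 or later syntax) ---
! Parent port carries the 802.1Q trunk; it gets no name, level or address.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN. VLAN IDs and addresses are invented for this example.
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/1.21
 vlan 21
 nameif dmz1
 security-level 50
 ip address 10.0.21.1 255.255.255.0
!
interface Ethernet0/1.22
 vlan 22
 nameif dmz2
 security-level 40
 ip address 10.0.22.1 255.255.255.0
!
! A separate ACL per zone, applied inbound on that zone's subinterface.
! Only the named server may initiate; everything else from DMZ-1 is logged and dropped.
access-list DMZ1_IN extended permit tcp host 10.0.21.10 any eq 443
access-list DMZ1_IN extended deny ip any any log
access-group DMZ1_IN in interface dmz1
!
! DMZ-2 may reach the Internet on HTTP but never the inside segment.
access-list DMZ2_IN extended deny ip any 10.0.10.0 255.255.255.0 log
access-list DMZ2_IN extended permit tcp 10.0.22.0 255.255.255.0 any eq 80
access-group DMZ2_IN in interface dmz2
!
! --- Catalyst 2960 side: port facing the ASA ---
interface GigabitEthernet0/1
 description Trunk to ASA5510 Ethernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,21,22
 switchport nonegotiate
!
! A DMZ-1 server port
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 21
```

Each subinterface counts against the VLAN limit of the license that `show version` reports. Once an inbound ACL is applied to a subinterface, that ACL (with its implicit deny), not the security level, decides what the zone may initiate.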
