06-09-2007 08:00 AM - edited 03-11-2019 03:27 AM
I am very familiar with the PIX, but new to ASA5500's.
I have a company that is looking to have a DMZ with mail, and web servers. The connection to the Net is a T1.
In the PIX days, I had no choice but to use a 515 with a DMZ.
My understanding now is that I can have this on an ASA5505 with the Security Plus option to get a DMZ.
Question:
1. Is this the right assumption that I can get an ASA5505 with Security Plus for a full DMZ?
2. How many DMZ interfaces? I really only need one, and I'll put a switch behind it.
3. Does the ASA5505 allow VPN tunnels to be established to it, and also allow Internet access through the same interface? I know in the PIX, that was not allowed.
Thanks!
06-09-2007 05:02 PM
Well, I know that Security Plus allows you to have a DMZ, but I'm not 100% sure that you can have multiple DMZs.
I have an ASA5505-50-BUN-K9 running with 3 VPN tunnels; all my users can use the internet at the same time with no problem.
06-10-2007 05:13 AM
Hi -
Let me try to help.
Q1 - Yes
Q2 - The Security Plus license provides 20 VLAN interfaces. If you use 1 for outside and 1 for inside, that leaves you 18 to do what you'd like with. Obviously, you would need to trunk to a switch to use more VLANs than the included 8 interfaces.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Q3 - Yes, and so does the PIX. Both the ASA and the PIX need "same security level traffic" enabled. The ASA/PIX code denies traffic between the same security level by default, which is the case when VPN users attempt to hairpin and go back to the internet through the same interface they terminate on.
Let us know if you have follow up questions.
thxs
peter
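To make the two answers above concrete, here is an ASA 5505 configuration fragment that puts the three pieces together: a third VLAN interface used as the DMZ, a publicly reachable mail server on that DMZ, and the same-security-traffic setting that lets VPN users hairpin back out the outside interface. This is an added example written for this thread, not configuration posted by any of the participants or taken from Cisco documentation. The VLAN numbers, interface names, addresses and access-list names are assumptions; the NAT and access-list syntax is the pre-8.3 form that was current for the 7.x/8.0 releases in use when the thread was written.

```cisco
! ASA 5505 with Security Plus license -- added example, not from the thread.
! All VLAN numbers, names and addresses below are assumed values.

! Inside network (security-level 100 = most trusted)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Outside / T1 side (security-level 0 = least trusted)
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! DMZ for the mail and web servers. With Security Plus this third VLAN is a
! full interface, so an intermediate security level is used so that inside
! can reach the DMZ but the DMZ cannot initiate traffic to inside.
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Put one of the built-in switch ports into the DMZ VLAN; the DMZ switch
! the original poster mentioned plugs into this port.
interface Ethernet0/2
 switchport access vlan 3
!
! Static one-to-one translation so the outside world reaches the DMZ mail
! server at a public address (assumed addresses).
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
!
! Only SMTP is opened toward the mail server; everything else from outside
! to the DMZ stays blocked by the implicit deny at the end of the list.
access-list outside_in extended permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
!
! The setting peter refers to in Q3: without it the ASA drops traffic that
! arrives on "outside" (from a VPN client) and needs to leave via "outside"
! again (to the internet), because both legs are on the same security level.
same-security-traffic permit intra-interface
```

A few practical notes: `same-security-traffic permit intra-interface` only removes the same-interface drop; for remote-access clients to actually reach the internet through the tunnel you also need a NAT rule covering the VPN address pool as it exits the outside interface, and a split-tunnel policy that sends internet traffic into the tunnel. Keep the DMZ access list as narrow as the example shows (one protocol per published server) and add a separate `permit tcp any host <web-server-public-ip> eq www` line for the web server rather than opening the whole DMZ subnet. After applying the configuration, `show nameif` confirms the three named interfaces, and `show access-list outside_in` shows hit counts, which is the quickest way to verify that only the intended ports are being reached from outside.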