Cisco ASA Setup Question

John Apricena
Level 4

Hello All,

We are thinking of introducing ASAs into our setup instead of using FWSM for our firewalls with our 6500. Currently we use multiple contexts with the FWSM, as we provide hosting services for multiple clients and want them behind their own firewall. My question is how can we make this happen with an ASA, since with the FWSM we use the backplane of the 6500 and SVIs for all interfaces between them. For example, if we have 20 clients, what will be the ideal setup for us to use with an ASA? If we can in fact use multiple contexts, how can we? Is there a way we can maybe bundle all the ports in the ASA into the 6500 as a layer two trunk port and continue to use SVIs to manage all the clients? All advice is greatly appreciated and thanks so much in advance!

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You can use the ASA for the same purpose as the current FWSM.

I have also migrated firewall environments from old FWSMs to new ASAs.

Multiple Context mode

  • You will naturally need an appropriate license to get the amount of Security Context you need for your purposes
  • ASA will by default be in "single" mode 
    • You will be able to convert the ASA to multiple context mode with the command "mode multiple"
  • When set to "mode multiple" you will need to reboot the ASA 
    • ASA will convert the current configuration to be the configuration of "context admin", which will serve the same purpose as the "context admin" in the FWSM

Connectivity to the Core

  • You can use multiple physical interfaces as Trunks between the ASA and the C6500 
    • You can for example have separate Trunks for the following purposes 
      • LAN Vlan IDs
      • WAN Vlan IDs
      • DMZ Vlan IDs
      • etc
  • You can use multiple physical interfaces as Port-Channel between the ASA and the C6500
    • You will need at least 8.4(1) software to be able to configure Port-channel on the ASA, as that is the software level the command was introduced
    • You can then bring each Vlan ID you need to the ASA through the Port-channel
    • Each Vlan ID/SVI on the C6500 will correspond to a Port-channelx.abcd sub-interface of the Port-channel, which will then be attached under the Security Context just like any other interface.
  • You can use combinations of the above

I suggest referring to the configuration guide for the software level you are getting for the ASA firewalls for specific information.

You can find them here

http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

If you have some specific question, please ask

Please rate if you have found the information to be helpful

- Jouni
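The procedure in the answer above (convert to multiple context mode, bundle ports into a Port-channel, one sub-interface per VLAN, allocate them to per-client contexts, keep the SVIs on the C6500), as an added worked configuration that is not part of the original post or of any Cisco document. Interface names, VLAN IDs, context names, config-url file names and addresses are assumptions chosen for illustration (addresses from the RFC 5737 documentation range and RFC 1918); adapt them to the real trunk.

```cisco
! ===== ASA, system execution space (assumed names/IDs, example only) =====
! 1. Convert to multiple context mode. The ASA reboots and the running
!    configuration becomes the "admin" context, as on the FWSM.
mode multiple

! 2. Bundle two physical ports into Port-channel1 (requires ASA 8.4(1)+).
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 description 802.1Q trunk to C6500 Port-channel1

! 3. One sub-interface per VLAN carried over the trunk. The "outside"
!    VLAN of each client has an SVI on the 6500; the "inside" VLAN does not.
interface Port-channel1.101
 description clientA outside (VLAN 101)
 vlan 101
interface Port-channel1.201
 description clientA inside (VLAN 201)
 vlan 201
interface Port-channel1.102
 description clientB outside (VLAN 102)
 vlan 102
interface Port-channel1.202
 description clientB inside (VLAN 202)
 vlan 202

! 4. Admin context: management interface only. Anyone who can log in here
!    can "changeto context" into every client, so restrict access to it.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg

! 5. One context per hosting client. The mapped names (outside/inside)
!    hide the physical sub-interface names from the client context.
context clientA
 description Hosting client A
 allocate-interface Port-channel1.101 outside
 allocate-interface Port-channel1.201 inside
 config-url disk0:/clientA.cfg
context clientB
 description Hosting client B
 allocate-interface Port-channel1.102 outside
 allocate-interface Port-channel1.202 inside
 config-url disk0:/clientB.cfg

! ===== Inside context clientA (disk0:/clientA.cfg) =====
! Interfaces are referenced by their mapped names, not Port-channel1.x.
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface inside
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! ===== C6500 side (IOS) =====
interface range GigabitEthernet1/1 - 2
 switchport
 channel-group 1 mode active
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102,201,202
 switchport mode trunk
! SVI only on the outside VLANs. The inside VLANs stay pure Layer 2 on
! the 6500, so the only path into a client's network is its ASA context.
interface Vlan101
 description clientA outside (faces ASA context clientA)
 ip address 203.0.113.1 255.255.255.0
ip route 10.1.0.0 255.255.255.0 203.0.113.10
```

Two points worth checking on a real deployment: prune the trunk's allowed VLAN list to exactly the VLANs the contexts use, and never create an SVI on a client's inside VLAN, because the 6500 would then route between that VLAN and everything else without passing through the firewall. If several contexts must share the same outside sub-interface instead of getting one VLAN each, enable `mac-address auto` in the system execution space so each context's interface gets a unique MAC address and the ASA classifier can deliver packets to the right context.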

3 Replies

Jouni Forss
VIP Alumni

For information about the different ASA models

  • Performance
  • Supported Vlan count
  • Supported Context count
  • Interface count and types

Check the following documents

ASA 5500 Series (Includes the 5585-X models too)

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

ASA 5500-X Series (Models that will replace the previous 5500 series)

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf

If I didn't miss something, it seems the datasheet for the newer models doesn't for some reason list the supported amount of Security Contexts.

Using the latest software version on the ASA will bring some new features available to be used in Multiple Context Mode, like L2L VPN under the Security Contexts, which wasn't previously possible. It also enables using Routing Protocols in Multiple Context Mode, etc.

- Jouni

John Apricena
Level 4

Jouni, as always, much thanks for your assistance!! I will use all the info you've provided in planning a migration over from our FWSMs to ASAs. Thanks again!
