Extranet PIX

gavin.mckee · ‎08-30-2006

I am thinking about updating our PIX 515 to a new ASA5510. We have two pix (failover pair) for our internet connection and two PIX (failover pair) for our extranet.

Take a look the attachment. Could I use another interface on the ASA to terminate the extranet traffic, thus only buy 2 ASA5510 instead of 4?

Thanks

Gavin

cpembleton · ‎08-30-2006

You could vlan the interfaces for the DMZ and extranet.

There is also an expansion card with 4 gig nics.

4GE-SSM

Thanks,

Chad

gavin.mckee · ‎08-30-2006

The ASA device that we are considering has 5 fast ethernet ports. 1 outside 1 inside 1 dmz 1 stateful failover (LAN Failover) and I am assuming that we can use the 5th for the extranet. Do you think this is a good option?

Gav

sundar.palaniappan · ‎08-30-2006

Gavin,

IMHO, it is a good security/network practice to have dedicated physical interfaces for various segments, if possible. This way the traffic from two different segments doesn't traverse the same trunk and any interface outage will affect only that particular segment rather than multiple segments.

Ofcourse, if you don't have enough physical int for all your needs then configuring VLAN interfaces is the way to go.

HTH,

Sundar

ajagadee · ‎08-30-2006

Gavin,

Yes, this should be possible.

Some of the things to be considered before this deployment are:

1. Firewall Throughput

2. Maximum Connections

3. Scalability

4. Port Density

5. Threat Mitigation

Try and collect statistics on the CPU, Bandwidth, Connections, PPS, etc as of today and then decide whether you are going to be OK going with same chassis or different chassis solution.

I hope it helps.

Regards,

Arul