
Upgrade from 5505 to 5516x

Kindly please help me here.

We are upgrading our EOL firewall 5505 to a 5516x. As we know, the 5505 comes with built-in switching functionality. Now we are thinking of bringing in the new 5516x and pasting the config from the 5505 to the 5516. Kindly please advise whether this is possible or whether we have to introduce a layer 2 switch. We are not going to use a fancy feature, Sourcefire, at the moment.

We have only inside and outside zones.

Kindly please advise on this.

Please do not forget to rate.

Aditya Ganjoo
Cisco Employee

Hi,

Yes you can introduce a L2 switch and create sub interfaces on the new ASA to allow traffic for a particular VLAN.

I do not think it should be a problem.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Marvin Rhoads
Hall of Fame

There is no switchport function on the 5516-X so you would have to introduce a layer 2 switch to get that feature.

The feature is missing even on the 5506-X which is closest in form factor to the 5505. Many customers have been asking for that to be changed though so we are hopeful that the near future will bring that feature forward to the new platform.

My advice would be to wait a couple of months if you have not already bought the replacement ASA. If you already have the 5516-X then you do need to add a layer 2 switch.

Thank you for your reply. I would appreciate it if you could shed some more light on this scenario.

The core switch, a 6500, has two VLANs, VLAN x and VLAN y, connected to the 5505 as inside (VLAN x) and outside (VLAN y).

Basically, within the inside network we created another inside and outside. Now the requirement is that we have to transfer a 20 TB file (from VLAN y to VLAN x) from outside to the inside network, as the network is classified as inside and outside with the aging old 5505 firewall. Of course, the 5505 cannot give us one gig of throughput, so we thought to bring in the 5516 to transfer the file and keep this new 5516 to replace the old 5505 firewall for good.

Do you think there is a better solution than the above? There was another idea to do NAT on the 6500, but we do not want to go this route, as if something goes wrong it will be even worse.

What other options do we have, then?

Please do not forget to rate.

If I understand correctly, both the source and destination subnets are associated with existing VLANs in your core switch.

Is there a policy that prohibits them from communicating directly?

If there is not, why do you need a firewall at all?

If there is, what does the policy require? (or better yet, what policy is enforced by the 5505?)

Marvin, it is a legacy setup.

- On the core, VLAN 407 goes to the 5505 inside.

VLAN 407 is a server VLAN; the SVI can be seen from the core CLI.

- Whereas core VLAN 680 goes to the 5505 outside.

On the core, VLAN 680 only shows in the VLAN database (with the command show vlan); no SVI.

No policy on the core.

The outside subnet needs to connect to the outside firewall IP address, doing static NAT to connect to the inside storage to transfer the data.

Please do not forget to rate.
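
The sub-interface approach suggested in the first reply, sketched as an added ASA configuration example that is not from any of the posters or from Cisco. VLAN IDs 407 and 680 are the ones named in the thread; the physical interface name, every address (RFC 5737 documentation ranges), the object and ACL names, and the permitted port are placeholder assumptions.

```cisco
! Physical port trunked to the layer 2 switch; it carries no nameif itself.
interface GigabitEthernet1/1
 no shutdown
!
! Inside sub-interface on the server VLAN (407).
interface GigabitEthernet1/1.407
 vlan 407
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! Outside sub-interface on VLAN 680.
interface GigabitEthernet1/1.680
 vlan 680
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
!
! Static NAT: the inside storage host is reachable at an outside address.
! Both addresses are placeholders.
object network STORAGE
 host 192.0.2.10
 nat (inside,outside) static 198.51.100.10
!
! Permit only the outside subnet to reach the storage host, on one port.
! tcp/22 is an assumed transfer protocol; the thread does not name one.
! With object NAT the ACL references the real (inside) address.
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 object STORAGE eq 22
access-group OUTSIDE_IN in interface outside
```

The switch port facing GigabitEthernet1/1 must be an 802.1Q trunk allowing VLANs 407 and 680. With both zones sharing one physical link, transfer traffic crosses that link twice, so using two separate ASA ports as plain routed interfaces is the alternative when throughput is the goal.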