08-03-2018 08:03 AM - edited 03-05-2019 10:49 AM
I have a simple network configuration ISP==>Router==>ASA==>L3 Core. I am trying to add another link from my router to my ASA for a DMZ and a secondary ISP. I do not want to add physical links as I would have to purchase another NIM for my router. In order to simply use the current physical topology, do I simply create sub-interfaces between my router and ASA? Example:
Router Gi0/0.10 ==ASA Gi1/1.10 vlan 10
Router Gi0/0.20 ==ASA Gi1/1.10 vlan 20
Router Gi0/0.30 ==ASA Gi1/1.10 vlan 30
Are there any downsides and/or security concerns to using sub-interfaces for this kind of topology? Also, is there any better way of handling this kind of topology without the need for additional physical ports?
08-03-2018 08:08 AM
For sure, VLANs and sub-interfaces are a good and flexible solution.
If your ASA supports contexts, you can consider using a virtual context for the new link. In this way you can have a virtual dedicated firewall.
About security, you can use ACLs on your sub-interfaces.
Regards.
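An added example (not from the thread) of what the reply describes: router dot1Q sub-interfaces matched by ASA sub-interfaces on the one physical link, with an interface ACL on the DMZ segment. All addresses, VLAN roles, nameifs, security levels and the 192.168.10.0/24 inside network are assumptions.

```cisco
! --- Router (IOS): one physical port, one dot1Q sub-interface per segment ---
interface GigabitEthernet0/0
 no ip address
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.0.1 255.255.255.252
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.252
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.30.0.1 255.255.255.252

! --- ASA: the physical interface carries no nameif, so only tagged
! --- frames that match a sub-interface VLAN are accepted
interface GigabitEthernet1/1
 no nameif
 no security-level
 no ip address
 no shutdown
interface GigabitEthernet1/1.10
 vlan 10
 nameif outside
 security-level 0
 ip address 10.10.0.2 255.255.255.252
interface GigabitEthernet1/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.20.0.2 255.255.255.252
interface GigabitEthernet1/1.30
 vlan 30
 nameif outside2
 security-level 0
 ip address 10.30.0.2 255.255.255.252

! ACL on the DMZ sub-interface: traffic arriving from the DMZ segment may
! not initiate sessions into the inside network (assumed 192.168.10.0/24)
! but may still leave towards the ISPs.
access-list DMZ_IN extended deny ip any 192.168.10.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

Keep every segment tagged (no `native` keyword on the router sub-interfaces) so untagged frames cannot land on a different segment than intended, and keep the ASA physical interface without a nameif so it passes nothing untagged.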
08-03-2018 03:29 PM
Thanks for the quick reply. Context would be overkill for what I'm trying to do. I think the sub-interface route is the way I'll go.