ASA 5510 - Need more Ethernet Interfaces, any modules?

higherhohigherho Member Posts: 882
Hi all,

So I've recently got a new ASA 5510 in the office (new firewall!!) I'm currently hardening it and configuring it. The previous SA (before he left for training) purchased this but I realized that it only has 4 Ethernet interfaces when our PIX firewall uses 6! Does Cisco provide a module to increase the amount of interfaces or am I screwed?

Comments

  • SettSett Member Posts: 187
    You can use sub-interfaces. Also you can use the management interface as fully operational FE interface.
    There is SSM-4GE module, which will give you +4 GE interfaces, but maybe you won't need it if you can go with the sub-interfaces.
    Non-native English speaker
  • higherhohigherho Member Posts: 882
    I was not aware of sub-interfaces. In our current setup we have 6 interfaces getting used for the following:

    Ethernet 0/0 - outside interface
    Ethernet 0/1 - inside interface (laptop domain / main domain)
    Ethernet 0/2 - test domain
    Ethernet 0/3 - another development domain
    Ethernet 0/4 - Load balancer within the one test domain to provide web traffic / to go to the internet
    Ethernet 0/5 - VPN

    I understand I can change the management interface to support another one of these. How would sub-interfaces work with this current setup? Management is willing to purchase more stuff! So I'm curious if I should get it just for future upgrades because they are talking about creating another domain here.
  • networker050184networker050184 Mod Posts: 11,962 Mod
    They work the same way as on a router doing router on a stick if you are familiar with that.
    An expert is a man who has made all the mistakes which can be made.
  • higherhohigherho Member Posts: 882
    networker050184 wrote: »
    They work the same way as on a router doing router on a stick if you are familiar with that.

    Ah! I am! I will try this option then (forgot you could do that, very helpful).

    I love tech refresh times! Submit as much as you can because you won't be able to get it later!
  • SettSett Member Posts: 187
    Well, this SSM-4GE module is quite pricey. It's like 2-3 times more than the 5510 itself :). Not to mention that it's overkill for the 5510 as its firewall throughput is less than the combined full line speed of the built-in interfaces...
    Non-native English speaker
  • higherhohigherho Member Posts: 882
    Everything is now configured on the new ASA :) Now just requesting some downtime over next weekend to test everything out. Seriously, the only pain in the butt is hardening the device. It's not difficult by any means, it just requires a good deal of time doing it correctly.
  • Danman32Danman32 Member Posts: 1,243
    You can definitely subinterface this. I work for an MSP (Managed Service Provider) where we provide hosting for some of our clients and even some of our own stuff at a datacenter. We really use only two physical interfaces: the outside for the internet, and the inside which is sub-interfaced for all the different VLANs for our different clients, our DMZ and our private servers.

    We probably use it too much like a router but then after all, we do have to segregate the individual client traffic.

    For traffic that's similar in nature, you may want to share an interface and sub-interface. Or, share an interface for lower volume traffic.

    ASAs are almost all we use for clients, at least when it is mainline Cisco.
  • higherhohigherho Member Posts: 882
    Danman32 wrote: »
    You can definitely subinterface this. I work for an MSP (Managed Service Provider) where we provide hosting for some of our clients and even some of our own stuff at a datacenter. We really use only two physical interfaces: the outside for the internet, and the inside which is sub-interfaced for all the different VLANs for our different clients, our DMZ and our private servers.

    We probably use it too much like a router but then after all, we do have to segregate the individual client traffic.

    For traffic that's similar in nature, you may want to share an interface and sub-interface. Or, share an interface for lower volume traffic.

    ASAs are almost all we use for clients, at least when it is mainline Cisco.

    Very cool! I did like this little project, made me redesign the little backend network we have for the development area. Simple two 48 port 3560G switches and two ASA 5510s (one acting as the VPN appliance). However, I still could not get downtime =/ we've been doing both the development migration and production at the same time and they won't let me take down the current firewall because they work on weekends.... I sent in a request a month in advance this time so I'm hopeful to get it in. Even though it should not take long (and working properly) should take only 10 minutes.

    I will say that configuring the NAT rules looks much different on the ASA than the PIX (in terms of how it looks through ASDM). I've tested it in the lab and I'm using OSPF as my routing protocol because I have 5 segregated domains.
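The sub-interface ("router on a stick") layout discussed in this thread, as an added example that is not from any poster: one ASA physical port trunked to a 3560G, with three of the internal domains as 802.1Q sub-interfaces. The VLAN IDs, interface names, security levels, addresses and the switch port number are all constructed assumptions.

```cisco
! ---- ASA 5510 (constructed values throughout) ----
! The physical port only carries the trunk. Leaving it without a nameif
! means untagged frames arriving on it are not passed by the firewall.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1.10
 description main / laptop domain
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.20
 description test domain
 vlan 20
 nameif test
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0/1.30
 description development domain
 vlan 30
 nameif dev
 security-level 40
 ip address 10.10.30.1 255.255.255.0
!
! Each domain has its own security level, so traffic from a lower level
! to a higher one (dev -> test, test -> inside) is denied unless an
! access-list on the lower-level interface explicitly permits it.
! Higher -> lower is allowed by default; add ACLs to restrict that too.
!
! ---- Catalyst 3560G port facing the ASA (assumed Gi0/1) ----
interface GigabitEthernet0/1
 description trunk to ASA Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Carry only the VLANs the firewall terminates.
 switchport trunk allowed vlan 10,20,30
 ! Static trunk: do not negotiate trunking with DTP.
 switchport nonegotiate
```

After applying, `show nameif` and `show interface ip brief` on the ASA confirm that each sub-interface has the intended name, security level and address.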