CISCO ASA /PIX devices

Posted on 2009-07-08
Last Modified: 2012-05-07

This should be an easy question for firewall experts.

we have a 515e PIX that has 3 Physical interfaces (e0, e1 and e2). I assigned security levels to the interfaces. e0=0 e1=100 e2=10.

We are looking into replacing it with an ASA device.

(1) Which models would provide me with at least those 3 physical interfaces to configure those security zones?. . I get a little confused with some ASA models that come with switch ports integrated.

(2) You might also provide me with some basic "education"  about the physical and virtual interfaces on those devices.

Question by:JohnRamz
  • 5
  • 4
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24805213
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24805253
The ASA and PIX ports configurable to subinterfaces, this means:
You able to make dot1q trunk to the switch, but is less secure than you separate it physycally

Author Comment

ID: 24805767
So it  looks like 5510 and 5520 would provide me at least the same physical interfaces. Right?

Author Comment

ID: 24805916
Would the 5505 also provide me with at least 3 physical interfaces? I do not care much about the extra security features. I just need at least to be able to configure the 3 Security Zones.

LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24805948
yes, but if you want gigabitethernet buy 5520, if you want 5 fastethernet on 5510 buy ASA 5510 Firewall Edition Bundle
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.


Author Comment

ID: 24806004
What about 5505?

Author Comment

ID: 24810521
Anybody else out there that could tell me if the 5505 model would work to configure at least 3 physical interfaces with different security levels? Thanks
LVL 34

Accepted Solution

Istvan Kalmar earned 500 total points
ID: 24810809

If you buy 5505, you able to configure 3 security level, becouse it has restricted licence, it means the third zone only one direction can be make traffic!!!!

If you want all zone traffic you must buy ASA5505-SEC-BUN-K9

Cisco ASA 5505 Firewall Edition Unlimited-user Security Plus, 8-port Fast Ethernet switch, 25 IPsec VPN and 2 SSL VPN peers, DMZ, stateless Active/Standby
high availability, 3DES/AES

Expert Comment

ID: 24810852
Yes the ASA 5505 will work.  I would suggest buying the security plus add-on.

Here is some info from Cisco.

The Cisco ASA 5505 features a flexible 8-port 10/100 Fast Ethernet switch, whose ports can be dynamically grouped to create up to three separate VLANs for home, business, and Internet traffic for improved network segmentation and security.  

You could seperate the VLANs to be DMZ, LAN and Internet.

Continuing on:

As business needs grow, customers can install a Security Plus upgrade license, enabling the Cisco ASA 5505 to scale to support a higher connection capacity and up to 25 IPsec VPN users, add full DMZ support, and integrate into switched network environments through VLAN trunking support.

This just means you can actually extend the DMZ into you LAN by using Vlanning.  This will depend how your DMZ setup is at the moment and how many devices are connected?  Seperate switch, single device?

Basically with Vlanning you can have multiple virtual networks over a singal physical network.  

I hope this helps.

Author Closing Comment

ID: 31601167
Thanks for your help

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
OSPF metric and destination 2 37
using BGP Attributes 2 36
The purpose of using BGP 33 75
inserting an ACL line Cisco IOS XR Software, Version 5.3.3 2 20
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now