PIX to ASA 9.1

I am about to deploy a new ASA into a network. We will be replacing a rather old PIX as a result.

We will be leaving the PIX in place for a time period as a precautionary backup.  If the ASA doesn't work (It will be configured the almost the same as the PIX), can I plug the PIX back into the network as an added measure of precaution?

i'm worried that the switches will see the PIX's IP address however the MAC address will be different.  Will this matter?
beckredderAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DarinTCHSenior CyberSecurity EngineerCommented:
not the best scenario
like a car with 2 steering wheels

there are a few vendors boxes designed to work in harmony with another device like the paloAlto firewalls which
work in a VWire mode - kinda inline if you will
they use this for POC - Proof of concept and then a staged migration

but PIX and ASA i wouldn't
besides you PIX is rather old - ASA has been out for a long while - and should accomplish everything
the PIX does and much more

now that doesn't mean it worthless - maybe could be used in other scenario / location
but running both in a pseudo concurrent situation is asking for extra trouble
0
beckredderAuthor Commented:
Thanks very much for the feedback.
0
beckredderAuthor Commented:
Darin, another question in regards to this scenario.

We need to setup 4 vlans in the network, is it advisable to do this at the router or will I have to do it at each switch.

regards,
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

beckredderAuthor Commented:
or both switch and router...
0
DarinTCHSenior CyberSecurity EngineerCommented:
depends on which layer u want to communicate layer 2 or layer 3
L2 would be MAC addresses and @ switch
most folks are more comfortable with IP addresses
so L3 is IP @ router

still need to tuen vlan tagging on @ switch if you plan on having all 4 vlans in each switch
802.1q tagging ....will assist with traffic processing throughout the vlans
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
beckredderAuthor Commented:
Darin, I will be attaching two Cisco 3850s to the ASA 5545 Firewall device.  I would like to add some measure of failover for the 3850's.  Should this stack be redundant? Or should the ports (24*2) be shared?

If I do connect the switch to the two redundant links (1 to each), can we be assured that there are no loops?
0
beckredderAuthor Commented:
Thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.