
Cisco ASA 5506: Configuring the Interfaces to Replace the ASA 5505

November 9, 2017 | September 16th, 2020 | Blog, Cisco, New Product Releases & Upgrades, Security

Cisco has positioned the 5506x to replace its long-time small office firewall, the 5505. The issue with the Cisco ASA 5506 is that it has separate ports that cannot be turned into switch ports. This means you can only set up one interface per network. This has upset many 5505 administrators; now they need at least two devices, a firewall and a switch, to replace the one firewall.

Getting Around the Problem

I have found one way to allow the use of multiple interfaces to the same network using EtherChannels.  I will make the assumption that most people will want to do this for the inside interface.

Step 1) Clear the current inside interface (no nameif inside).

interface GigabitEthernet1/2
 no nameif inside

Step 2) Create a port channel:

interface Port-channel1
 lacp max-bundle 8
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!

Step 3) Add the interfaces that you want to share in the inside network to the channel group.  Note I had to use mode on; all the other modes would not come up for a workstation connected into the firewall.

interface GigabitEthernet1/2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!

Now you can have up to seven (7) interfaces into the same network and still leave one for the outside connection.  I hope this helps anyone trying to use a Cisco ASA 5506x in place of the 5505.

Jason Howe, PEI
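
One way to check a saved or staged configuration against the layout in Steps 1 to 3, as an added example that is not part of the original post or any Cisco tool. The helper names parse_interfaces and audit and the sample configuration are constructed for illustration; the code only reads configuration text and does not connect to a device.

```python
import re
# Constructed sample, not from the post: Gi1/3 and Port-channel1 are wrong on purpose.
SAMPLE = """\
interface GigabitEthernet1/1
 nameif outside
!
interface GigabitEthernet1/2
 channel-group 1 mode on
!
interface GigabitEthernet1/3
 channel-group 1 mode active
 nameif inside
!
interface Port-channel1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
"""
MEMBER = re.compile(r"channel-group (\d+) mode (\S+)")
L3_KEYS = ("nameif ", "security-level ", "ip address ")  # belong on the Port-channel only

def parse_interfaces(config):
    """Return {interface name: [sub-commands]}; blank lines skipped, '!' closes a block."""
    blocks, current = {}, None
    for line in filter(None, map(str.strip, config.splitlines())):
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            current = None
        elif current is not None:
            current.append(line)
    return blocks

def audit(config):
    """Hypothetical helper: list deviations from the post's Step 1-3 layout."""
    blocks, findings, groups, named_free = parse_interfaces(config), [], set(), 0
    for name, cmds in blocks.items():
        hit = next(filter(None, map(MEMBER.fullmatch, cmds)), None)
        if hit is None:  # not a member: count physical ports that keep their own nameif
            named_free += not name.startswith("Port-channel") and any(c.startswith("nameif ") for c in cmds)
            continue
        groups.add(hit.group(1))
        findings += [f"{name}: mode {hit.group(2)}, the post uses mode on"] if hit.group(2) != "on" else []
        findings += [f"{name}: member still has '{c}'" for c in cmds if c.startswith(L3_KEYS)]
    for group in sorted(groups):
        pc = blocks.get(f"Port-channel{group}", [])
        findings += [f"Port-channel{group}: missing {k.strip()}" for k in L3_KEYS if not any(c.startswith(k) for c in pc)]
    if not named_free:
        findings.append("no named physical interface left for the outside connection")
    return findings
```

Calling audit(SAMPLE) reports the member that kept its nameif and non-"on" mode, plus the missing security-level on Port-channel1; a configuration laid out as in the post returns an empty list.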
