
When the ASA 5506-X appeared there was much grumbling, “This is not a replacement for the ASA 5505, I need to buy a switch as well!” and “I have six ports on the firewall I can’t use” etc. While I understand that, if truth be told the ASA 5505 was SUPPOSED to be used in SOHO environments, where an all-in-one device (with PoE) was a great fit. The problem was, people started throwing them in everywhere; I’ve seen them in large businesses, and in data centres. Because it’s easier to sell a firewall that costs less than 500 quid than it is to sell a firewall that fits the network requirements!

To ‘fix’ the problem would probably mean changing hardware, so Cisco gave us a BVI, Bridge Virtual Interface, instead (with version 9.7). Well, not strictly true, Cisco ASA has had BVI interfaces in ‘transparent mode‘ for some time. So on the ASA 5506-X with a default configuration, it ‘bridges’ interfaces Ge0/2 to Ge0/8 into one interface, which you can call the inside interface and give an IP address.

Oh Great! So Just Like an ASA5505 Then? Well no, sorry, I don’t like it, because it needs an access-group/ACL for each bridged interface, and a NAT statement for each bridged interface. Unless you have a very simple network, that can get very complicated, very quickly! Also note, the same holds true for remote management via SSH/ASDM etc.

Same-security-traffic permit inter-interface
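To make the per-bridged-interface overhead concrete, here is an added example of what the routed-mode BVI configuration looks like for two of the bridged member ports. This is a constructed illustration written for this page, not the 5506-X factory default and not the post author’s configuration; the interface numbering follows the post (Ge0/2 onwards), the `inside_1`/`inside_2` names, the `192.168.1.0/24` addressing and the `MGMT-NET` name are assumptions, and the same member-interface block repeats for every remaining bridged port.

```cisco
! Member ports: each one is placed in bridge-group 1 and still needs its own nameif
interface GigabitEthernet0/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet0/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
! ... repeat for the remaining bridged ports (Ge0/4 to Ge0/8 in the post)
!
! The BVI carries the single inside IP address for the whole bridge group
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Hosts on inside_1 must be able to reach hosts on inside_2 (same security level)
same-security-traffic permit inter-interface
!
! ACL: one access-list and one access-group per member interface, not per BVI.
! The permissive "permit ip any any" mirrors the default shape; tighten per policy.
access-list AF_inside_1 extended permit ip any any
access-group AF_inside_1 in interface inside_1
access-list AF_inside_2 extended permit ip any any
access-group AF_inside_2 in interface inside_2
!
! NAT: one object/NAT rule per member interface, because NAT is bound to the
! named member interface rather than to the BVI
object network obj_any_inside_1
 subnet 0.0.0.0 0.0.0.0
 nat (inside_1,outside) dynamic interface
object network obj_any_inside_2
 subnet 0.0.0.0 0.0.0.0
 nat (inside_2,outside) dynamic interface
!
! Management (SSH / ASDM over HTTPS) is likewise permitted per member interface.
! MGMT-NET here is a constructed 192.168.1.0/24 management range.
ssh 192.168.1.0 255.255.255.0 inside_1
ssh 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
```

Every policy element (ACL, access-group, NAT object, ssh/http line) is keyed on the member interface name, so a change to the inside policy has to be applied N times for N bridged ports, which is exactly the scaling problem the post describes; a single-port switch-facing interface on a 5505-style design needed each of those statements once.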
