Cisco ASA Series Cli Configuration Manual page 87

Chapter 1 Introduction to the Cisco ASA
The switch includes a switching processor (the supervisor) and a router (the MSFC). Although you need
the MSFC as part of your system, you do not have to use it. If you choose to do so, you can assign one
or more VLAN interfaces to the MSFC. You can alternatively use external routers instead of the MSFC.
In single context mode, you can place the router in front of the firewall or behind the firewall (see
Figure
The location of the router depends entirely on the VLANs that you assign to it. For example, the router
is behind the firewall in the example shown on the left side of
VLAN 201 to the inside interface of the ASASM. The router is in front of the firewall in the example
shown on the right side of
ASASM.
In the left-hand example, the MSFC or router routes between VLANs 201, 301, 302, and 303, and no
inside traffic goes through the ASASM unless it is destined for the Internet. In the right-hand example,
the ASASM processes and protects all traffic between the inside VLANs 201, 202, and 203.
Figure 1-1
MSFC/Router Behind the ASASM
Inside
1-1).
Figure 1-1
MSFC/Router Placement
Internet
Router
VLAN 200
ASASM
VLAN 201
MSFC/Router
VLAN 301 VLAN 303
VLAN 302
DMZ
How the ASA Services Module Works with the Switch
because you assigned VLAN 200 to the outside interface of the
MSFC/Router In Front of the ASASM
VLAN 201
HR
Inside
Cisco ASA Series CLI Configuration Guide
Figure 1-1 because you assigned
Internet
VLAN 100
MSFC/Router
VLAN 200
ASASM
VLAN 203
HR
VLAN 202
DMZ
1-25