Cisco Cisco Catalyst 6500 Series 7600 Series ASA Services Module Installation Guide

The ASASM does not include any external physical interfaces. Instead, it uses VLAN interfaces passed down from the supervisor. 
Perform the following steps at the switch CLI to pass down VLANs from the supervisor.

Assign up to 16 firewall VLAN groups to each ASASM. (You can create more than 16 VLAN groups in Cisco IOS software, 
but only 16 can be assigned per ASASM.) For example, you can assign all the VLANs to one group; or you can create an 
inside group and an outside group; or you can create a group for each customer.

There is no limit on the number of VLANs per group, but the ASASM can only use VLANs up to the ASASM system limit 
(see the ASASM licensing documentation for more information).

You cannot assign the same VLAN to multiple firewall groups.

You can assign a single firewall group to multiple ASASMs. VLANs that you want to assign to multiple ASASMs, for 
example, can reside in a separate group from VLANs that are unique to each ASASM.

See also 

At the switch CLI, assign VLANs to a firewall group:

 

Example:

Router(config)# firewall vlan-group 50 55-57

Router(config)# firewall vlan-group 51 58-63

Router(config)# firewall vlan-group 52 64,66-74

Assign the firewall groups to the ASASM:

[switch {1 |2}] module module_number vlan-group firewall_group_num

Example:

Router(config)# firewall module 5 vlan-group 50,52

Router(config)# firewall module 8 vlan-group 51,52

For a switch in a VSS, enter the switch argument.

The following example shows how to configure private VLANs on the switch by assigning the primary VLAN to the ASASM:

At the switch CLI, add the primary VLAN 200 to a firewall VLAN group, and assign the group to the ASASM:

Designate VLAN 200 as the primary VLAN:

Designate only one secondary isolated VLAN. Designate one or more secondary community VLANs.