11-04-2007 12:36 AM - edited 03-09-2019 07:12 PM
Hi,
Need advice on the following scenario...
We have an ASA 5510 and need to have 6 DMZs.
With limited ports, how is it possible?
We don't want a DMZ to communicate with other DMZs.
Is a sub-interface the only solution??
11-04-2007 06:12 AM
I would say a sub-interface is the option you should use.
How many actual interfaces do you have?
11-04-2007 08:46 AM
As the previous poster indicated, create sub-interfaces. Your 5510 has 5 10/100 physical ports; one of those is a MGT port, so technically you have 4 FE ports. With the base license this model can support up to 50 virtual interfaces, with Security Plus up to 100 virtual interfaces. With just one FE port you could have your 6 DMZ networks by creating logical sub-interfaces off one FE port and assigning each a unique VLAN ID and security level. Look into the links below on 802.1q on the ASA, trunk the ASA FE port to the switch to pass all the DMZ VLANs to the switch, and create the 6 DMZ VLANs on the switch.
ASA 5500 Virtual interfaces
http://www.cisco.com/en/US/docs/security/asa/asa70/release/notes/asa_rn.html#wp208880
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intrface.html
5510 Model specs VLANs support
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
rate any helpful posts
HTH
Jorge
11-04-2007 08:43 PM
Thanks for the great information.
I will have
FE0/0 connected to outside
FE0/1 connected to inside
FE0/2 connected to Layer 2 switch
I will create VLANs on the firewall:
VLAN 1, VLAN 2, VLAN 3, VLAN 4, VLAN 5, VLAN 6.
Now I need to create subinterfaces on port FE0/2.
Q1> What is the command / config required on FE0/2 for a sub-interface?
Q2> I don't want each VLAN to communicate with each other, so what is required?
Q3> What config is required so that inside and outside can communicate with these DMZs?
11-05-2007 02:43 PM
Follow these; let's do this together, as I have to upgrade our 515Es next year with ASA5510 as well.
As soon as you configure a subinterface, 802.1q VLAN trunking is automatically enabled with no other commands required.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.pdf
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1049732
Make sure you have already created the VLANs on the switch and allocated a port for the trunk connection with the ASA FE0/2 port.
e.g.
switch(config)#interface fastethernet0/24
switch(config-if)#switchport trunk encapsulation dot1q
switch(config-if)#switchport mode trunk
e.g. using VLAN 2; repeat for 3, 4, 5, 6, 7.
Place a question mark for the sub-interface number:
asa(config)#interface ethernet0/2.?
or
asa(config)#interface ethernet0/2.2
asa(config-subif)#vlan 2
asa(config-subif)#nameif DMZ2
asa(config-subif)#ip address 2.2.2.1 255.255.255.0
asa(config-subif)#security-level XX
Let me know how it goes.
Rgds
Jorge
11-05-2007 10:19 PM
Assuming the attached diagram, where would the VLANs be created (L2 2960 switch or 4500 switch)?
How would I ensure that two VLANs don't communicate with each other?
Using sub-interfaces, will there be any performance issues?
What config is required if I want two VLANs to communicate with each other?
11-06-2007 04:00 AM
Amind, in your original post your requirements are to create 6 DMZ networks; if I understand correctly you have a DMZ switch based on your diagram topology and one inside 4500 switch. The DMZ is usually where you would want to create your DMZ networks for your external vendor connections, which will require access control list permissions to communicate with the inside network; if this is not correct please indicate otherwise.
Creating subinterfaces and indicating security levels in each will determine communication by way of access-lists between them.
Refer to enabling/disabling communications between interfaces; sub-interfaces are considered interfaces.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html
I have not read of performance issues when using subinterfaces and 802.1q.
11-07-2007 02:27 AM
Thanks for the great link.
If possible, can you send me a sample configuration of the sub-interface scenario?
11-07-2007 03:58 AM
This could be an example for four DMZ subnets on the ASA:
interface Ethernet0/2
 description physical port 802.1Q TRUNK to SWITCH
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/2.2
 vlan 102
 nameif DMZ2
 security-level 50
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/2.3
 vlan 103
 nameif DMZ3
 security-level 49
 ip address 3.3.3.1 255.255.255.0
!
interface Ethernet0/2.4
 vlan 104
 nameif DMZ4
 security-level 48
 ip address 4.4.4.1 255.255.255.0
!
interface Ethernet0/2.5
 vlan 105
 nameif DMZ5
 security-level 47
 ip address 5.5.5.1 255.255.255.0
!
etc..
////////////////////////////
General info on VLANs and trunking configuration
This could be an example for the switch config: create VLANs and allocate a port for the 802.1q trunk.
On the switch, configure something like this:
vlan database
vtp domain DMZ
vtp mode transparent
vlan 102 name DMZ2_2.2.2.0_subnet
vlan 103 name DMZ3_3.3.3.0_subnet
vlan 104 name DMZ4_4.4.4.0_subnet
vlan 105 name DMZ5_5.5.5.0_subnet
etc..
Allocate one port on the switch to connect the ASA FE0/2 interface and create the trunk,
e.g.
interface fastethernet0/24
 description Connection to ASA5510_FE0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 no shutdown
!
interface fastethernet0/1
 description DMZ2_VENDOR_A_SERVER_A
 switchport access vlan 102
 speed 100
 duplex full
 no ip address
 no shutdown
!
interface fastethernet0/2
 description DMZ3_VENDOR_B_SERVER_A
 switchport access vlan 103
 speed 100
 duplex full
 no ip address
 no shutdown
!
interface fastethernet0/3
 description DMZ4_VENDOR_C_SERVER_A
 switchport access vlan 104
 speed 100
 duplex full
 no ip address
 no shutdown
!
interface fastethernet0/4
 description DMZ5_VENDOR_D_SERVER_A
 switchport access vlan 105
 speed 100
 duplex full
 no ip address
 no shutdown
Rate any helpful post
HTH
Jorge
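As an added example (not from this thread and not Cisco's own tooling), the following Python script builds both halves of the configuration above from one list of DMZs, so the ASA sub-interfaces and the switch VLANs cannot drift apart, and checks the plan for duplicate VLAN IDs, duplicate nameifs and overlapping subnets before anything is pasted into a device. Assumptions: the sub-interface number is set equal to the VLAN ID, the ASA takes the first host address of each subnet, and the trunk is pruned to exactly the DMZ VLANs with `switchport trunk allowed vlan`; the four sample DMZs are constructed to mirror the post.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Dmz:
    name: str            # nameif on the ASA, also used in the switch VLAN name
    vlan: int            # 802.1Q VLAN ID carried on the trunk
    subnet: str          # e.g. "2.2.2.0/24"; the ASA takes the first host address
    security_level: int  # 0..100


# Constructed sample mirroring the four DMZs in the post (not a real deployment).
DMZS = [
    Dmz("DMZ2", 102, "2.2.2.0/24", 50),
    Dmz("DMZ3", 103, "3.3.3.0/24", 49),
    Dmz("DMZ4", 104, "4.4.4.0/24", 48),
    Dmz("DMZ5", 105, "5.5.5.0/24", 47),
]


def validate(dmzs):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, vlan_owner, names, nets = [], {}, set(), []
    for d in dmzs:
        if not 1 <= d.vlan <= 4094:
            problems.append(f"{d.name}: VLAN {d.vlan} outside 1-4094")
        if d.vlan in vlan_owner:
            problems.append(f"{d.name}: VLAN {d.vlan} already used by {vlan_owner[d.vlan]}")
        vlan_owner.setdefault(d.vlan, d.name)
        if d.name in names:
            problems.append(f"{d.name}: duplicate nameif")
        names.add(d.name)
        if not 0 <= d.security_level <= 100:
            problems.append(f"{d.name}: security-level {d.security_level} outside 0-100")
        try:
            net = ipaddress.ip_network(d.subnet, strict=True)
        except ValueError as exc:
            problems.append(f"{d.name}: bad subnet {d.subnet}: {exc}")
            continue
        # Two DMZs sharing address space would make the ASA's routing ambiguous.
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{d.name}: subnet {net} overlaps {other_name} ({other})")
        nets.append((d.name, net))
    return problems


def asa_config(dmzs, phys="Ethernet0/2"):
    """Render the physical trunk port plus one sub-interface per DMZ (sub-if number = VLAN ID)."""
    out = [f"interface {phys}", " description physical port 802.1Q TRUNK to SWITCH",
           " no nameif", " no security-level", " no ip address", " no shutdown", "!"]
    for d in dmzs:
        net = ipaddress.ip_network(d.subnet, strict=True)
        gateway = next(net.hosts())  # first usable address becomes the ASA's address
        out += [f"interface {phys}.{d.vlan}", f" vlan {d.vlan}", f" nameif {d.name}",
                f" security-level {d.security_level}",
                f" ip address {gateway} {net.netmask}", "!"]
    return "\n".join(out)


def switch_config(dmzs, trunk_port="FastEthernet0/24", asa_port="Ethernet0/2"):
    """Render the matching switch side: the VLANs and the trunk port to the ASA.

    The trunk is pruned to exactly the DMZ VLANs so no other VLAN (VLAN 1 included)
    reaches the firewall's trunk by accident.
    """
    out = ["vtp mode transparent", "!"]
    for d in dmzs:
        net = ipaddress.ip_network(d.subnet, strict=True)
        out += [f"vlan {d.vlan}", f" name {d.name}_{net.network_address}_subnet", "!"]
    allowed = ",".join(str(d.vlan) for d in dmzs)
    out += [f"interface {trunk_port}", f" description Connection to ASA5510 {asa_port}",
            " switchport trunk encapsulation dot1q", " switchport mode trunk",
            f" switchport trunk allowed vlan {allowed}", " no shutdown", "!"]
    return "\n".join(out)


if __name__ == "__main__":
    problems = validate(DMZS)
    if problems:
        raise SystemExit("\n".join(problems))
    print(asa_config(DMZS))
    print(switch_config(DMZS))
```

Run it as-is to print both configs; feed it a list with a repeated VLAN or an overlapping subnet and it refuses to render anything, which is the point of validating the plan in one place rather than on two devices.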
11-08-2007 04:02 AM
Thanks.
If I want VLAN 104 to communicate with VLAN 105, then is the only requirement to make both security levels the same?
I would make an access-list for inside and an access-list for outside; but how would the access-list be applied for each DMZ (do I need to have multiple access-lists or a single access-list)?
Is there a tool (simulator) to test the configuration without testing on the ASA box?
11-08-2007 04:29 PM
Amind, when VLAN 104 and VLAN 105 are assigned the same security level on their interfaces, beginning in code 7.2x you may apply "same-security-traffic permit inter-interface" only if you do not want to apply an access list between the two same-security interfaces, and they can communicate without any access lists. In other words, if VLAN 104 and VLAN 105 have security of 50 without using "same-security-traffic permit inter-interface" in global configuration mode, you are then instructing the firewall to have an access-list configured for communicating between the VLAN 104 and VLAN 105 subnets.
This comes from the latest Cisco Press ASA Security firewalling instructions.
On your question:
"I would make an access-list for inside; access-list for outside; but how could the access-list be applied for each DMZ (do I need to have multiple access-lists or a single access-list)?"
Create an access list from DMZ to outside following the same principle as in creating inbound or outbound access lists, and apply them to the interface, either DMZ1, DMZ2, or outside.
I would recommend you get the Cisco Press ASA/PIX/FWSM handbook, second edition, which will help you understand clearly; visit
I am not aware of good firewall simulators where you can simulate what you need; I have seen PIX software simulators, but they are introductory simulators.
If you have your firewall in production, I assume you have not yet worked with your DMZ subnets; if so, you can start working with creating the subnets and testing by using perhaps two laptops to test communications between different DMZ subnets. I will be more than happy to work with you on this.
Rgds
Jorge
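As an added example (not from the thread or from Cisco), the following Python model applies the ASA's default interface-to-interface rule to the plan discussed above, and it goes slightly beyond the thread by including the inside and outside interfaces alongside the four DMZs. The rule it encodes is the documented ASA default: a connection may be initiated from a higher security level to a lower one, not from lower to higher, same-level traffic is blocked unless `same-security-traffic permit inter-interface` is set, and once an inbound access-group is applied to the entry interface that ACL decides. One consequence worth seeing in code: giving each DMZ a distinct level does not isolate them, because the higher DMZ can still initiate to the lower one, so explicit deny entries are still needed for the original poster's goal. The security levels are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed interface plan: inside, outside and the four DMZ sub-interfaces
# from the thread, each DMZ on a distinct security level.
LEVELS = {"outside": 0, "inside": 100, "DMZ2": 50, "DMZ3": 49, "DMZ4": 48, "DMZ5": 47}


@dataclass
class AsaPolicy:
    levels: dict                              # nameif -> security-level (0..100)
    same_security_inter: bool = False         # "same-security-traffic permit inter-interface"
    acl_on: set = field(default_factory=set)  # nameifs with an inbound access-group applied

    def verdict(self, src, dst):
        """How the ASA treats a new connection entering on src and leaving on dst.

        Returns (code, reason) with code:
          PERMIT - allowed by the default security-level rule
          DENY   - blocked until the configuration changes
          ACL    - the inbound access-list on src decides (implicit deny at its end)
        """
        if src == dst:
            raise ValueError("intra-interface traffic is a separate setting")
        s, d = self.levels[src], self.levels[dst]
        if s == d and not self.same_security_inter:
            return ("DENY", "same level; 'same-security-traffic permit inter-interface' not enabled")
        if src in self.acl_on:
            return ("ACL", f"inbound access-group on {src} decides")
        if s > d:
            return ("PERMIT", f"{src} ({s}) is higher than {dst} ({d})")
        if s < d:
            return ("DENY", f"{src} ({s}) is lower than {dst} ({d}); needs an inbound access-list on {src}")
        return ("PERMIT", "same level and inter-interface traffic enabled")

    def matrix(self):
        """Verdict code for every ordered pair of distinct interfaces."""
        names = sorted(self.levels)
        return {(a, b): self.verdict(a, b)[0] for a in names for b in names if a != b}


def dmz_flows_open_by_default(policy, prefix="DMZ"):
    """Ordered DMZ pairs that can talk with no ACL at all: the flows that still
    need an explicit deny if the DMZs are meant to be isolated from each other."""
    return sorted((a, b) for (a, b), code in policy.matrix().items()
                  if a.startswith(prefix) and b.startswith(prefix) and code == "PERMIT")


if __name__ == "__main__":
    policy = AsaPolicy(levels=LEVELS)
    for (a, b), code in sorted(policy.matrix().items()):
        print(f"{a:>8} -> {b:<8} {code}")
    print("DMZ pairs open by default:", dmz_flows_open_by_default(policy))
```

Running it prints the full 6x6 verdict matrix; the last line lists the six DMZ-to-DMZ flows that are open purely because of the level ordering. Setting two DMZs to the same level flips their pair to DENY, and adding the interface name to `acl_on` shows the point at which the access-list, not the level, governs.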