My manager told me that we can have up to 16 DMZs on our ASA 5540 and he would like to have a 2nd DMZ configured. What is meant by 16 DMZs? Also, how do I configure the management interface for a 2nd DMZ? Many thanks in advance.
If you look at the ASA 5540 specifications, it can support up to 200 VLANs; these could be 200 DMZs. How this is done all depends on how you want to spread your DMZs across the integrated Ethernet ports. The management interface is for management; many folks out there have used the ASA management interface as a routed interface. If you would want to create a DMZ off the management interface, it is also possible, but you will need to configure it as an 802.1q trunk port to split the interface into two logical interfaces.
For the 16 DMZs you will also have to use trunking and allocate a FE or fiber port on the ASA for trunking to the switch.
Let's assume for the sake of example that you want to configure four out of the 16 DMZs and that you have already allocated a switch for your DMZ subnets where your DMZ hosts will be connected.
You will need to create 16 VLANs and the corresponding switchport VLAN numbers on the switch.
To summarize, here are some steps on how it could be done using only one GigabitEthernet port off the ASA 5540 firewall for all the DMZs; you could use either the copper port or the fiber port, as the 5540 does have SFP capabilities.
1- Create your 16 VLANs in an allocated DMZ switch.
2- Allocate an RJ-45 gigabit-capable Ethernet port or SFP on the switch and configure it with 802.1q trunking to an allocated GigabitEthernet port on the ASA.
3- Create subinterfaces on the ASA and define the IP scheme for each of the 16 subinterfaces.
4- Define the security level requirements for each of the subinterfaces. You could use the same security level on each subinterface, and if you do not want communication between them but use ACLs to allow communication between subinterfaces, you can use the "no same-security-traffic permit inter-interface" command.
5- For internet access you could use your outside interface to PAT inside nets for outbound internet connections for your
Assume you have four networks, 126.96.36.199, 188.8.131.52, 184.108.40.206 and 220.127.116.11, for the four DMZs:
! ASA: physical port carries the 802.1q trunk and gets no address itself
! (use "media-type rj45" instead of sfp if using the firewall copper port)
interface gigabitethernet 1/port
 media-type sfp
 no ip address
! ASA: one subinterface per DMZ; the vlan tag must match the switch VLAN number
interface gigabitethernet 1/port.2
 vlan 2
 nameif DMZ2
 security-level 50
 ip address 126.96.36.199 255.255.255.0
interface gigabitethernet 1/port.3
 vlan 3
 nameif DMZ3
 security-level 50
 ip address 188.8.131.52 255.255.255.0
interface gigabitethernet 1/port.4
 vlan 4
 nameif DMZ4
 security-level 50
 ip address 184.108.40.206 255.255.255.0
interface gigabitethernet 1/port.5
 vlan 5
 nameif DMZ5
 security-level 50
 ip address 220.127.116.11 255.255.255.0
! ASA: PAT every DMZ behind the outside interface address for outbound traffic
global (outside) 1 interface
nat (DMZ2) 1 126.96.36.199 255.255.255.0
nat (DMZ3) 1 188.8.131.52 255.255.255.0
nat (DMZ4) 1 184.108.40.206 255.255.255.0
nat (DMZ5) 1 220.127.116.11 255.255.255.0
! Switch: VLANs, the dot1q trunk towards the ASA, and access ports for DMZ hosts
vtp domain test_lab
vtp password cisco
vlan 2
 name DMZ2_126.96.36.199/24
vlan 3
 name DMZ3_188.8.131.52/24
vlan 4
 name DMZ4_184.108.40.206/24
vlan 5
 name DMZ5_220.127.116.11/25
interface <trunk port to ASA>
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3,4,5
interface <host port in DMZ2>
 switchport access vlan 2
interface <host port in DMZ3>
 switchport access vlan 3
Refer to this link on how to use subinterfaces.
Refer to this link for the ASA 5540 specifications.
If you have any other questions please let us know.
Rate any post that is helpful to you.
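An added worked example (mine, not part of the answer above and not Cisco's code): a small Python script that writes out the ASA 5540 side (trunk port, one subinterface per DMZ, PAT, a per-DMZ inbound ACL) and the switch side (VLANs, dot1q trunk) for all 16 DMZs at once, so the four-DMZ snippet above generalizes without hand-editing, and sanity-checks the plan before anything is pasted in. The interface names (GigabitEthernet0/1 on the ASA, GigabitEthernet0/24 on the switch), VLANs 2-17, security level 50 and the 10.10.0.0/16 addressing are constructed assumptions for this example, not values from the thread.

```python
"""Generate ASA 5540 + switch configuration for N DMZs on one 802.1q trunk.
Added example; interface names, VLAN range and addresses are constructed."""
from ipaddress import IPv4Network


def dmz_plan(count, first_vlan=2, base="10.10.0.0/16", security_level=50):
    """One record per DMZ: VLAN id, ASA nameif, /24 subnet and the ASA's own address.
    The VLAN id is reused as the third octet (constructed scheme) so an ACL hit or
    log line maps back to its DMZ at a glance."""
    subnets = list(IPv4Network(base).subnets(new_prefix=24))
    if first_vlan + count > len(subnets):
        raise ValueError("not enough /24s in the base block for that many DMZs")
    plan = []
    for vlan in range(first_vlan, first_vlan + count):
        net = subnets[vlan]
        plan.append({"vlan": vlan, "name": f"DMZ{vlan}", "net": net,
                     "fw_ip": net.network_address + 1, "level": security_level})
    return plan


def check_plan(plan):
    """Checks before pushing: unique VLAN ids in the 802.1q range (VLAN 1 left
    unused) and no overlapping DMZ subnets, which would silently merge two zones."""
    vlans = [d["vlan"] for d in plan]
    if len(set(vlans)) != len(vlans):
        raise ValueError("duplicate VLAN id in plan")
    if any(v < 2 or v > 4094 for v in vlans):
        raise ValueError("VLAN id outside 2-4094")
    nets = [d["net"] for d in plan]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets {a} and {b}")
    return True


def asa_config(plan, phys="GigabitEthernet0/1", media="sfp"):
    """ASA side, pre-8.3 NAT syntax as in the answer above. The physical port only
    carries the trunk; each DMZ is a subinterface tagged with its VLAN."""
    out = [f"interface {phys}", f" media-type {media}", " no nameif",
           " no security-level", " no ip address", " no shutdown"]
    for d in plan:
        out += [f"interface {phys}.{d['vlan']}", f" vlan {d['vlan']}",
                f" nameif {d['name']}", f" security-level {d['level']}",
                f" ip address {d['fw_ip']} {d['net'].netmask}"]
    # The default, written out explicitly: interfaces sharing a security level
    # cannot reach each other through the ASA unless this is changed to "permit".
    out.append("no same-security-traffic permit inter-interface")
    # Outbound Internet for every DMZ: PAT behind the outside interface address.
    out.append("global (outside) 1 interface")
    for d in plan:
        out.append(f"nat ({d['name']}) 1 {d['net'].network_address} {d['net'].netmask}")
    # Per-DMZ inbound ACL: deny the other DMZ subnets before the catch-all permit,
    # so isolation does not rest on the same-security setting alone.
    for d in plan:
        acl = f"{d['name']}_in"
        src = f"{d['net'].network_address} {d['net'].netmask}"
        for o in plan:
            if o is not d:
                out.append(f"access-list {acl} extended deny ip {src} "
                           f"{o['net'].network_address} {o['net'].netmask}")
        out.append(f"access-list {acl} extended permit ip {src} any")
        out.append(f"access-group {acl} in interface {d['name']}")
    return "\n".join(out)


def switch_config(plan, trunk_port="GigabitEthernet0/24"):
    """Switch side: one VLAN per DMZ and a dot1q trunk to the ASA that carries
    only those VLANs, with DTP negotiation turned off."""
    out = []
    for d in plan:
        out += [f"vlan {d['vlan']}", f" name {d['name']}_{d['net']}"]
    vlans = [d["vlan"] for d in plan]
    contiguous = len(vlans) == max(vlans) - min(vlans) + 1
    allowed = f"{min(vlans)}-{max(vlans)}" if contiguous else ",".join(map(str, vlans))
    out += [f"interface {trunk_port}", " switchport trunk encapsulation dot1q",
            " switchport mode trunk", " switchport nonegotiate",
            f" switchport trunk allowed vlan {allowed}", " no shutdown"]
    return "\n".join(out)


if __name__ == "__main__":
    plan = dmz_plan(16)  # the sixteen DMZs the question asks about
    check_plan(plan)
    print(asa_config(plan))
    print("!")
    print(switch_config(plan))
```

Run it and paste each half into the matching device; change count, first_vlan or base in dmz_plan if your VLAN numbering or address plan differs. The per-DMZ ACL is what keeps the zones apart if someone later turns on same-security-traffic permit inter-interface, which is why the script emits it even though the default already blocks that traffic.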