cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
340
Views
0
Helpful
2
Replies

16 DMZs on ASA-5540?

nguyenvinnie
Level 1
Level 1

My manager told me that we can have up to 16 DMZs on our ASA 5540 and he would like to have a 2nd DMZ configured. what does that mean by 16 DMZ's? Also, how do I configure the management interface for a 2nd DMZ? Many thanks in advance.

1 Accepted Solution

Accepted Solutions

JORGE RODRIGUEZ
Level 10
Level 10

Vinnie,

If you look at asa5540 specifications it can support up to 200 VLANS, these could be 200 DMZs how this is done it all depends how you want to spread your DMZs with respect to the integrated Ethernet ports, management interface is for management, many folks out there have used ASA management interface

as a routed interface, if you would want to create a DMZ off the management interface it is also possible but will need to be configure it as a 802.1q trunk port to split the interface into two logical inetrfaces.

For the 16 DMZs You will also have to use trunking and allocate a FE or fiber port on the ASA for trunking to switch.

Lets asume for sake of example you want to configure four out of the 16 DMZ and that you have already allocated a switch for your DMZ/subnets where your DMZ hosts will be connected.

You will need to create 16 vlans and corresponding switchport vlan#s on switch.

To summarize here are some steps on how it could be done only using 1 GigabitEthernet port off the ASA5540 firewall for all teh DMZs, you could either use copper port or fire port as the 5540 does have spf capabilities.

steps

1-Create your 16 vlans in an alocated DMZ switch

2-Allocate an RJ-45 gigabit CAPABALE Ethernet port or spf on switch to configure it with 802.1q trunking to an allocated gigabitethernet port on ASA

3-Create subinterfaces in ASA - define IP scheme for each OF THE 16 SUBINTERFACES

4-Define security level requirements for each of the subinterfaces. you could use same security level on each subinterfaces

and if you do not want comminication between them but use ACLs to allow communication between subinterfaces you can use "no same-security-traffic permit inter-interface" command.

5- for internet access you could use your outside interface to PAT inside nets for outbound internet connections for your

DMZ hosts.

Example.

Assume you have 4 networks 2.2.2.0, 3.3.3.0, 4.4.4.0, 5.5.5.0 for four DMZs

ASA5540

interface gigabitethernet 1/port

media-type sfp --> or use media-type rj45 if using fw copper port

speed nonegotiate

nameif LAN

security-level 50

no ip address

interface gigabitethernet0/1.2

interface Ethernet0/2.2

vlan 2

nameif DMZ2

security-level 50

ip address 2.2.2.1 255.255.255.0

interface gigabitethernet0/1.3

vlan 3

nameif DMZ3

security-level 50

ip address 3.3.3.1 255.255.255.0

interface gigabitethernet0/1.4

vlan 4

nameif DMZ4

security-level 50

ip address 4.4.4.1 255.255.255.0

interface gigabitethernet0/1.4

vlan 5

nameif DMZ5

security-level 50

ip address 5.5.5.1 255.255.255.0

global (outside) 1 interface

nat(DMZ2) 1 2.2.2.0 255.255.255.0

nat(DMZ3) 1 3.3.3.0 255.255.255.0

nat(DMZ4) 1 4.4.4.0 255.255.255.0

nat(DMZ5) 1 5.5.5.0 255.255.255.0

Switch:

vlan database

vtp transparent

vtp domain test_lab

vtp password cisco

vlan 2 name DMZ2_2.2.2.0/24

vlan 3 name DMZ3_3.3.3.0/24

vlan 4 name DMZ4_4.4.4.0/24

vlan 5 name DMZ5_5.5.5.0/25

etc....

Interface gigabitethernet0/48

Description trunk_Connection_ASA_Ethernet03

speed auto

switchport mode trunk

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 2,3,4,5

interface fastethernet0/1

Description DMZ2_VerdorA_ip_2.2.2.20

speed 100

duplex full

switchport acces vlan 2

no shut

interface fastethernet0/2

Description DMZ3_Verdorb_ip_3.3.3.40

speed 100

duplex full

switchport access vlan 3

no shut

etc...

refer to this link on how to using subinterfaces.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html

refer to this link for asa5540 specifications

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

if you have any other questions please let us know.

Rgds

Jorge

Rate any posts that is helpfull to you

Jorge Rodriguez

View solution in original post

2 Replies 2

JORGE RODRIGUEZ
Level 10
Level 10

Vinnie,

If you look at asa5540 specifications it can support up to 200 VLANS, these could be 200 DMZs how this is done it all depends how you want to spread your DMZs with respect to the integrated Ethernet ports, management interface is for management, many folks out there have used ASA management interface

as a routed interface, if you would want to create a DMZ off the management interface it is also possible but will need to be configure it as a 802.1q trunk port to split the interface into two logical inetrfaces.

For the 16 DMZs You will also have to use trunking and allocate a FE or fiber port on the ASA for trunking to switch.

Lets asume for sake of example you want to configure four out of the 16 DMZ and that you have already allocated a switch for your DMZ/subnets where your DMZ hosts will be connected.

You will need to create 16 vlans and corresponding switchport vlan#s on switch.

To summarize here are some steps on how it could be done only using 1 GigabitEthernet port off the ASA5540 firewall for all teh DMZs, you could either use copper port or fire port as the 5540 does have spf capabilities.

steps

1-Create your 16 vlans in an alocated DMZ switch

2-Allocate an RJ-45 gigabit CAPABALE Ethernet port or spf on switch to configure it with 802.1q trunking to an allocated gigabitethernet port on ASA

3-Create subinterfaces in ASA - define IP scheme for each OF THE 16 SUBINTERFACES

4-Define security level requirements for each of the subinterfaces. you could use same security level on each subinterfaces

and if you do not want comminication between them but use ACLs to allow communication between subinterfaces you can use "no same-security-traffic permit inter-interface" command.

5- for internet access you could use your outside interface to PAT inside nets for outbound internet connections for your

DMZ hosts.

Example.

Assume you have 4 networks 2.2.2.0, 3.3.3.0, 4.4.4.0, 5.5.5.0 for four DMZs

ASA5540

interface gigabitethernet 1/port

media-type sfp --> or use media-type rj45 if using fw copper port

speed nonegotiate

nameif LAN

security-level 50

no ip address

interface gigabitethernet0/1.2

interface Ethernet0/2.2

vlan 2

nameif DMZ2

security-level 50

ip address 2.2.2.1 255.255.255.0

interface gigabitethernet0/1.3

vlan 3

nameif DMZ3

security-level 50

ip address 3.3.3.1 255.255.255.0

interface gigabitethernet0/1.4

vlan 4

nameif DMZ4

security-level 50

ip address 4.4.4.1 255.255.255.0

interface gigabitethernet0/1.4

vlan 5

nameif DMZ5

security-level 50

ip address 5.5.5.1 255.255.255.0

global (outside) 1 interface

nat(DMZ2) 1 2.2.2.0 255.255.255.0

nat(DMZ3) 1 3.3.3.0 255.255.255.0

nat(DMZ4) 1 4.4.4.0 255.255.255.0

nat(DMZ5) 1 5.5.5.0 255.255.255.0

Switch:

vlan database

vtp transparent

vtp domain test_lab

vtp password cisco

vlan 2 name DMZ2_2.2.2.0/24

vlan 3 name DMZ3_3.3.3.0/24

vlan 4 name DMZ4_4.4.4.0/24

vlan 5 name DMZ5_5.5.5.0/25

etc....

Interface gigabitethernet0/48

Description trunk_Connection_ASA_Ethernet03

speed auto

switchport mode trunk

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 2,3,4,5

interface fastethernet0/1

Description DMZ2_VerdorA_ip_2.2.2.20

speed 100

duplex full

switchport acces vlan 2

no shut

interface fastethernet0/2

Description DMZ3_Verdorb_ip_3.3.3.40

speed 100

duplex full

switchport access vlan 3

no shut

etc...

refer to this link on how to using subinterfaces.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html

refer to this link for asa5540 specifications

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

if you have any other questions please let us know.

Rgds

Jorge

Rate any posts that is helpfull to you

Jorge Rodriguez

Very complete and useful info.

Thanks Jorge

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: