Designing Cisco ASA 5510

Unanswered Question
Apr 7th, 2008
Hi,


I'm responsible for a perimeter design with one of my customers.

The situation I designed is included in the attachment.


The question I have is this. I have 4 interfaces on an ASA 5510, first line of defense, and we need 2 DMZ zones. I can use 1 interface for the provider connection and 1 interface for the perimeter network. Can I use 1 interface for a redundant perimeter connection and 1 for a redundant provider connection? Or are the 2 interfaces left necessary for the DMZ connections?



Attachment: 
Collin Clark Mon, 04/07/2008 - 09:13

It is possible, but a little messy, and it would be a pain to troubleshoot. Each server in the DMZ would need multiple NICs and static routes.


Can you do it this way? 3 interfaces (OUTSIDE, DMZ, INSIDE). OUTSIDE to DMZ would traverse the FW, and traffic from DMZ to INSIDE would also traverse a FW, but it would be the same FW as OUTSIDE to DMZ. Is that OK? If not, you'll need a second set of FWs.


HTH

jorg.ramakers Mon, 04/07/2008 - 22:59
Hi,


Is it possible to create subinterfaces (different VLANs)?

As the DMZ is in the perimeter network, and it is between the Flod and Slod?


Best regards


Jorg

Collin Clark Tue, 04/08/2008 - 05:55

Yes you can create sub-interfaces. Not sure what you mean by Flod and Slod.

jorg.ramakers Tue, 04/08/2008 - 06:33
Hi, sorry,


flod = first line of defense

slod = second line of defense

Collin Clark Tue, 04/08/2008 - 06:39

I originally thought of sub-interfaces and it will work, but I would suggest against it. It will be hard to document/troubleshoot. What are the requirements? Must traffic flow across different interfaces?

jorg.ramakers Tue, 04/08/2008 - 06:46
Hi,


I need to configure 2 different DMZ zones, and the two DMZs should not communicate with each other. I only have 4 interfaces: 2 for redundant ISP and 2 for redundant connection to the DMZ switches.


Best regards


Jorg
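As an added illustration, not part of the original thread or its attachment, here is what the sub-interface layout Collin suggests looks like on an ASA 5510 when the two DMZs must stay isolated. The two DMZs ride as 802.1Q sub-interfaces on one physical port, which frees the remaining ports for a second ISP link and the inside network. Interface names, VLAN IDs, addresses and the switch-side trunk port are assumptions made for this example.

```cisco
! Added example (not from the original post). Names, VLANs and addresses are assumed.
!
! Ethernet0/0 -> ISP 1 (outside)
! Ethernet0/1 -> ISP 2 (outside2, backup)
! Ethernet0/2 -> 802.1Q trunk to the DMZ switch: dmz1 = VLAN 10, dmz2 = VLAN 20
! Ethernet0/3 -> inside (the second line of defense sits behind this)
!
! Assumed switch side (Cisco IOS) for the trunk port facing Ethernet0/2:
!   interface FastEthernet0/1
!    switchport trunk encapsulation dot1q
!    switchport mode trunk
!    switchport trunk allowed vlan 10,20

interface Ethernet0/0
 description ISP1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0/1
 description ISP2 backup
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! The physical trunk port gets no nameif, so untagged frames arriving on it
! are dropped instead of silently landing in some zone.
interface Ethernet0/2
 description trunk to DMZ switch
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.10
 vlan 10
 description DMZ1
 nameif dmz1
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2.20
 vlan 20
 description DMZ2
 nameif dmz2
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
 description inside
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Both DMZs sit at security-level 50 and "same-security-traffic permit
! inter-interface" is NOT configured, so the ASA already refuses dmz1<->dmz2
! by default. Do not rely on that alone: once an ACL is bound to an interface
! it replaces the implicit security-level rules, so a lazy "permit ip any any"
! would also open DMZ -> inside. The ACLs below deny DMZ -> DMZ and DMZ ->
! inside explicitly before permitting the DMZ hosts out to the Internet.
access-list DMZ1_IN extended deny ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list DMZ1_IN extended deny ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list DMZ1_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group DMZ1_IN in interface dmz1
!
access-list DMZ2_IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list DMZ2_IN extended deny ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list DMZ2_IN extended permit ip 192.168.20.0 255.255.255.0 any
access-group DMZ2_IN in interface dmz2
!
! Redundant provider on a single ASA: ISP 1 stays the default route while its
! next hop answers ICMP; when the tracked route is withdrawn the higher-metric
! route via ISP 2 takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Two checks worth running after pasting this in: `packet-tracer input dmz1 tcp 192.168.10.10 1234 192.168.20.10 80` should end in a drop on the DMZ1_IN ACL, and `show route` should list only the ISP 1 default route until the tracked next hop stops answering. Collin's objection about documentation still stands: keep the `description` lines and VLAN IDs in the design document, and note that the number of VLAN sub-interfaces a 5510 accepts depends on its license. If the DMZ switch uplink itself must be redundant, that needs a further feature (a redundant interface pair on ASA 8.0 or later, or a second firewall), which the thread does not cover.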

Collin Clark Tue, 04/08/2008 - 07:03

So would my suggestion in my second post work?

jorg.ramakers Tue, 04/08/2008 - 23:29
Yes, it can work. I was hoping someone else would have another idea, as you are suggesting against subinterfaces.


But I will rate your post.


Regards


Jorg
