Creating a DMZ on ASA

Aug 1st, 2008

We have an existing ASA on which we want to configure a DMZ. A secure FTP server with a public IP will be connected to the DMZ.

Is the configuration as simple as,

1. Configure the new interface with security level,

2. enable routing statement,

3. enable access list to allow traffic to the FTP server.

Employees on the LAN and others would access the FTP through the Internet. NAT is presently done by the outside int. of ASA.

Would configuring the DMZ affect production/network connectivity?



JORGE RODRIGUEZ Fri, 08/01/2008 - 14:01


I do not see a reason for network interruption from configuring a new interface for your DMZ network; however, it is good practice to make major FW changes during non-production hours.

You may want to reference these two links, which resemble your scenario and requirements.

FTP - ASA firewalls

DMZ config scenario



JORGE RODRIGUEZ Sat, 08/02/2008 - 06:29

Said, you are welcome.

I also want to provide additional information regarding the creation of another interface. I should have added in my previous post that, in the scenario where you have a physical interface and want to split it using 802.1q into several logical interfaces, say one logical interface to be your new DMZ network, and that interface is, for example, your inside interface or any other interface in production, you may have network disruption during the creation of trunking and other required initial configuration.

Now, if you have a free physical interface not bound to any configuration other than being dedicated to the DMZ network, there should not be network disruption in relation to other active interfaces.
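
The three steps from the question, applied to the dedicated-interface case from the last reply, as an added example that is not part of the original thread. It assumes ASA 8.0-era syntax (pre-8.3 NAT, going by the thread's date) and SFTP on tcp/22; the interface number, the 203.0.113.0/29 and 198.51.100.10 documentation addresses and the ACL name OUTSIDE_IN are constructed placeholders.

```cisco
! Constructed example: every address, interface number and ACL name is a placeholder.
!
! Step 1: dedicated physical interface for the DMZ, security level between
! outside (0) and inside (100). An unused port does not touch other interfaces.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.248
 no shutdown
!
! Step 2: routing. The DMZ subnet is directly connected, so the ASA needs no
! static route for it. The upstream router must route 203.0.113.0/29 to the
! ASA outside address (assumption: the public block is routed, not on-link).
!
! The server keeps its public IP, so no address translation is wanted.
! If nat-control is enabled, an identity static lets outside hosts reach it:
static (dmz,outside) 203.0.113.2 203.0.113.2 netmask 255.255.255.255
!
! Step 3: permit only the service port to the server, nothing else.
! An interface holds one inbound ACL. If "show running-config access-group"
! already lists an ACL on outside, add the permit line to that ACL and skip
! the access-group command, otherwise the existing production rules are replaced.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.2 eq 22
access-group OUTSIDE_IN in interface outside
!
! Verification, run from privileged EXEC after leaving config mode:
! show nameif
! show access-list OUTSIDE_IN
! packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.2 22
```

The packet-tracer output shows which ACL and NAT phase allows or drops the simulated connection, which confirms the rule set before the server goes live.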



