09-06-2008 05:11 AM - edited 03-03-2019 11:26 PM
Hi,
I have a ASA 5520 and a spare 3750 switch. Is it possible to create a DMZ/VLAN on the ASA using the 3750?
09-06-2008 06:14 AM
If you have a free port interface on your ASA, you can make a VLAN on the switch and, because it is an L3 switch, you can either create an SVI or a routed interface on the switch belonging to that VLAN subnet, connect it to the ASA port, and configure it as DMZ.
If you don't have enough ports you can do the same thing on the switch: create VLANs and make the port to the ASA a trunk, and on the ASA create subinterfaces. Each subinterface can be treated as a separate interface with all configs like security level and IPs, but keep in mind the ASA uses dot1q trunking, so make the switch trunk dot1q.
In both solutions don't do routing in the switch; instead make the communication between VLANs go through the ASA to achieve your requirement of a separate DMZ.
good luck
If helpful, rate.
09-06-2008 06:21 AM
It really doesn't matter on which switch you do it. I would rather suggest you create sub-interfaces on the inside interface of the ASA 5520, and assign different VLANs to each sub-interface. However, do keep in mind that sub-interfaces in ASA are a bit trickier than the sub-interfaces in routers. Keep an eye on the term "L2 decode error" in sh interface. It is just like a VLAN mismatch sort of error, to give you a hint to check your VLAN settings and connections.
Here is the link to configure virtual interface on ASA.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intparam.html
Please rate helpful posts.
regards,
Mohsin
09-06-2008 07:28 AM
Mohsin, the subinterface is not the only option; as I mentioned above in my post, you can do it through a separate physical interface or through a subinterface.
However, if he has a free port on the ASA it is better to do it through a separate interface rather than a subinterface,
but both work.
thank you
09-06-2008 07:35 AM
I'm just wondering: if I have to create more DMZs/VLANs, then subinterfaces are the best option, as the ASA only has one spare port free.
09-06-2008 08:52 AM
Hi there,
Could you please just tell me in more detail what you are looking to achieve, to let me help you more precisely?
thank you
09-06-2008 09:23 AM
No problem. I have a Cisco ASA 5520 and I want to create some VLANs for web servers and maybe some other VLANs in the future for other projects. I would like them to be firewalled through the ASA. I have a spare 3750, and it seems the best approach as I only have 1 spare gigabit port left (inside, outside, failover, spare).
Is it a good approach to trunk off the 5520 into the 3750 and create subinterfaces?
09-07-2008 03:46 AM
Yes, sure.
Make subinterfaces on the spare port and it will already be trunked with dot1q. On the switch side make a dot1q trunk and create the VLANs on the 3750 switch, but do not make any routing between those VLANs on the switch, as you want the communication between them to be firewalled through the ASA.
All you need is to give each subinterface a security level, an IP address and the VLAN number corresponding to the VLAN on the switch.
On the hosts, make the default gateway the subinterface of the ASA in the corresponding VLAN.
And then you can make ACLs and whatever you want to control the communication between ASA interfaces, subinterfaces and non-subinterfaces.
good luck
If helpful, rate.
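The following is an added worked configuration for the setup the posts above describe (dot1q trunk from the spare ASA port to the 3750, one subinterface per DMZ VLAN, no inter-VLAN routing on the switch). It is not from any of the posters or from Cisco's documentation; interface names, VLAN IDs, addresses and the sample ACL are constructed, and the ACL uses the pre-8.3 ASA syntax of the era the thread refers to.

```cisco
! ===== ASA 5520 (constructed example; 7.2/8.0-era syntax assumed) =====
! The spare physical port becomes the dot1q trunk parent. It carries no IP
! address and no nameif; only the subinterfaces are named and get security levels.
interface GigabitEthernet0/3
 description dot1q trunk to 3750 Gi1/0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per DMZ VLAN. The "vlan" tag must match the VLAN ID on the
! switch; a mismatch shows up as "L2 decode" drops in "show interface".
interface GigabitEthernet0/3.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/3.20
 vlan 20
 nameif dmz-proj
 security-level 40
 ip address 10.10.20.1 255.255.255.0
!
! Because the 3750 does not route between the DMZ VLANs, every inter-VLAN
! flow crosses the ASA and can be filtered per subinterface. Sample policy:
! web servers may reach one inside database host (10.1.1.50, constructed) and
! the internet, but nothing else on the inside or the other DMZ.
access-list dmz-web_in extended permit tcp 10.10.10.0 255.255.255.0 host 10.1.1.50 eq 1433
access-list dmz-web_in extended deny ip 10.10.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz-web_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group dmz-web_in in interface dmz-web

! ===== Catalyst 3750 (Layer 2 only for the DMZ VLANs) =====
vlan 10
 name DMZ-WEB
!
vlan 20
 name DMZ-PROJ
!
! Trunk towards the ASA: force dot1q, carry only the DMZ VLANs, disable DTP.
interface GigabitEthernet1/0/1
 description dot1q trunk to ASA Gi0/3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
! Server-facing access port; the host's default gateway is the ASA
! subinterface in its VLAN (10.10.10.1 for VLAN 10).
interface GigabitEthernet1/0/2
 description web server
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Deliberately absent: no "interface Vlan10" / "interface Vlan20" SVIs with IP
! addresses and no "ip routing" on the 3750. Adding either would let the switch
! forward between the DMZ VLANs and bypass the firewall policy above.
```

To verify, `show interface GigabitEthernet0/3.10` on the ASA should report the subinterface up with no growing "L2 decode drops" counter (the symptom Mohsin mentions), and `show interfaces trunk` / `show vlan brief` on the 3750 should show Gi1/0/1 trunking VLANs 10 and 20 with Gi1/0/2 in VLAN 10. The two subinterfaces are given different security levels on purpose; if you assign equal levels, the ASA additionally needs `same-security-traffic permit inter-interface` before any traffic passes between them.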