DMZ vs Public Server option in 8.2

cowetacoit
Level 1

Could someone explain the real differences between these two options in the ASA 8.2 release? I know a DMZ is assigned a different security level and the device has a real public IP assigned to it, whereas the Public Server option is a server with an internal IP and one-to-one NAT. Which is more secure? Are they the same thing now?

9 Replies

Collin Clark
VIP Alumni

Typically nowadays, even DMZ hosts get a private IP. The firewall will NAT a public IP to either the DMZ host or an internal host. Which is more secure? IMO the DMZ is more secure. If for some reason the DMZ host gets compromised, the hacker would also have to break through from the DMZ to the internal network. You can completely block that access, so they could not access the internal network. If the NAT goes directly to the inside and a hacker compromises the system, they are already on the inside.

Hope that helps.
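The two options Collin contrasts, written out in ASA 8.2 (pre-8.3) syntax. This is an added example, not configuration from the thread; the addresses (203.0.113.10 public, 10.1.4.50 inside, 172.16.100.10 DMZ, 10.1.0.0/16 as "everything inside", 198.51.100.53 as a DNS resolver), interface Ethernet0/2 and the ACL names are assumptions. It also assumes the 8.2 default of nat-control disabled, so inside hosts reach the DMZ without an identity NAT rule.

```cisco
! Added example (not from the original thread). Addresses, interface
! and ACL names are assumed. Pick ONE of the two options.
!
! --- Option A: "Public Server" style. Server stays on the inside segment
! and gets a 1:1 static NAT. Anyone who owns 10.1.4.50 is already inside.
static (inside,outside) 203.0.113.10 10.1.4.50 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
!
! --- Option B: same server moved behind a DMZ interface at level 50.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.100.1 255.255.255.0
 no shutdown
!
! Same public address, now mapped to the DMZ host. In 8.2 the outside ACL
! still matches on the mapped (public) address.
static (dmz,outside) 203.0.113.10 172.16.100.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
!
! With no ACL on dmz, level 50 -> 100 (inside) is already dropped and
! 50 -> 0 (outside) is allowed. Make that explicit so a later
! "permit ip any any" added for outbound updates cannot quietly open inside.
object-group network INSIDE_NETS
 network-object 10.1.0.0 255.255.0.0
access-list dmz_in extended deny ip any object-group INSIDE_NETS log
access-list dmz_in extended permit tcp any any eq 80
access-list dmz_in extended permit tcp any any eq 443
access-list dmz_in extended permit udp any host 198.51.100.53 eq domain
access-group dmz_in in interface dmz
```

To confirm the DMZ host really cannot pivot, run `packet-tracer input dmz tcp 172.16.100.10 1025 10.1.4.50 445` and check that the ACCESS-LIST phase reports DROP; `show access-list dmz_in` then shows the hit count on the deny line climbing whenever something in the DMZ tries.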

I see your point. So what is the best way to set up a DMZ? Configure INSIDE, OUTSIDE, and DMZ as separate physical interfaces? Or use subinterfaces on the INTERNAL interface?

Whether to use 3 physical interfaces or to trunk depends on throughput, number of interfaces, licensing, etc. When I have multiple DMZs, I'll trunk all of the DMZ VLANs. If I have multiple insides, same thing. I prefer not to trunk inside and DMZ VLANs on a single trunk.

That makes sense, keeping them separate. I guess my problem has been that I couldn't figure out how to create the actual DMZ VLANs. I have 4 gig ports, and two of them are active interfaces for INSIDE and OUTSIDE. If I were to create a third physical interface for DMZ, would I create subinterfaces for the individual DMZ VLANs? I have a VLAN on my layer 3 switch that is just for the connection between my ASA and the layer 3 switch. The layer 3 switch does my inter-VLAN routing.

Create a VLAN for each DMZ. The VLAN on your L3 switch should NOT have an SVI! Here's an example of the ASA with a trunked interface. Your switch would be configured as a normal 802.1Q trunk.

interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
! Each subinterface needs the "vlan" tag or it never comes up; the tag
! must match the VLAN carried on the switch trunk.
interface Ethernet0/3.999
 vlan 999
 nameif dmz
 security-level 50
 ip address 172.16.100.1 255.255.255.0
!
interface Ethernet0/3.998
 vlan 998
 nameif dmz192
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! Both DMZs sit at level 50, so traffic between them is dropped unless
! "same-security-traffic permit inter-interface" is configured.

Well, I have two 4506s running GLBP and EIGRP, which have an SVI on them just for the connection to the dual ASAs. So the ASA only has INSIDE on one physical interface. I don't understand why I'm not supposed to have an SVI on my 4506. Do you mean just the DMZ, or both DMZ and INSIDE? Thanks for all of your help. I guess I'm just trying to understand the concept more than anything.

Just the DMZ. Sorry if I didn't make that clear. If you have an SVI on the switch, there's a hook into your internal network without going through the ASA.
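The switch side of Collin's layout, as an added example that is not part of the thread: the 4506 carries the two DMZ VLANs as a layer-2-only trunk to the ASA, with no SVI on either. VLAN numbers 999 and 998 match his ASA subinterfaces; the port numbers, VLAN names and the unused native VLAN 4000 are assumptions.

```cisco
! Added example (not from the thread). Port numbers, VLAN names and the
! dummy native VLAN are assumed; 998/999 match the ASA subinterfaces.
vlan 998
 name DMZ192
vlan 999
 name DMZ
vlan 4000
 name UNUSED-NATIVE
!
! Uplink to the ASA's Ethernet0/3. Carry only the DMZ VLANs, turn off DTP,
! and park the native VLAN on a tag nothing uses so untagged frames
! cannot land on a real segment.
interface GigabitEthernet2/1
 description Trunk to ASA Ethernet0/3 (DMZ VLANs only)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4000
 switchport trunk allowed vlan 998,999
 switchport mode trunk
 switchport nonegotiate
!
! A DMZ server port is a plain access port in its DMZ VLAN.
interface GigabitEthernet2/2
 description DMZ web server
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
!
! Deliberately NO "interface Vlan998" / "interface Vlan999": the switch
! is purely layer 2 for these VLANs, so the only router on them is the
! ASA. If an SVI was created by mistake, remove it:
no interface Vlan998
no interface Vlan999
!
! The existing transit VLAN to the ASA's inside interface keeps its SVI;
! that is the path inside users take to reach the DMZ, through the ASA.
```

Check with `show interfaces trunk` (only 998,999 allowed and active on Gi2/1) and `show ip interface brief | include Vlan` (no Vlan998 or Vlan999 listed). With two 4506s and a failover pair of ASAs, the trunk between the switches must also carry 998 and 999, again without SVIs, so both ASAs see the same layer-2 segment.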

Thanks Collin, I believe I'll try this next maintenance window. But here is a twist. What if the servers are on a blade server running VMware? Any experience with a DMZ host on a VM? Right now we just have that Public Server option. Prior to the 8.2 release we just used static NAT with ACLs.

I use 3 physical dot1q trunks.

1) Public subinterfaces

2) Semi-public subinterfaces

3) Local subinterfaces

But if the hacked server finds a way to pass traffic to other VLANs, you are lost. The best way to avoid this is to NOT permit admin connections to your switches or firewalls from servers in the DMZ.

This shows the config for a directly connected outside on Gi0/0 and a trunk for 3 inside VLANs on Gi1/1.

The ASA routes the packets between its interfaces.

If you don't want to inspect traffic from servers to hosts, don't create those interfaces on the ASA; just keep your L3-to-ASA VLAN to provide DMZ and outside access to your hosts.

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
! Physical trunk parent ("Solo trunk" = trunk only, "deshab" = disabled).
! Because it carries a nameif at level 0, any untagged (native-VLAN)
! frames from the switch land on this level-0 interface.
interface GigabitEthernet0/1
 description Solo trunk
 nameif deshab
 security-level 0
 no ip address
!
! "ServidoresAdm" = admin servers
interface GigabitEthernet0/1.12
 description ServidoresAdm
 vlan 12
 nameif srvadm
 security-level 50
 ip address 10.1.2.1 255.255.255.128
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif segurtec
 security-level 20
 ip address 10.1.30.1 255.255.255.0
!


Guido.

Please rate if that was useful to you.
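Guido's last point, that DMZ servers must never be able to open an admin session to the firewall or the switches, written out as an added example that is not configuration from the thread. The management subnet 10.1.99.0/24 and the ASA ACL names are assumptions; the interface names inside, srvadm and segurtec are taken from his configuration above.

```cisco
! Added example (not from the thread). The 10.1.99.0/24 management subnet
! and the ACL names are assumed; interface names are Guido's.
!
! ASA side. Packets addressed to the ASA itself are NOT filtered by
! interface ACLs; they are allowed only by the ssh/http/telnet commands.
! So list the management subnet on the inside interface only, and add no
! entry at all for srvadm or segurtec: an interface with no entry cannot
! open a management session, whatever its ACL says. Leave telnet unset.
ssh 10.1.99.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
http server enable
http 10.1.99.0 255.255.255.0 inside
!
! Reaching the SWITCHES from a DMZ is through traffic, so that part is
! handled by the DMZ interface ACLs. Deny the management subnet ahead of
! any permit, on every DMZ-facing interface.
object-group network MGMT_NETS
 network-object 10.1.99.0 255.255.255.0
access-list srvadm_in extended deny ip any object-group MGMT_NETS log
access-list srvadm_in extended permit tcp any any eq 443
access-group srvadm_in in interface srvadm
access-list segurtec_in extended deny ip any object-group MGMT_NETS log
access-list segurtec_in extended permit tcp any any eq 443
access-group segurtec_in in interface segurtec
!
! IOS side (the 4506s). Accept SSH only from the management subnet, so a
! DMZ host that somehow gets past the ASA is stopped again at the switch.
ip access-list standard MGMT_HOSTS
 permit 10.1.99.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT_HOSTS in
 transport input ssh
!
no ip http server
no ip http secure-server
```

The ASA lines assume SSH is already usable (an RSA key from `crypto key generate rsa` and a login configured). Verify from a DMZ host that an SSH attempt to 10.1.2.1 or 10.1.30.1 is refused (no `ssh` entry for those interfaces), that `packet-tracer input srvadm tcp 10.1.2.10 1025 10.1.99.5 22` reports DROP in the ACCESS-LIST phase, and that `show access-lists` on the 4506 shows MGMT_HOSTS deny matches when something in the DMZ tries the switch.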
