Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
450
Views
0
Helpful
2
Replies

ASA DMZ Interface setup

johng231
Level 3
Level 3

‎08-19-2009 05:50 AM - edited ‎03-11-2019 09:07 AM

Hey Everyone,

I was wondering what would be the ideal performance for placing the DMZs on either a physical interface or logical interface. We are using ASA 5550s, the outside is setup on GIG 0/0 and the inside is setup on GIG 1/0 for optimal performance. The ASA 5550 documentation talks about placing the outside and inside on separate PCI bus(s) to achieve maximum performance. They don't mention of having a DMZ on either bus 1 or bus 2. I'm guessing you can place it on the same bus as your inside, since the DMZ talks to the outside for hosting services but you also have a lot of backend applications that needs to communicate to your DMZ.

Labels:
0 Helpful
2 Replies 2

nisgupta
Cisco Employee
Cisco Employee

‎08-19-2009 11:16 PM

It all depends upon amount of the traffic. If the traffic between the outside and the dmz interface is more than b/w the inside and dmz then it would be better to put the interface on that bus where the inside interface is located otherwise on put the interface on the outside's interface bus.

If you please let me know the 'show traffic' output of the firewall then I could suggest you where to install(like which bus) the interface.

The key to install the interface is depends upon on the amount of traffic is being passed and it could analyised by looking at the 'show traffic' output of the firewall.

Thanks & Regards

Nishant Gupta

Network Engineer

CCIE (Security) # 20256

0 Helpful

johng231
Level 3
Level 3
In response to nisgupta

‎08-20-2009 07:37 AM

Thanks for the information. We are replacing our PIX-535(s) with ASAS 5550 (s). The output below is from one of our PIX-535(s). I plan on having the outside on gig0/0, inside gig 0/1, and the DMZ on gig 1/0. The inside traffic would never traverse GIG 0/0 so I think it makes sense to have it on GIG 0/1. What do you think?

ryefwpixec# show traffic

outside:

received (in 2612362.232 secs):

674063447 packets 1859648235 bytes

1 pkts/sec 1 bytes/sec

transmitted (in 2612362.232 secs):

2290961969 packets 1180576502 bytes

0 pkts/sec 1 bytes/sec

inside:

received (in 2612362.232 secs):

496137622 packets 3425637339 bytes

0 pkts/sec 1000 bytes/sec

transmitted (in 2612362.232 secs):

2568127494 packets 1471274881 bytes

1 pkts/sec 0 bytes/sec

FailureNet:

received (in 2612362.232 secs):

558787 packets 12476048 bytes

0 pkts/sec 1 bytes/sec

transmitted (in 2612362.232 secs):

89473942 packets 2812506396 bytes

1 pkts/sec 1000 bytes/sec

intf3:

received (in 2612362.232 secs):

0 packets 0 bytes

0 pkts/sec 0 bytes/sec

transmitted (in 2612362.232 secs):

0 packets 0 bytes

0 pkts/sec 0 bytes/sec

Ecom-DMZ:

received (in 2612362.232 secs):

2254395416 packets 4231996422 bytes

1 pkts/sec 1000 bytes/sec

transmitted (in 2612362.232 secs):

2977528782 packets 3794604310 bytes

1000 pkts/sec 1000 bytes/sec

ryefwpixec#

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card