Multiple DMZ ASA help

Answered Question
Oct 22nd, 2009

We have an ASA 5520 running Cisco Adaptive Security Appliance Software Version 7.2(3).

Current config for the DMZ is:

interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address x.x.x.1 255.255.255.0

==================================

I am using all the physical ports and need to add another DMZ segment. I am planning to configure the following:

int gi0/2
 no nameif dmz
 no ip add x.x.x.1 255.255.255.0

int gi0/2.35
 nameif dmz
 vlan 35
 security-level 50
 ip add x.x.x.1 255.255.255.0

int gi0/2.36
 nameif dmz2
 vlan 36
 ip add y.y.y.1 255.255.255.0


====================================

I have a few questions regarding the above configuration.

1. Am I on the right path or not?

2. When I move dmz from the physical interface to a logical interface, what happens to the access-list associated with the dmz interface? Do I need to recreate it, or will moving to the logical interface take care of the config automatically?

Thank you

Viral Patel

Correct Answer by scott-goodwin, Thu, 10/22/2009 - 05:24

I believe you will have to recreate the access-group command to re-apply the access-list, as the name removal will delete the associated access-group command.

Thanks

Scott

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Loading.
Correct Answer
scott-goodwin Thu, 10/22/2009 - 05:24
User Badges:

I beleive you will have to recreate the access-group command to re-apply the access-list as the name removal will delete the associated access-group command.



Thanks


Scott

patelvc7601 Thu, 10/22/2009 - 06:12

I currently have this command applied, which applies access-list dmz_inbound to the interface named dmz. I am assuming that once I make the above changes I may just have to reapply it.

access-group dmz_inbound in interface dmz

Thank you

Viral Patel
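Putting the subinterface conversion from the question together with Scott's point about the access-group, here is an added worked example of the complete change in ASA CLI; it is not the poster's running config or Cisco documentation. The interface, VLAN IDs, x.x.x.1 / y.y.y.1 addresses and the ACL name dmz_inbound come from the thread; dmz2_inbound, host y.y.y.10 and the port are constructed placeholders.

```text
! Added example (not the poster's running config or Cisco's documentation).
! Interface, VLAN IDs, addresses and the ACL name dmz_inbound come from the
! thread; dmz2_inbound, host y.y.y.10 and the port are constructed placeholders.
!
! Step 1: before removing the name, record everything that references "dmz".
!         Scott's point is that "no nameif" drops the access-group binding;
!         check other name-dependent lines (nat/static, route) the same way.
show running-config access-group
show running-config | include dmz
!
! Step 2: turn the physical port into an 802.1Q trunk with two subinterfaces.
!         The connected switch port must trunk VLANs 35 and 36 as well.
interface GigabitEthernet0/2
 no nameif
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.35
 vlan 35
 nameif dmz
 security-level 50
 ip address x.x.x.1 255.255.255.0
!
! The posted config omitted security-level on dmz2; a named interface with
! no explicit level defaults to 0, so set it deliberately.
interface GigabitEthernet0/2.36
 vlan 36
 nameif dmz2
 security-level 50
 ip address y.y.y.1 255.255.255.0
!
! Step 3: re-apply the existing ACL to the new logical "dmz" interface; the
!         binding from the physical interface did not survive the nameif removal.
access-group dmz_inbound in interface dmz
!
! Step 4: the second DMZ needs its own inbound policy (constructed entries).
access-list dmz2_inbound extended permit tcp any host y.y.y.10 eq 443
access-list dmz2_inbound extended deny ip any any log
access-group dmz2_inbound in interface dmz2
!
! Optional: both DMZs sit at security-level 50, so traffic between them is
! dropped by default unless same-security traffic is explicitly allowed.
same-security-traffic permit inter-interface
```

After the change, `show running-config access-group` should list both bindings; if the dmz line is missing, the ACL itself is still present but is no longer applied to any interface.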
