Multiple DMZ ASA help

Answered Question
Oct 22nd, 2009

We have an ASA 5520 running Cisco Adaptive Security Appliance Software Version 7.2(3).

Current config for the DMZ is:

interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address x.x.x.1 255.255.255.0

==================================

I am using all the physical ports and need to add another DMZ segment. I am planning to configure the following:

interface GigabitEthernet0/2
 no nameif
 no ip address x.x.x.1 255.255.255.0
!
interface GigabitEthernet0/2.35
 nameif dmz
 vlan 35
 security-level 50
 ip address x.x.x.1 255.255.255.0
!
interface GigabitEthernet0/2.36
 nameif dmz2
 vlan 36
 ip address y.y.y.1 255.255.255.0

====================================

I have a few questions regarding the above configuration.

1. Am I on the right path or not?

2. When I move dmz from the physical interface to a logical interface, what happens to my access-list associated with the dmz interface? Do I need to recreate it, or will moving to the logical interface take care of the config automatically?

Thank you

Viral Patel

Correct Answer
scott-goodwin Thu, 10/22/2009 - 05:24

I believe you will have to recreate the access-group command to re-apply the access-list, as the name removal will delete the associated access-group command.

Thanks

Scott

patelvc7601 Thu, 10/22/2009 - 06:12

I currently have this command applied; access-list dmz_inbound is applied to the nameif interface dmz. I am assuming that once I make the above changes I may just have to reapply it.

access-group dmz_inbound in interface dmz

Thank you

Viral Patel
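The complete cut-over that Scott's answer and the follow-up about `access-group dmz_inbound in interface dmz` describe, as an added example that is not from the thread: it reuses the question's ASA 7.2(3) interface, VLAN, address and ACL names, assumes the switch port facing Gi0/2 is already an 802.1Q trunk carrying VLANs 35 and 36, and gives dmz2 a hypothetical ACL `dmz2_inbound` at security-level 50.

```cisco
! Added example, not from the thread: full cut-over on ASA 7.2(3), reusing
! the question's interface, VLAN, address and ACL names. Assumed: the ACL
! dmz_inbound already exists; dmz2_inbound is a hypothetical ACL for dmz2.
!
! 1. Record everything that refers to the name "dmz" before touching it:
!    "no nameif" removes every command that uses the name, not only the
!    access-group line, so this output is the checklist for step 5.
show running-config | include dmz
!
! 2. Unbind the name from the physical port but leave the port itself up;
!    subinterfaces stay down while their parent is shut down.
interface GigabitEthernet0/2
 no ip address
 no nameif
 no shutdown
!
! 3. Recreate the existing DMZ on a tagged subinterface (VLAN first).
interface GigabitEthernet0/2.35
 vlan 35
 nameif dmz
 security-level 50
 ip address x.x.x.1 255.255.255.0
 no shutdown
!
! 4. Add the new segment. Set the security level explicitly: an interface
!    without one defaults to 0, the level normally given to "outside". At
!    equal levels, dmz <-> dmz2 traffic stays blocked unless
!    same-security-traffic permit inter-interface is configured.
interface GigabitEthernet0/2.36
 vlan 36
 nameif dmz2
 security-level 50
 ip address y.y.y.1 255.255.255.0
 no shutdown
!
! 5. Re-apply the binding step 2 removed (the access-list entries survive,
!    only the access-group line is dropped) and give dmz2 its own ACL
!    rather than reusing dmz_inbound, so each segment is filtered separately.
access-group dmz_inbound in interface dmz
access-group dmz2_inbound in interface dmz2
!
! 6. Verify both names exist, both bindings are back and links are up,
!    then save.
show nameif
show running-config access-group
show interface ip brief
write memory
```

Compare the `show running-config | include dmz` output from step 1 with the running config after step 6; any NAT or other line that referenced dmz and is now missing has to be re-entered the same way as the access-group.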
