HWangLoyalty wrote:
I am a new guy to ASA firewall. I hope I could get your help to my question.
We have a new ASA 5505 with Security Plus license. we will connect it to our L2 switch (access layer). There are four Vlans realted to this ASA.
Vlan10: internal users vlan
VLAN20: CSM VIP vlan
VLAN30: CSM real (backend)servers vlan
VLAN40: application servers
I would like to use three ports on the ASA since I will divide into three legs. One is inside for vlan10. The second one is Dmz1 for CSM VIP, the third one is DMZ2 for application servers. I have a question to the second leg. Since thesse servers are built on the VMware instead of phycial box, should I setup this port as trunk port (allow vlan20,vlan30) on the ASA? Do I need to create a sub interface for it?
I will apprecaite it if you could give me any suggestions
If i understand your setup correctly no you shouldn't. You only want traffic to go to the VIP and not the real addresses so you should only allow vlan 20 on that link.
Of course if you want to be able to access both the VIPs and the real addresses through the ASA you would need to set it up as a trunk.
Jon