Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
337
Views
0
Helpful
1
Replies

VLANs behind CSM plan on the ASA 5505

HWangLoyalty_2
Level 1
Level 1

‎01-07-2010 09:04 AM - edited ‎03-11-2019 09:54 AM

I am a new guy to ASA firewall. I hope I could get your help to my question.

We have a new ASA 5505 with Security Plus license. we will connect it to our L2 switch (access layer). There are four Vlans realted to this ASA.

Vlan10: internal users vlan

VLAN20: CSM VIP vlan

VLAN30: CSM real (backend)servers vlan

VLAN40: application servers

I would like to use three ports on the ASA since I will divide into three legs. One is inside for vlan10. The second one is Dmz1 for CSM VIP, the third one is DMZ2 for application servers. I have a question to the second leg. Since thesse servers are built on the VMware instead of phycial box, should I setup this port as trunk port (allow vlan20,vlan30) on the ASA? Do I need to create a sub interface for it?

I will apprecaite it if you could give me any suggestions

Labels:
0 Helpful
1 Reply 1

Jon Marshall
Hall of Fame
Hall of Fame

‎01-07-2010 10:08 AM 

HWangLoyalty wrote:
I am a new guy to ASA firewall. I hope I could get your help to my question. 
We have a new ASA 5505 with Security Plus license. we will connect it to our L2 switch (access layer). There are four Vlans realted to this ASA.
Vlan10: internal users vlan
VLAN20: CSM VIP vlan
VLAN30: CSM real (backend)servers vlan
VLAN40: application servers
I would like to use three ports on the ASA since I will divide into three legs. One is inside for vlan10. The second one is Dmz1 for CSM VIP, the third one is DMZ2 for application servers. I have a question to the second leg. Since thesse servers are built on the VMware instead of phycial box, should I setup this port as trunk port (allow vlan20,vlan30) on the ASA? Do I need to create a sub interface for it?
I will apprecaite it if you could give me any suggestions

If i understand your setup correctly no you shouldn't. You only want traffic to go to the VIP and not the real addresses so you should only allow vlan 20 on that link.

Of course if you want to be able to access both the VIPs and the real addresses through the ASA you would need to set it up as a trunk.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card