Connect Layer 2 Switch in DMZ to ASA 5510

Jul 27th, 2010


I'm pretty new to all this and have read a lot. My situation is as follows:

I've got a 3750 12-port SFP switch which connects to 48 Ethernet port + 4 SFP port switches through a trunk (they are also all trunked between each other and then each of them is connected to the 3750 12-port SFP switch (wanted to make a mesh / backup links)). There are 2 VLANs (call them A and B) on it and a management VLAN. The 12-port SFP switch then connects to an ASA 5510 inside interface (used the Ethernet port from the ASA side and a GL-T transceiver to connect an Ethernet cable into the 3750 12-port SFP). The ASA then connects to the router through its outside interface. Finally, connected to the DMZ ASA interface is another 24-port 3550 layer 2 switch. It only has 1 web server on it and is being wasted (the 24-port switch has 1 VLAN for DMZ and 1 VLAN for management). The three ASA interfaces DMZ, inside and outside all have IP addresses and security levels like 100 for inside, 20 for DMZ and 0 for outside.

Now, we bought an 8-port 2960 Cisco layer 2 switch. I cannot do ip route, so I read that I have to set up a trunk between the layer 2 switch and the firewall and create subinterfaces on the firewall. I set up a single VLAN on the 8-port switch and only created one subinterface on the ASA port which was meant for DMZ (I did the no shut, no security, no nameif for the physical port and then created the subinterface with nameif, security, vlan). I can ping from the firewall to the web server and its VLAN, but the 2 VLANs from the inside network (A and B) cannot access the web server.


1. Do I need to create a trunk on the ASA subinterface?

2. Do I make the inside VLANs A and B access the web server in the DMZ through access-lists, or do I need to do something else?

3. I've got VLAN A and B, but for some reason when I click on a computer on VLAN A, for instance, and do Start > Run and enter the IP address of a server on VLAN B, it prompts me for username and password. I do not want A and B to see each other or communicate at all (so I don't even want a computer on VLAN B to access servers on VLAN A).

I've also noticed that after installing Windows 2008 Server, compared to Windows 2003, when I do Start > Run and type in the IP of any computer on the same VLAN I can access its shares without username and password - but I don't think this is down to Cisco but actually Windows (obviously I would want users to give credentials)!

Hope someone can help out!

Thanking you in advance!

mudubai04 Fri, 07/30/2010 - 11:54

Sorted out:

1. No need for a trunk on the ASA side - just need to create the subinterface.

3. Sorted this one out by blocking the VLANs through access-lists on the core switch - so they cannot ping any longer, etc.

Still trying to figure out the second one though... any help/ideas appreciated.


waltermavely Fri, 07/30/2010 - 23:05


1. How is your ASA configured, with nat-control or no nat-control? By default nat-control is disabled (no nat-control, version 7.2 or later). If you enable nat-control you have to do NATting for the DMZ interface; this is one case.

You can check with this command: "show run nat-control"

2. If you are doing NATting for inside hosts going to outside:

nat (inside) 1 x.x.x.x x.x.x.x

global (outside) 1 x.x.x.x (or interface)

then you need a global command for the DMZ zone also:

global (dmz) 1 x.x.x.x (or interface)

or you can exempt NATting to the DMZ:

nat (inside) 0 access-list inside_to_dmz

access-list inside_to_dmz extended permit ip x.x.x.x x.x.x.x (inside-subnet) x.x.x.x x.x.x.x (dmz-subnet)

By default, traffic from higher security to lower security is allowed, so you need an access-list on the inside interface.

4. If you want to ping servers in the DMZ you need to enable ICMP packet inspection:

policy-map global_policy
class inspection_default
    inspect icmp

Hope this is helpful for you.


mudubai04 Sun, 08/01/2010 - 03:39

Yup, I am using NAT.

Thing is, if I am creating the logical subinterface on the Ethernet0/2 port for the DMZ connection between the ASA and the layer 2 switch, I still use the name of the logical subinterface in the global (dmz) command, not the physical interface name, right? Will try this out and let you know how it goes.


mudubai04 Thu, 08/05/2010 - 13:31

Yup, sorted it out - I just realised that the layer 2 switch had a defined IP; took that off. So, bottom line:

ASA - issue the no shutdown command for interface Ethernet0/2

interface ethernet0/2

no shut

- set up the logical interface

interface ethernet0/2.5

vlan 5

nameif dmz

security-level 20

ip address

and then on the layer 2 switch one port is to be trunked:

switchport mode trunk (on the 2960 there is no need to type switchport encap dot1q as it is automatically added when you type switchport mode trunk)

switchport trunk allowed vlan 5

and then on the layer 2 switch, on the second port, plug in the web server.

Add a VLAN to the database, for instance:

vlan 5

and then add vlan 5 to one of the switch ports:

switchport mode access

switchport access vlan 5

I've added the ip default-gateway to be

Et voila! All sorted - works like a charm. Thank you very much for helping out, Walter.
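Pulling walter's NAT/ACL advice and the final working layout together, here is an added end-to-end example (constructed for this write-up, not configuration posted by anyone in the thread) in ASA 8.2-style syntax. The addresses, interface names, the ACL names and the choice of VLAN 5 are assumptions; the inside-to-DMZ rule is narrowed to the web server's ports rather than a blanket permit ip.

```cisco
! ---- ASA 5510 (8.2-style syntax, assumed) ----
! Physical port carries the dot1q trunk to the 2960: no nameif/security/IP here
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
! Logical DMZ subinterface tagged with VLAN 5 (constructed addresses)
interface Ethernet0/2.5
 vlan 5
 nameif dmz
 security-level 20
 ip address 192.0.2.1 255.255.255.0
!
! Dynamic PAT for inside hosts going out; with nat-control enabled, inside-to-dmz
! packets with no translation are dropped, hence the dmz global or the exemption
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
! Option A: give the dmz its own global for NAT id 1
global (dmz) 1 interface
! Option B: exempt inside-to-dmz traffic from NAT (identity NAT); takes precedence
access-list inside_to_dmz_nat0 extended permit ip 10.1.0.0 255.255.0.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list inside_to_dmz_nat0
!
! Least privilege: only web traffic from inside to the one DMZ host, then the
! usual inside-to-outside permit; an inbound ACL on inside replaces the default
! high-to-low permit, so the last permit is required
access-list inside_in extended permit tcp 10.1.0.0 255.255.0.0 host 192.0.2.10 eq 80
access-list inside_in extended permit tcp 10.1.0.0 255.255.0.0 host 192.0.2.10 eq 443
access-list inside_in extended deny ip any 192.0.2.0 255.255.255.0
access-list inside_in extended permit ip 10.1.0.0 255.255.0.0 any
access-group inside_in in interface inside
!
! Stateful ICMP inspection so pings from inside to the DMZ get their replies back
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! ---- 2960 in the DMZ (no IP on VLAN 5, which is what the thread's fix removed) ----
vlan 5
 name dmz
interface GigabitEthernet0/1
 description uplink to ASA Ethernet0/2 (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 5
interface FastEthernet0/1
 description web server (assumed port)
 switchport mode access
 switchport access vlan 5
```

Use only one of the two NAT options; both are shown so the difference between walter's global (dmz) and nat 0 approaches is visible in one place.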

