01-29-2008 08:54 AM - edited 03-11-2019 04:55 AM
My manager told me that we can have up to 16 DMZs on our ASA 5540 and he would like to have a 2nd DMZ configured. What does that mean by 16 DMZs? Also, how do I configure the management interface for a 2nd DMZ? Many thanks in advance.
01-29-2008 01:15 PM
Vinnie,
If you look at the ASA 5540 specifications, it can support up to 200 VLANs; these could be 200 DMZs. How this is done all depends on how you want to spread your DMZs across the integrated Ethernet ports. The management interface is for management, but many folks out there have used the ASA management interface as a routed interface. If you want to create a DMZ off the management interface it is also possible, but you will need to configure it as an 802.1q trunk port to split the interface into two logical interfaces.
For the 16 DMZs you will also have to use trunking and allocate an FE or fiber port on the ASA for trunking to the switch.
Let's assume for the sake of example that you want to configure four out of the 16 DMZs and that you have already allocated a switch for your DMZ subnets where your DMZ hosts will be connected.
You will need to create 16 VLANs and the corresponding switchport VLAN numbers on the switch.
To summarize, here are some steps on how it could be done using only 1 GigabitEthernet port off the ASA 5540 firewall for all the DMZs; you could use either the copper port or the fiber port, as the 5540 does have SFP capabilities.
Steps
1- Create your 16 VLANs in an allocated DMZ switch
2- Allocate an RJ-45 gigabit-capable Ethernet port or SFP on the switch and configure it with 802.1q trunking to an allocated GigabitEthernet port on the ASA
3- Create subinterfaces in the ASA - define the IP scheme for each of the 16 subinterfaces
4- Define security level requirements for each of the subinterfaces. You could use the same security level on each subinterface, and if you do not want communication between them, but want to use ACLs to allow communication between subinterfaces, you can use the "no same-security-traffic permit inter-interface" command.
5- For internet access you could use your outside interface to PAT the inside nets for outbound internet connections for your DMZ hosts.
Example:
Assume you have 4 networks 2.2.2.0, 3.3.3.0, 4.4.4.0, 5.5.5.0 for four DMZs.
ASA5540:
interface GigabitEthernet0/1
 media-type sfp --> or use media-type rj45 if using the firewall's copper port
 speed nonegotiate
 no nameif --> parent of the subinterfaces; left unnamed so only tagged traffic is accepted
 no security-level
 no ip address
 no shutdown
interface GigabitEthernet0/1.2
 vlan 2
 nameif DMZ2
 security-level 50
 ip address 2.2.2.1 255.255.255.0
interface GigabitEthernet0/1.3
 vlan 3
 nameif DMZ3
 security-level 50
 ip address 3.3.3.1 255.255.255.0
interface GigabitEthernet0/1.4
 vlan 4
 nameif DMZ4
 security-level 50
 ip address 4.4.4.1 255.255.255.0
interface GigabitEthernet0/1.5
 vlan 5
 nameif DMZ5
 security-level 50
 ip address 5.5.5.1 255.255.255.0
no same-security-traffic permit inter-interface --> equal-security DMZs stay isolated unless an ACL allows it
global (outside) 1 interface
nat (DMZ2) 1 2.2.2.0 255.255.255.0
nat (DMZ3) 1 3.3.3.0 255.255.255.0
nat (DMZ4) 1 4.4.4.0 255.255.255.0
nat (DMZ5) 1 5.5.5.0 255.255.255.0
Switch:
vlan database
 vtp transparent
 vtp domain test_lab
 vtp password cisco
 vlan 2 name DMZ2_2.2.2.0/24
 vlan 3 name DMZ3_3.3.3.0/24
 vlan 4 name DMZ4_4.4.4.0/24
 vlan 5 name DMZ5_5.5.5.0/24
 etc....
interface GigabitEthernet0/48
 description trunk_connection_ASA_Gi0/1
 speed auto
 switchport trunk encapsulation dot1q --> set the encapsulation before "switchport mode trunk"
 switchport mode trunk
 switchport trunk allowed vlan 2,3,4,5
 no shutdown
interface FastEthernet0/1
 description DMZ2_VendorA_ip_2.2.2.20
 speed 100
 duplex full
 switchport mode access
 switchport access vlan 2
 no shutdown
interface FastEthernet0/2
 description DMZ3_VendorB_ip_3.3.3.40
 speed 100
 duplex full
 switchport mode access
 switchport access vlan 3
 no shutdown
etc...
Refer to this link on how to use subinterfaces:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html
Refer to this link for ASA 5540 specifications:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
If you have any other questions please let us know.
Rgds
Jorge
Rate any posts that are helpful to you.
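To check a design like the one above before typing it in, here is an added Python example (it is not Jorge's configuration and not a Cisco tool) that models the one-trunk, one-subinterface-per-DMZ layout from the post, emits both the ASA side (pre-8.3 NAT syntax, as in the thread) and the Catalyst side, and flags the mistakes that creep into hand-written versions: a VLAN or subinterface number reused for two DMZs, a subnet written with host bits set, overlapping subnets, a VLAN missing from the trunk's allowed list, or more DMZs than the 200 VLANs the post quotes for the 5540. It generalizes from the four DMZs shown to the 16 the question asks about. The interface names (GigabitEthernet0/1, Gi0/48, FastEthernet0/1) and both sample DMZ lists are assumptions constructed for illustration.

```python
"""Model the 'one trunk, many DMZ subinterfaces' design from the thread.

Added example, not Jorge's configuration: each DMZ is one 802.1Q VLAN, one ASA
subinterface numbered after that VLAN, and one subnet whose first host is the
ASA. Interface names (GigabitEthernet0/1, Gi0/48, Fa0/1) are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Dmz:
    vlan: int              # 802.1Q tag; also used as the subinterface number
    name: str              # ASA nameif
    subnet: str            # network in CIDR form, e.g. "2.2.2.0/24"
    security_level: int = 50


# Constructed sample: the four DMZs used in the thread's example.
DMZS = [Dmz(2, "DMZ2", "2.2.2.0/24"), Dmz(3, "DMZ3", "3.3.3.0/24"),
        Dmz(4, "DMZ4", "4.4.4.0/24"), Dmz(5, "DMZ5", "5.5.5.0/24")]
# Constructed sample that reuses VLAN/subinterface 4 for the fifth DMZ.
BROKEN = DMZS[:3] + [Dmz(4, "DMZ5", "5.5.5.0/24")]


def check(dmzs, allowed_vlans=None, max_vlans=200):
    """Return a list of problems; empty means the design is consistent.
    max_vlans defaults to the 200-VLAN figure the thread quotes for the 5540;
    allowed_vlans, if given, is the set carried on the switch trunk."""
    problems, vlan_owner, names, nets = [], {}, set(), []
    if len(dmzs) > max_vlans:
        problems.append(f"{len(dmzs)} DMZs exceeds the {max_vlans}-VLAN limit")
    for d in dmzs:
        if not 2 <= d.vlan <= 4094:   # VLAN 1 is the default VLAN; keep DMZs off it
            problems.append(f"{d.name}: VLAN {d.vlan} is reserved or out of range")
        if d.vlan in vlan_owner:
            problems.append(f"{d.name}: VLAN {d.vlan} already used by {vlan_owner[d.vlan]}")
        vlan_owner.setdefault(d.vlan, d.name)
        if d.name in names:
            problems.append(f"duplicate nameif {d.name}")
        names.add(d.name)
        if allowed_vlans is not None and d.vlan not in allowed_vlans:
            problems.append(f"{d.name}: VLAN {d.vlan} not allowed on the switch trunk")
        try:
            net = ipaddress.ip_network(d.subnet, strict=True)  # rejects "5.5.5.5/24"
        except ValueError as exc:
            problems.append(f"{d.name}: bad subnet ({exc})")
            continue
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{d.name}: {net} overlaps {other_name} {other}")
        nets.append((d.name, net))
    return problems


def asa_config(dmzs, trunk="GigabitEthernet0/1", media="sfp", outside="outside"):
    """Pre-8.3 ASA syntax, as in the thread: the physical port carries no
    nameif/IP of its own; every DMZ gets a subinterface and a PAT entry."""
    lines = [f"interface {trunk}", f" media-type {media}", " speed nonegotiate",
             " no nameif", " no security-level", " no ip address", " no shutdown"]
    for d in dmzs:
        net = ipaddress.ip_network(d.subnet)
        lines += [f"interface {trunk}.{d.vlan}", f" vlan {d.vlan}", f" nameif {d.name}",
                  f" security-level {d.security_level}",
                  f" ip address {net[1]} {net.netmask}"]
    # Equal security levels plus this command: DMZs only talk via explicit ACLs.
    lines.append("no same-security-traffic permit inter-interface")
    lines.append(f"global ({outside}) 1 interface")   # PAT to the outside address
    for d in dmzs:
        net = ipaddress.ip_network(d.subnet)
        lines.append(f"nat ({d.name}) 1 {net.network_address} {net.netmask}")
    return lines


def switch_config(dmzs, trunk_port="GigabitEthernet0/48", hosts=()):
    """Catalyst side: VLANs, the dot1q trunk to the ASA, and access ports.
    hosts is a sequence of (port, vlan, description) tuples."""
    lines = ["vtp mode transparent"]
    for d in dmzs:
        lines += [f"vlan {d.vlan}", f" name {d.name}_{d.subnet}"]
    allowed = ",".join(str(d.vlan) for d in dmzs)
    lines += [f"interface {trunk_port}", " description trunk_to_ASA",
              " switchport trunk encapsulation dot1q", " switchport mode trunk",
              f" switchport trunk allowed vlan {allowed}", " switchport nonegotiate"]
    for port, vlan, desc in hosts:
        lines += [f"interface {port}", f" description {desc}", " switchport mode access",
                  f" switchport access vlan {vlan}", " no shutdown"]
    return lines


if __name__ == "__main__":
    for problem in check(BROKEN):
        print("BROKEN:", problem)
    print("\n".join(asa_config(DMZS)))
    print("\n".join(switch_config(DMZS, hosts=[("FastEthernet0/1", 2, "DMZ2_vendorA")])))
```

Running it reports that the BROKEN list gives DMZ5 a VLAN already owned by DMZ4, then prints both configurations for the clean list. The generated ASA side keeps every DMZ at security level 50 together with no same-security-traffic permit inter-interface, so two DMZs can only reach each other through an access list you write deliberately, and the trunk's allowed-VLAN list is derived from the same DMZ list rather than typed separately, which is where the "VLAN not allowed on the switch trunk" class of mistake usually comes from.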
01-29-2008 01:37 PM
Very complete and useful info.
Thanks Jorge