Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA 5505: expanding a DMZ with a VLAN

Hi all. Here is my situation. On our ASA 5505 We have a DMZ configured to use 2 ports, which are used by the mail and Web servers. So far everything works perfectly and this router has been very stable. Now I need to add more ports in order to accomodate prototype Web servers in the DMZ, but no more ports available on the Cisco. Looking through the ASDM though I noticed the DMZ seems to be configured as "VLAN 5", sure enough with VLAN ID 5. So I tried creating a VLAN with ID 5 in my ProCurve switch, isolated from other VLANs. My theory being that plugging on of the the router's DMZ interfaced onto this VLAN would allow me to add my test servers. Well, this seems to work, but for only a very short time. I can get the landing page from my test server to display, and then everything slows down to a crawl and communication seems to be blocked. Out of curiosity, I tried to put my prod server and email server on the VLAN, together and separately, but the same thing happens. At first, I can ping the machines, then after a few request, everything stops responding. I obviously got something wrong but after sifting through every configuration I am still back to square one. Does anyone have a suggestion?

Everyone's tags (4)
1 REPLY
New Member

ASA 5505: expanding a DMZ with a VLAN

Hi,

Sounds like you could be creating a loop ?   Does the switch already connect to any of the other ports on the ASA, specially in the same VLAN ?

As far as I know the ASA5505 doesn't support spanning tree, so I'd assume the network would become unstable if a loop exists.

Easiest way to test this is to connect a complete stand alone switch to one of your interfaces on the the ASA and see if you get the same problem. My assumption is you won't.

You can definately connect a switch to one of the ports to expand the port capacity, obviously sharing the bandwidth of the single port.

Hope it helps..

David

937
Views
0
Helpful
1
Replies
CreatePlease to create content