Cisco Support Community

New Member

ASA configuration with 2 DMZ


Please see the attached network diagram. We have recently bought 2 ASAs, model 5520. The first ASA is connected to the internet by a 2800 series router. The first ASA has got 2 DMZs and each DMZ has 2 servers. The servers are our application servers and a database server and two Test servers. We have got six usable public IP addresses for our use. We want authenticated users from outside to access the application and database servers using VPN.

The second ASA server is on the internal side of the network and is attached to the internal network using a 2800 router. The internal users will be restricted from accessing the servers located in DMZ1. We will use access lists based on MAC addresses to allow some users to access the DMZ1 from the internal network. Can we use MAC address filtering?

How do I configure the scenario? Can somebody guide me or show me an example of a near similar configuration?

Thanks in advance

New Member

Re: ASA configuration with 2 DMZ

I suppose you want outside users using VPN to access your servers in the DMZ. Yes, you can do this using either SSL VPN or IPsec VPN. SSL VPN only needs the outside user to have a browser and will automatically download a VPN shell. IPsec VPN needs the user to install the Cisco VPN client.

I think you cannot set an access-list based on source MAC. MAC ACLs only work in a layer 2 environment, so the source MAC address is not kept in the IP packet after being routed by a router; the source MAC will be replaced by the router's MAC. The IP address will stay the same through the whole process.

New Member

Re: ASA configuration with 2 DMZ

Hi rico,

Thanks for the response. Can you check my running config attachment and see whether users can access my servers located in the DMZ? I will have a web server and an Oracle server in the DMZ. Do I need to give all these servers in the DMZ (4 servers in total) static IPs, or can I use NAT to access these servers?

Also, can you please tell me how the router should be configured to allow access to the ASA?

interface GigabitEthernet0/0
 description Connected to Router
 nameif Outside
 security-level 0
 ip address 217.x.x.186

interface GigabitEthernet0/1
 description Connected to LAN
 nameif Inside
 security-level 100
 ip address

interface GigabitEthernet0/2
 description Connected to DMZ1
 nameif DMZ1
 security-level 50
 ip address

interface GigabitEthernet0/3
 description Connected to DMZ2
 nameif DMZ2
 security-level 50
 ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list DMZ1_access_in remark HTTP Access to DMZ1 Server1
access-list DMZ1_access_in extended permit tcp any eq www host eq www
access-list DMZ2_access_in extended permit tcp any eq www host eq www
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ1 1500
mtu DMZ2 1500
mtu management 1500
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
static (DMZ1,DMZ1) netmask
access-group DMZ1_access_in in interface DMZ1
access-group DMZ2_access_in in interface DMZ2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd enable management
prompt hostname context
: end
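The following is an added example of the DMZ and NAT part of the scenario discussed in this thread; it is not any poster's configuration. It uses pre-8.3 ASA NAT syntax to match the asdm521 image in the posted config. Every address is a constructed placeholder (203.0.113.0/29 stands in for the six public IPs, 10.10.1.0/24 for DMZ1, 10.10.2.0/24 for DMZ2, 192.168.1.0/24 for the inside LAN), the server and admin host addresses are assumed, and the remote-access VPN configuration is deliberately left out. It shows how DMZ servers keep private addresses and are published with static NAT, how inside-to-DMZ traffic is exempted from translation, and how access from the inside to DMZ1 is restricted by source IP address rather than MAC address, since the MAC is rewritten at every routed hop.

```cisco
! Added example, not from the thread. Addresses are constructed placeholders.
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ1
 security-level 50
 ip address 10.10.1.1 255.255.255.0
interface GigabitEthernet0/3
 nameif DMZ2
 security-level 40
 ip address 10.10.2.1 255.255.255.0
!
! DMZ servers keep private addresses. Only the web server (assumed 10.10.1.10)
! is published, on one of the public addresses; the database server is not
! reachable from the Internet at all.
static (DMZ1,Outside) 203.0.113.3 10.10.1.10 netmask 255.255.255.255
!
! Inside -> DMZ traffic is exempted from NAT (nat 0 is checked before nat 1),
! so inside hosts reach the DMZ servers by their real addresses.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (Inside) 0 access-list NONAT
!
! Everything else from the private segments is PATed behind the Outside address.
global (Outside) 1 interface
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (DMZ1) 1 10.10.1.0 255.255.255.0
nat (DMZ2) 1 10.10.2.0 255.255.255.0
!
! Internet -> DMZ1: only HTTP to the published web server. The port is matched
! on the destination; a source-port match such as "any eq www" would only
! permit clients that happen to connect from port 80.
access-list Outside_access_in extended permit tcp any host 203.0.113.3 eq www
access-group Outside_access_in in interface Outside
!
! Inside -> DMZ1: only the listed admin hosts, identified by IP address
! (assumed 192.168.1.50 and .51). All other inside hosts are denied to DMZ1
! but may still reach the Internet.
object-group network DMZ1_ADMINS
 network-object host 192.168.1.50
 network-object host 192.168.1.51
access-list Inside_access_in extended permit ip object-group DMZ1_ADMINS 10.10.1.0 255.255.255.0
access-list Inside_access_in extended deny ip any 10.10.1.0 255.255.255.0
access-list Inside_access_in extended permit ip any any
access-group Inside_access_in in interface Inside
!
! DMZ hosts may reach the Internet but must not initiate connections inward.
access-list DMZ1_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ1_access_in extended permit ip any any
access-group DMZ1_access_in in interface DMZ1
access-list DMZ2_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ2_access_in extended permit ip any any
access-group DMZ2_access_in in interface DMZ2
```

DMZ2 is placed at security-level 40 rather than 50 so that the two DMZs are not treated as same-security interfaces; with both at 50, traffic between them would additionally require `same-security-traffic permit inter-interface`. The inside-to-DMZ1 restriction is enforced on the Inside interface ACL by source IP; restricting individual users more tightly than by address would need the ASA's VPN or cut-through authentication rather than MAC filtering.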


New Member

Re: ASA configuration with 2 DMZ

Honestly, I don't think you need two FWs to do what you want to do. I have a couple of questions:

1. How do you connect your inside 5520 to DMZ1 and DMZ2?

2. How do you connect the two FWs?