Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA Physical DMZ vs. DMZ "Layer" upstream...

I have seen two ways to deploy DMZ's. One has an interface off the ASA become a DMZ and then you configure all the associated rules, NAT etc for traffic flow, inside to DMZ and DMZ to inside.

I have also see ASA's deployed with a simple Inside and Outside port arrangement with a DMZ layer present just inside the ASA inside interface and then another firewall (ASA or FWSM) upstream from that. Is one better than the other, or, more recommendable than the other?

The DMZ services in this case can be considered to be, email server, web portal, in-line IDS.


Re: ASA Physical DMZ vs. DMZ "Layer" upstream...

You are referring to the ROuted & Transparent mode of Firewalling.

See the following Link for more details

HTH - Please Rate if it helps

New Member

Re: ASA Physical DMZ vs. DMZ "Layer" upstream...

No, this isn't what I am referring to. I simply asking if having a dmz vlan and an inside vlan from the same ASA running through the same phsycial switch (logical separation vs. physical separation) is viewed as a best practice?

It used to be viewed as a not optimal solution because you are one command in the switch away from having your dmz lan linked directly to your inside secure network, completely bypassing the firewall.


Re: ASA Physical DMZ vs. DMZ "Layer" upstream...

I've never seen anything suggesting one way is better than the other. But if i'm reading correctly, it sounds like in the second scenario, the dmz is 'inline' with all inbound data. personally, i wouldn't want all inbound/outbound traffic passing through a dmz.

New Member

Re: ASA Physical DMZ vs. DMZ "Layer" upstream...

I can understand that alright. Sort of why I'm asking. Though, in this layered approach there is typically another layer of firewall that separates the inbound traffic from the DMZ traffic. The DMZ traffic is inline with the inbound data prior to the first front-line firewall in any case...that first firewall serving as a first layer of defense for access-list acceptance and deep inspection.