Connect ASA to VLAN switch for a DMZ?

jamesgonzo · ‎02-03-2008

Hi, I have a ASA 5520 and a Cisco 3560 switch. I want to create a couple of DMZ/VLANs on the switch to house some web servers on one and the other will be for testing. I have created the 2 vlans (I think) on the switch:

VLAN2 = IP 172.16.1.1/24

VLAN3 = IP 172.16.2.1/24

VLAN1 seems to be the global VLAN for the switch or something else, am I right?

I have connect port 1 on the switch to 0/2 on the ASA. I will add the routes on the LAN to point to the ASA for these 2 networks, but what else do I need to do? Do I have to trunk the 2 and tell the ASA about these 2 VLAN's somehow?

Thanks

Fernando_Meza · ‎02-03-2008

Hi ..

Yes you need to configure a trunk between the port connected to the 0/2 port on the ASA and the switch. The port on the ASA needs to be configured with virtual interfaces. For example you will need to use the command

interface gigabitethernet 0/2.2

vlan 2

no shut

ip address x.x.x.x

interface gigabitethernet 0/2.3

vlan 3

no shut

ip address x.x.x.x

The above will create a trunk on gigabitethernet 0/2 for VLANs 2 and 3. You also need to allocate an IP address, name and security level to each subinterface. The following link might give you an idea.

I hope it helps .. please rate it if it does !!!

http://cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

http://cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html

jamesgonzo · ‎02-07-2008

Thanks, just picked this up. What would I need to do on the trunk port on the switch side?

ptenggren · ‎02-11-2008

switchport trunk encapsulation dot1q

switchport mode trunk