
Creating a DMZ on ASA

We have an existing ASA on which we want to configure a DMZ. A secure FTP server with a public IP will be connected to the DMZ.

Is the configuration as simple as,

1. Configure the new interface with security level,

2. enable routing statement,

3. enable access list to allow traffic to the FTP server.

Employees on the LAN and others would access the FTP through the Internet. NAT is presently done by the outside int. of ASA.

Would configuring the DMZ affect production/network connectivity?

Thanks.

Said

3 REPLIES

Re: Creating a DMZ on ASA

Said,

I do not see a reason for network interruption from configuring a new interface for your DMZ network; however, it is good practice to make major FW changes during non-production hours.

You may want to reference these two links, which resemble your scenario and requirements.

FTP - ASA firewalls

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

DMZ config scenario

http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/dmz.html

HTH

Jorge


Re: Creating a DMZ on ASA

Jorge,

Thank you.

Said

Re: Creating a DMZ on ASA

Said, you are welcome.

I also want to provide additional information regarding the creation of another interface. I should have added in my previous post that, in the scenario where you have a physical interface and want to split it using 802.1q into several logical interfaces, with one logical interface being your new DMZ network, and that interface is, for example, your inside interface or any other interface in production, you may have network disruption during the creation of trunking and other required initial configuration.

Now, if you have a free physical interface not bound to any configuration other than being dedicated to the DMZ network, there should not be network disruption in relation to other active interfaces.

HTH

Jorge
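
The two interface options described in the last reply, together with the inbound rule from step 3 of the question, sketched as an added example that is not from the thread or from the linked Cisco documents. Assumptions: an ASA model with routed physical ports, SFTP on TCP 22, documentation addresses (192.0.2.0/29), and placeholder interface numbers, VLAN ID and ACL name; NAT and routing statements are left out because they depend on the existing configuration and software version.

```cisco
! Constructed example. Addresses, interface numbers, VLAN ID and
! ACL name are placeholders. Use option A or option B, not both.
!
! Option A: free physical port dedicated to the DMZ.
! No interface that is already in production is touched.
interface Ethernet0/2
 description DMZ - secure FTP server
 nameif dmz
 ! Between outside (0) and inside (100)
 security-level 50
 ip address 192.0.2.1 255.255.255.248
 no shutdown
!
! Option B: 802.1Q subinterface on a port that is already in use.
! The switch port facing Ethernet0/1 has to be converted to a trunk
! carrying VLAN 20. Changing a live port this way is what can
! interrupt the network already running on it.
interface Ethernet0/1.20
 description DMZ - secure FTP server
 vlan 20
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.248
!
! Inbound rule: permit only the file-transfer port to the server.
! TCP 22 assumes SFTP; FTPS uses different ports.
access-list outside_access_in extended permit tcp any host 192.0.2.2 eq 22
!
! Needed only if no ACL is bound to outside yet. An interface takes
! one ACL per direction, so binding a new name replaces the one in
! place. If an ACL is already bound, add the permit line to it.
access-group outside_access_in in interface outside
```

Checking `show running-config access-group` before the change shows whether an ACL is already bound to the outside interface.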
