Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

DMZ to ASA to CORE routing changes

I am changing the way Vlans access the CORE network.

 

Currently: The ASA interfaces connect to the DMZ switch stack via trunks. The DMZ switch stack has a trunk to the CORE Network

Several of the sub-interface Vlan(s) on the ASA do not get trunked to the Core.

There are other Vlans on the DMZ switch stack, that are not on the ASA that do get trunked to the core.

 

See diagram_1

 

 

The new way will be to connect any of the Vlans that were trunked to the CORE will now go thru the ASA Inside and DMZ interfaces directly to the CORE.

See Diagram_2

 

I am trying to figure out how to configure the ASA and the DMZ switch to make that happen.

sMc
1 REPLY
New Member

  To possibly refine the

  

To possibly refine the above scenario

The goal: Any vlan that is currently being trunked to Core will now have to pass through the ASA, which will connect to Core.
        Protecting Core behind ASA seems best practice.  


Topology: WAN router connects to DMZ switch. On the DMZ switch there are:

                 TRUNK To CORE passing (8) vlans

                        (2) Vlans have SVI on CORE
                (Server and Netwk Mgmnt)

                        (2) Vlans have an SVI on the DMZ switch & and SVI on the ASA
                (Inside and BP_1)

                        (2) other Vlans have SVI on ASA
                (Internal DMZ and BP_2)

            (2) Vlans have no SVI to be found. Could be Business Partners using L2 across DMZ switch to Core.


The ASA has (4) interface
    0 - OUTSIDE
    1 - INSIDE
    2 - DMZ Trunks (has 6 subinterfaces/vlans. BP_1 lives here and is the Only 1 of these vlans to get trunked to Core)
    3 - InternalDMZ and BP_2

            
The Server and Netwk Mgmnt Vlans have the SVI on the Core.
    How can I get these to pass throught the ASA.
        Create sub-int on ASA for this Vlan
        This means I would have to change the default gateway on the Servers on the DMZ to the ASA sun int.

Anyone have any guidance on this issue?

sMc
250
Views
0
Helpful
1
Replies
CreatePlease to create content