ASA 5520 with three interfaces - inside, outside, and now newly created DMZ - all physical interfaces on the FW
The inside interface is connected directly to a layer 2 switch, with the switch port set as an access port for a specific VLAN, 601.
This layer 2 switch has a trunk port set up over to a layer 3 6509 switch where all the VLANs are defined and the SVIs are configured, and inter-VLAN routing is working between about 7 or 8 internal VLANs.
I've created the new DMZ physical interface and brought it up with an IP and subnet.
I've cabled this port over to the layer 2 switch where the new DMZ VLAN has been created, and I set the switchport to that VLAN as an access port.
I know the new DMZ VLAN is being allowed over the trunk to the layer 3 6509 switch.
I have created the VLAN on the 6509 switch as well (we don't use VTP).
Set a switchport on the 6509 as an access port and attached a PC with IP settings, including setting the GW to 172.16.15.1, which is the DMZ interface IP.
What would be some ideas for finishing the config so the routing works as intended and security contexts are maintained?
You don't want the DMZ VLAN to be allowed on the trunk link to the 6500; only the inside VLAN should be allowed on that trunk.
The 6500 does not need the VLAN in its VLAN database, and you certainly wouldn't want an SVI for it, as it would route straight to the DMZ without going via the inside and vice versa, which, if you are hosting services in the DMZ, would be a very bad idea.
All the 6500 needs to be able to do is route to the DMZ, and if you already have internet I assume there is a default route on the 6500 pointing to the ASA inside interface, so you won't need an additional route.
In terms of finishing it off, it all depends what you are putting in the DMZ, who needs access to it and what access the DMZ devices need, so it's a bit difficult to say without knowing further details.
Edit - Couple of other points -
1) If the only reason for a trunk between the 6500 and 2960 is for the inside and DMZ VLANs, then you do not need a trunk; it could just be an access port in the VLAN used for the 6500 to ASA inside interface. However, you may need another VLAN if you use a separate management VLAN for your switches.
2) I'm assuming you have enough ports on the 2960 switch for all the DMZ devices. If you don't, then yes, you could run the VLAN back to the 6500, although you wouldn't configure an SVI, but this would not be ideal, i.e. for a device inside to get to a DMZ device it would go -
PC -> 6500 -> trunk link -> 2960 -> inside ASA -> dmz -> 2960 -> trunk link -> 6500 -> dmz device
Okay, I can understand why you need to do that now.
Thinking I need a static route now defined on the 6509 to the interface of the DMZ on the FW, and a route on the FW back?
The route for the DMZ subnet would point to the inside interface of the ASA, not the DMZ interface. It has to, because you do not have an SVI for the DMZ subnet on the 6500 (and you shouldn't), so it can't route direct to the DMZ. I'm assuming you wouldn't want this anyway, i.e. routing directly both ways between the 6500 and the DMZ without going via the firewall.
Whether or not you actually need a route on the 6500 depends on your current routes. If you had a default route pointing to the inside interface of the ASA anyway for internet, then that would also take care of the new DMZ subnet. If you don't, then yes, you would probably need a route as described above.
In terms of a return route, again it depends. If the ASA is already being used for internet, again routes should already be in place on the ASA for all the internal subnets. If not, then yes, the ASA would need to have routes for the internal subnets so that communication would work between the internal subnets and the DMZ subnet.
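Putting the two answers above together as one configuration set. This is an added example, not config posted by anyone in the thread: it follows the recommended design (DMZ hosts on the 2960, DMZ VLAN kept off the trunk, no DMZ SVI on the 6500, 6500 reaches the DMZ only through the ASA inside interface). The DMZ VLAN number (602), the ASA port names, the inside subnet (10.1.1.0/24 with 10.1.1.1 on the ASA and 10.1.1.2 on the 6500), the internal summary 10.0.0.0/8, the DNS server address and the /24 on the DMZ are all assumptions chosen for illustration; only VLAN 601 and the DMZ interface address 172.16.15.1 come from the thread.

```cisco
! ===== 2960 (layer 2) =====
vlan 601
 name INSIDE
vlan 602
 name DMZ            ! assumed VLAN number for the DMZ
!
interface GigabitEthernet0/1
 description ASA inside
 switchport mode access
 switchport access vlan 601
!
interface GigabitEthernet0/2
 description ASA dmz
 switchport mode access
 switchport access vlan 602
!
interface GigabitEthernet0/3
 description DMZ host (all DMZ hosts land on this switch, not the 6500)
 switchport mode access
 switchport access vlan 602
 spanning-tree portfast
!
interface GigabitEthernet0/24
 description uplink to 6509
 switchport mode trunk
 switchport trunk allowed vlan 601     ! DMZ VLAN deliberately not allowed
!
! ===== 6509 (layer 3) =====
! No "vlan 602" and no "interface Vlan602" here: an SVI would bypass the ASA.
interface GigabitEthernet1/1
 description trunk to 2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 601
!
interface Vlan601
 ip address 10.1.1.2 255.255.255.0     ! assumed; 6500 side of the inside VLAN
!
! Only needed if there is no default route towards the ASA already.
! Next hop is the ASA INSIDE address, never the DMZ address.
ip route 172.16.15.0 255.255.255.0 10.1.1.1
!
! ===== ASA 5520 =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0     ! assumed
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50                      ! lower than inside, higher than outside
 ip address 172.16.15.1 255.255.255.0  ! address from the thread; mask assumed
 no shutdown
!
! Return routes: only needed if the ASA does not already know the internal
! subnets. Points back at the 6500's inside-VLAN address.
route inside 10.0.0.0 255.0.0.0 10.1.1.2
!
! DMZ egress policy: with security-level 50 the DMZ could otherwise initiate
! to any lower-security network. Allow only what the DMZ hosts need inbound
! to the firewall on the dmz interface, deny the rest of the internal space.
access-list DMZ_IN extended permit udp 172.16.15.0 255.255.255.0 host 10.1.1.53 eq domain
access-list DMZ_IN extended deny ip 172.16.15.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ_IN extended permit ip 172.16.15.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! ===== Verification =====
! 2960 / 6509:
!   show interfaces trunk              -> 602 must NOT appear on the uplink
!   show vlan brief                    -> Gi0/2 and Gi0/3 in 602 on the 2960
!   show mac address-table vlan 602    -> ASA dmz MAC learned on Gi0/2
!   show ip route 172.16.15.0          -> 6509 next hop is 10.1.1.1
! ASA:
!   show interface dmz                 -> up/up, correct IP
!   show route                         -> inside routes present
!   show arp                           -> DMZ host MAC seen on dmz
!   packet-tracer input inside tcp 10.1.1.50 12345 172.16.15.10 80
!   packet-tracer input dmz tcp 172.16.15.10 12345 10.1.1.50 445
```

Inside-to-DMZ traffic is allowed by default because inside (100) is a higher security level than dmz (50), unless an ACL is already applied inbound on inside, in which case it needs an entry for the DMZ subnet. One version-dependent caveat: if the ASA has `nat-control` enabled (pre-8.3 images), or an existing NAT policy that catches inside-to-DMZ traffic, a NAT exemption (`nat (inside) 0 access-list ...` on 8.2 and earlier, identity NAT on 8.3 and later) is also required or the flow will be dropped; `packet-tracer` shows which phase drops it. The two `packet-tracer` lines, run from the ASA, are the quickest way to confirm both the routing and the policy in each direction before touching the hosts.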
VLAN needs to be created and defined on FW then? Usually this is done on our Catalyst 6509 which is why I'm a little confused. Only thing that has been done on FW is INT created/configured and enabled.
Right now host is configured with IP address in vlan, GW & subnet properly defined, vlan created on both switches, and vlan being trunked between switches. Cannot ping DMZ INT from host connected to the 6509.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...