02-02-2012 10:36 PM - edited 03-11-2019 03:23 PM
Hi,
I wanted to know how to create two DMZs with different networks, 10.0.1.0 and 10.0.2.0.
Also, I want to know how the inside interface can have access to them.
Thanks
Harold
02-03-2012 01:22 AM
Harold,
What hardware are you using for this?
Andy.
02-03-2012 02:36 AM
subinterface and do.
02-03-2012 08:01 AM
I'm using a Cisco 5505. The software is version 8.2.
Sent from my iPad
02-03-2012 01:51 PM
Hello,
If you have the base license you will not be able to do it (you will need to get the Security Plus license).
Just in case you have the Security Plus license:
interface vlan 3
 nameif dmz1
 security-level 50
 ip address 10.0.1.1 255.255.255.0
 no shutdown
interface ethernet 0/3
 switchport access vlan 3
interface vlan 4
 nameif dmz2
 security-level 50
 ip address 10.0.2.1 255.255.255.0
 no shutdown
interface ethernet 0/4
 switchport access vlan 4
The inside interface or VLAN usually has a security level of 100, so you do not need any ACL to allow the communication; all you need is
nat (inside) 1 0 0
global (dmz1) 1 interface
global (dmz2) 1 interface
Do Rate all the helpful posts!!!
Julio
02-06-2012 08:53 AM
Thank you for the info. I appreciate it. I will try this config and will let you know.
02-06-2012 09:40 AM
If you set both interfaces to the same security level they will not be able to communicate by default. You can change this with a configuration command. So if those 2 interfaces are NOT to communicate, the configuration that jcarva suggested would be an easy solution.
02-06-2012 09:41 AM
Thank you. I appreciate it. I will try this and will let you know.
02-06-2012 09:42 AM
Hello Harold,
Sure, just let me know. I will be more than glad to help and follow up on this ticket.
Regards,
Julio
Do rate all the helpful posts!!!
02-06-2012 07:00 PM
Hi,
I have tried it but still cannot access it from the Internet. Would you know how the users can access DMZ1 using SFTP, and DMZ2 using port 80?
My outside interface IP is 12.0.12.84.
Thanks
02-06-2012 09:24 PM
Hello,
So you are running a security plus license!
Ok, let's say they need to access a DMZ2 web server with IP address 192.168.12.2
and DMZ1 with an SFTP server with the IP of 192.168.13.2.
So you will receive inbound connections from the outside:
static (dmz2,outside) tcp 12.0.12.84 80 192.168.12.2 80
static (dmz1,outside) tcp 12.0.12.84 222 192.168.13.2 22
access-list outside_in permit tcp any host 12.0.12.84 eq 80
access-list outside_in permit tcp any host 12.0.12.84 eq 222
access-group outside_in in interface outside
Regards,
Julio
Do rate all helpful posts
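The two behaviours discussed in this thread (an interface ACL plus a static port translation for inbound connections from the outside, and security levels deciding inside-to-DMZ and DMZ-to-DMZ traffic when no ACL is applied) can be sanity-checked against a small policy model before touching the firewall. The Python below is an added example, not part of this thread and not a Cisco tool; it hard-codes the thread's interface names and security levels, the DMZ host addresses and outside IP from the post above, assumes a 192.168.1.0/24 inside LAN (constructed), and simplifies the ASA 8.2 evaluation order to: untranslate against statics, check the ingress interface ACL if one exists, otherwise compare security levels.

```python
"""Policy model for the two-DMZ ASA 8.2 design discussed in this thread.

Constructed example: the interface names, security levels, static PAT entries
and outside_in ACL mirror the thread; the inside subnet is assumed. The
evaluation logic is a simplification of ASA behaviour, not the real engine.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    """static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port"""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass(frozen=True)
class Ace:
    """access-list NAME permit tcp any host dst_ip eq dst_port"""
    dst_ip: str
    dst_port: int


# Security levels as posted: inside 100, both DMZs 50, outside 0 (default).
SECURITY_LEVEL = {"outside": 0, "inside": 100, "dmz1": 50, "dmz2": 50}

# Which interface a destination is reached through; anything else goes to outside.
ROUTES = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),   # assumed inside LAN
    "dmz1": ipaddress.ip_network("192.168.13.0/24"),    # SFTP server subnet
    "dmz2": ipaddress.ip_network("192.168.12.0/24"),    # web server subnet
}

# The two statics and the outside_in ACL from the post above.
STATICS = [
    Static("dmz2", "outside", "12.0.12.84", 80, "192.168.12.2", 80),
    Static("dmz1", "outside", "12.0.12.84", 222, "192.168.13.2", 22),
]
# In 8.2 the interface ACL matches the mapped (public) address, not the real one.
ACLS = {"outside": [Ace("12.0.12.84", 80), Ace("12.0.12.84", 222)]}


def egress_interface(ip: str) -> str:
    """Pick the interface that owns the destination subnet; default route is outside."""
    addr = ipaddress.ip_address(ip)
    for name, net in ROUTES.items():
        if addr in net:
            return name
    return "outside"


def evaluate(src_ifc: str, dst_ip: str, dst_port: int,
             same_security_inter: bool = False) -> tuple:
    """Decide a new TCP connection arriving on src_ifc toward dst_ip:dst_port.

    same_security_inter models 'same-security-traffic permit inter-interface'.
    Returns (verdict, reason).
    """
    # 1. Untranslate: look for a static whose mapped side is the ingress interface.
    real_ip, real_port, egress = dst_ip, dst_port, None
    for s in STATICS:
        if (s.mapped_ifc, s.mapped_ip, s.mapped_port) == (src_ifc, dst_ip, dst_port):
            real_ip, real_port, egress = s.real_ip, s.real_port, s.real_ifc
            break
    if egress is None:
        if src_ifc == "outside":
            return ("deny", "no static translation for this outside address/port")
        egress = egress_interface(dst_ip)
    if egress == src_ifc:
        return ("deny", "destination is on the ingress interface")

    # 2. An ACL applied inbound on the ingress interface overrides security levels.
    acl = ACLS.get(src_ifc)
    if acl is not None:
        if not any(a.dst_ip == dst_ip and a.dst_port == dst_port for a in acl):
            return ("deny", f"no matching ACE in the {src_ifc} ACL")
        return ("permit", f"translated to {real_ip}:{real_port} on {egress}")

    # 3. No ACL: security levels decide (nat/global covers the translation).
    s_in, s_out = SECURITY_LEVEL[src_ifc], SECURITY_LEVEL[egress]
    if s_in > s_out:
        return ("permit", f"higher ({s_in}) to lower ({s_out}) security")
    if s_in == s_out and same_security_inter:
        return ("permit", "same-security-traffic permit inter-interface")
    if s_in == s_out:
        return ("deny", "equal security levels without same-security-traffic permit inter-interface")
    return ("deny", f"lower ({s_in}) to higher ({s_out}) security without an ACL")


if __name__ == "__main__":
    checks = [
        ("outside", "12.0.12.84", 80), ("outside", "12.0.12.84", 222),
        ("outside", "12.0.12.84", 22), ("inside", "192.168.13.2", 22),
        ("dmz1", "192.168.12.2", 80), ("dmz2", "192.168.1.10", 445),
    ]
    for src, ip, port in checks:
        print(f"{src:8} -> {ip}:{port:<4} {evaluate(src, ip, port)}")
```

Running it shows why the answer to the port question below is 22 on the server but 222 on the outside: a client that connects to 12.0.12.84:22 hits no static and is dropped, while 12.0.12.84:222 is translated to 192.168.13.2:22 on dmz1. It also shows the point made earlier in the thread: dmz1 cannot reach dmz2 while both sit at level 50 unless `same-security-traffic permit inter-interface` is added, and the inside network reaches both DMZs without any ACL.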
02-06-2012 09:26 PM
Thank you.. I will try this. I appreciate it.
02-06-2012 09:28 PM
Quick question: is the SFTP port number 222 or 22?
Yes, I'm using a Security Plus license. Thank you.
02-06-2012 09:53 PM
Hello,
It uses port 22!
Do rate all the helpful posts!!!
Julio
02-09-2012 07:44 PM
It works well. Thanks.