New Member

How to create 2 DMZs

Hi,

I wanted to know how to create two DMZs with different networks: 10.0.1.0 and 10.0.2.0.

Also, I want to know how the inside interface can have access to them.

Thanks

Harold

15 REPLIES
New Member

How to create 2 DMZs

Harold,

What hardware are you using for this?

Andy.

New Member

How to create 2 DMZs

subinterface and do.

New Member

Re: How to create 2 DMZs

I'm using Cisco 5505. The software is ver 8.2

Sent from my iPad

Re: How to create 2 DMZs

Hello,

If you have the base license you will not be able to do it (you will need to get the Security Plus license).

Just in case you have the security plus license

interface vlan 3
 nameif dmz1
 ip address 10.0.1.1 255.255.255.0
 no shutdown
 security-level 50

interface ethernet 0/3
 switchport access vlan 3

interface vlan 4
 nameif dmz2
 ip address 10.0.2.1 255.255.255.0
 no shutdown
 security-level 50

interface ethernet 0/4
 switchport access vlan 4

The inside interface or VLAN usually has a security level of 100, so you do not need any ACL to allow the communication. All you need is:

nat (inside) 1 0 0

global (dmz1) 1 interface

global (dmz2) 1 interface

Do Rate all the helpful posts!!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: How to create 2 DMZs

Thank you for the info. I appreciate it. I will try this config and will let you know.

Re: How to create 2 DMZs

If you set both interfaces as the same security level they will not be able to communicate by default. You can change this with a configuration command. So if those 2 interfaces are NOT to communicate, the configuration that jcarva suggested would be an easy solution.

New Member

Re: How to create 2 DMZs

Thank you. I appreciate it. I will try this and will let you know.

Re: How to create 2 DMZs

Hello Harold,

Sure, just let me know. I will be more than glad to help and follow up on this ticket.

Regards,

Julio

Do rate all the helpful posts!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: How to create 2 DMZs

Hi,

I tried it but still cannot access it from the Internet. Would you know how the users can access DMZ1 using the SFTP port, and DMZ2 using port 80?

My outside interface IP is 12.0.12.84

Thanks

Re: How to create 2 DMZs

Hello,

So you are running a security plus license!

OK, let's say they need to access a DMZ2 web server with IP address 192.168.12.2

and DMZ1 with an SFTP server with the IP of 192.168.13.2

So he will receive inbound connections from the outside:

! Web server on dmz2: outside port 80 -> 192.168.12.2 port 80
static (dmz2,outside) tcp 12.0.12.84 80 192.168.12.2 80

! SFTP server on dmz1: outside port 222 -> 192.168.13.2 port 22
static (dmz1,outside) tcp 12.0.12.84 222 192.168.13.2 22

! Permit the two published ports on the outside address
access-list outside_in permit tcp any host 12.0.12.84 eq 80

access-list outside_in permit tcp any host 12.0.12.84 eq 222

access-group outside_in in interface outside

Regards,

Julio

Do rate all helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
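
A consistency check for the kind of configuration in the reply above, as an added example that is not part of the original thread: it parses ASA 8.2-style `interface`, `static` and `access-list` lines and reports static PAT entries whose real address is not on the named interface's subnet, or whose mapped port has no matching permit. The sample config and the function name `audit` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in ASA 8.2 syntax; addresses are illustrative only.
SAMPLE = """\
interface Vlan3
 nameif dmz1
 security-level 50
 ip address 192.168.13.1 255.255.255.0
interface Vlan4
 nameif dmz2
 security-level 50
 ip address 192.168.12.1 255.255.255.0
static (dmz2,outside) tcp 12.0.12.84 80 192.168.12.2 80
static (dmz2,outside) tcp 12.0.12.84 222 192.168.13.2 22
static (dmz1,outside) tcp 12.0.12.84 8080 192.168.13.3 8080
access-list outside_in permit tcp any host 12.0.12.84 eq 80
access-list outside_in permit tcp any host 12.0.12.84 eq 222
"""

STATIC = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)")
PERMIT = re.compile(r"^access-list \S+ permit tcp any host (\S+) eq (\d+)")

def audit(config):
    """Return findings for static PAT lines that cannot work as written."""
    nets, permits, statics, nameif = {}, set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new stanza, name not yet known
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()[:4]
            nets[nameif] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif m := STATIC.match(line):
            statics.append(m.groups())
        elif m := PERMIT.match(line):
            # Before 8.3 the outside ACL matches the mapped (public) address.
            permits.add((m.group(1), int(m.group(2))))
    findings = []
    for real_if, _mapped_if, mapped_ip, mport, real_ip, _rport in statics:
        net = nets.get(real_if)
        if net is None or ipaddress.ip_address(real_ip) not in net:
            findings.append(f"{real_ip} is not on {real_if}")
        if (mapped_ip, int(mport)) not in permits:
            findings.append(f"no permit for {mapped_ip}:{mport}")
    return findings
```
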
New Member

Re: How to create 2 DMZs

Thank you.. I will try this. I appreciate it.

New Member

Re: How to create 2 DMZs

Quick question: is the SFTP protocol number 222 or 22 only?

Yes, I'm using a security plus license. Thank you.

Re: How to create 2 DMZs

Hello,

It uses port 22!

Do rate all the helpful posts!!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: How to create 2 DMZs

It works well. Thanks

Re: How to create 2 DMZs

Hello Harold,

Great to hear that, please mark the question as answered so future users can learn from this.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC