'Logical' DMZ?

Scott Pickles
Level 4

I have an ASA 5510 and I need to implement a DMZ. I know I can either plug devices directly into a port on the ASA or use subinterfaces to create multiple DMZs with different levels of access if I don't have enough ports, and then use a switch. So we create the IP addresses on the interface, plug in our device (switch or PC) and the interface comes up. Is there any way to have virtual machines within our network on a physical machine be in different zones in the firewall (i.e. one on the inside, another in a DMZ for example)? I think the only thing here isn't really so much related to the ASA as much as it is whether or not the physical server's NIC can support trunking and plug into the ASA directly or to the switch, correct? If I were to add multiple sub-interfaces to a port on the ASA, and I wanted one VM to be inside and another to be in the DMZ, is that doable considering there is already an interface on the ASA defined as 'Inside' (i.e. if I try to add a subinterface that contains a 'secondary' IP address that participates in the same VLAN/subnet as the Inside interface I'll have an overlap)? And just to be sure, there's no way to make a logical DMZ inside the ASA that isn't actually bound to a physical port like creating SVIs on a L3 switch, correct? If there were, then I could just trunk the physical machine to the network and have each of the VMs participate in the zone they are intended to be in based on the VLAN tagging. I'll try to get a diagram together that addresses this more clearly.

Regards,
Scott


Scott Pickles
Level 4

Here's a topology:

ASA L2 DMZ.png

Jeff Van Houten
Level 5

On the VMware host you are going to create a virtual switch. Each port on that switch can be set to a specific VLAN. However, for ease of understanding it may be preferable to create 2 virtual switches, one internal and one DMZ. If you have 2 NICs available then you can hook one to the internal network and one to the DMZ. That will allow you to have both internal and DMZ VMs on the same physical host.

Sent from Cisco Technical Support iPad App

@Jeff

The problem isn't so much on the server side as much as it is on the ASA side.  If I try to create a trunk to the ASA for this machine and I want one of the VMs on the inside, I'd have to do something like this:

interface GigabitEthernet0/0
     description Outside
     ip address 192.168.1.1 255.255.255.0
     nameif Outside
     security-level 0
interface GigabitEthernet0/1
     description Inside
     ip address 192.168.2.1 255.255.255.0
     nameif Inside
     security-level 100
interface GigabitEthernet0/2.10
     description DMZ
     vlan 10
     nameif DMZ
     security-level 50
interface GigabitEthernet0/2.??
     description Inside
     vlan ??
     nameif Inside-Too
     security-level ??

Since I already have a layer 3 interface defined for the Inside interface, I don't have any VLAN tags for it locally on the ASA to tag this sub-interface with.  I also can't define the sub-interface as 192.168.2.2 to make it part of the Inside subnet because that overlaps with Gig0/1.  I suppose in this case I'd have to create another 'Inside' interface of security-level 99 or something and then just make sure that the ASA has the NAT rules and ACL rules to allow that traffic from the Gig0/2 sub-interface back inside.  The ASA isn't going to allow me to create a logical layer 3 address like an SVI on a Layer 3 switch so that I could then just apply the VLAN tag to both interface Gig0/1 and Gig0/2.??, nor can I add a VLAN tag to the subnet I define on Gig0/1.

Looking at your drawing it seems like the logical solution is to add another NIC to the server and route the DMZ traffic by itself for that one VM.

Sent from Cisco Technical Support iPad App

integreon
Level 1

Scott,

Do not create sub interfaces. Instead configure 'permit ip' ACL to allow one of the VM IP to access inside network.

Sent from Cisco Technical Support iPad App
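Pulling the two suggestions in this thread together (Scott's second 'Inside-Too' sub-interface on the Gig0/2 trunk, and integreon's per-host 'permit ip' ACL instead of opening the whole DMZ), here is an added example of what that looks like on the ASA. This is not configuration from the original posts; the VLAN 20 tag, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the DMZ VM address 192.168.10.20 and the ACL names are all assumed, and it assumes ASA 8.3 or later, where no NAT statement is needed just to pass traffic between interfaces.

```cisco
! Parent port carries the 802.1Q trunk from the VMware host; it gets no
! name, security level or address of its own, only the sub-interfaces do.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! VLAN 10: the DMZ VM's port group on the vSwitch is tagged with this ID.
interface GigabitEthernet0/2.10
 description DMZ (trunked from VM host)
 vlan 10
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! VLAN 20 (assumed): a second inside-side interface for the internal VM.
! It cannot reuse 192.168.2.0/24 (that overlaps Gig0/1), so it gets its
! own subnet and the ASA routes between the two inside segments.
interface GigabitEthernet0/2.20
 description Inside-Too (trunked from VM host)
 vlan 20
 nameif Inside-Too
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! Two interfaces at level 100 only talk to each other with this enabled;
! it replaces the 'level 99 plus ACL' variant from the thread.
same-security-traffic permit inter-interface
!
! Least-privilege path out of the DMZ: only the one DMZ VM may reach
! the inside subnet, everything else in the DMZ is kept off the inside
! networks but may still reach the Internet via Outside.
access-list DMZ_IN extended permit ip host 192.168.10.20 192.168.2.0 255.255.255.0
access-list DMZ_IN extended deny ip any 192.168.2.0 255.255.255.0
access-list DMZ_IN extended deny ip any 192.168.20.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface DMZ
```

After applying this, 'show interface ip brief' should list GigabitEthernet0/2.10 and .20 as up with their addresses, and 'show access-list DMZ_IN' shows hit counts per line, which is the quickest way to confirm the deny entries are actually being matched by DMZ hosts other than 192.168.10.20.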
