I have an ASA 5510 and I need to implement a DMZ. I know I can either plug devices directly into a port on the ASA or use subinterfaces to create multiple DMZs with different levels of access if I don't have enough ports, and then use a switch. So we create the IP addresses on the interface, plug in our device (switch or PC) and the interface comes up. Is there any way to have virtual machines within our network on a physical machine be in different zones in the firewall (i.e. one on the inside, another in a DMZ for example)? I think the only thing here isn't really so much related to the ASA as much as it is whether or not the physical server's NIC can support trunking and plug into the ASA directly or to the switch, correct? If I were to add multiple sub-interfaces to a port on the ASA, and I wanted one VM to be inside and another to be in the DMZ, is that doable considering there is already an interface on the ASA defined as 'Inside' (i.e. if I try to add a subinterface that contains a 'secondary' IP address that participates in the same VLAN/subnet as the Inside interface I'll have an overlap)? And just to be sure, there's no way to make a logical DMZ inside the ASA that isn't actually bound to a physical port like creating SVIs on a L3 switch, correct? If there were, then I could just trunk the physical machine to the network and have each of the VMs participate in the zone they are intended to be in based on the VLAN tagging. I'll try to get a diagram together that addresses this more clearly.
On the VMware host you are going to create a virtual switch. Each port on that switch can be set to a specific VLAN. However, for ease of understanding it may be preferable to create 2 virtual switches, one internal and one DMZ. If you have 2 NICs available then you can hook one to the internal network and one to the DMZ. That will allow you to have both internal and DMZ VMs on the same physical host.
The problem isn't so much on the server side as much as it is on the ASA side. If I try to create a trunk to the ASA for this machine and I want one of the VMs on the inside, I'd have to do something like this:
ip address 192.168.1.1 255.255.255.0
ip address 192.168.2.1 255.255.255.0
Since I already have a layer 3 interface defined for the Inside interface, I don't have any VLAN tags for it locally on the ASA to tag this sub-interface with. I also can't define the sub-interface as 192.168.2.2 to make it part of the Inside subnet because that overlaps with Gig0/1. I suppose in this case I'd have to create another 'Inside' interface of security-level 99 or something and then just make sure that the ASA has the NAT rules and ACL rules to allow that traffic from the Gig0/2 sub-interface back inside. The ASA isn't going to allow me to create a logical layer 3 address like an SVI on a Layer 3 switch so that I could then just apply the VLAN tag to both interface Gig0/1 and Gig0/2.??, nor can I add a VLAN tag to the subnet I define on Gig0/1.
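One way to lay out the two zones on the ASA side, added here as an example and not configuration taken from the thread or from Cisco's documentation: Gig0/2 carries an 802.1Q trunk to the VM host, with one tagged sub-interface for VMs that should be treated as inside and one for the DMZ. Each sub-interface gets its own subnet, because the ASA will not accept a second interface in the subnet already used by the Inside interface on Gig0/1. The interface names, VLAN IDs 10 and 20, the 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 subnets and the access-list are assumptions for illustration.

```cisco
! Existing Inside interface, unchanged (192.168.1.0/24 assumed here)
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Physical port that carries the 802.1Q trunk to the VM host.
! It gets no name or address of its own; only the sub-interfaces do.
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! VLAN 10 (assumed): VMs that should sit on the inside.
! A second interface at security-level 100 on its own subnet is how the
! ASA expresses "another inside segment"; it cannot share 192.168.1.0/24
! with Gig0/1.
interface GigabitEthernet0/2.10
 vlan 10
 nameif Inside-VM
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! VLAN 20 (assumed): DMZ VMs at a lower security level.
interface GigabitEthernet0/2.20
 vlan 20
 nameif DMZ
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Let the two security-level 100 interfaces pass traffic to each other.
! Without this the ASA drops traffic between interfaces of equal level,
! which is the reason one would otherwise reach for security-level 99
! plus explicit ACLs.
same-security-traffic permit inter-interface
!
! DMZ may reach the outside but never either inside segment.
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended deny ip any 192.168.2.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface DMZ
```

On the host side the vSwitch uplink plugs into Gig0/2 and the port groups are tagged VLAN 10 and VLAN 20, so each VM lands in the zone its port group maps to. NAT between the inside segments is deliberately left out of the example because the syntax differs between ASA 8.2 and 8.3+; check which one the 5510 is running before adding identity NAT or nat-control rules for the new 192.168.2.0/24 segment.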