New Member

'Logical' DMZ?

I have an ASA 5510 and I need to implement a DMZ.  I know I can either plug devices directly into a port on the ASA or use subinterfaces to create multiple DMZs with different levels of access if I don't have enough ports, and then use a switch.  So we create the IP addresses on the interface, plug in our device (switch or PC) and the interface comes up.  Is there any way to have virtual machines within our network on a physical machine be in different zones in the firewall (i.e. one on the inside, another in a DMZ for example)?  I think the only thing here isn't really so much related to the ASA as much as it is whether or not the physical server's NIC can support trunking and plug into the ASA directly or to the switch, correct?  If I were to add multiple sub-interfaces to a port on the ASA, and I wanted one VM to be inside and another to be in the DMZ, is that doable considering there is already an interface on the ASA defined as 'Inside' (i.e. if I try to add a subinterface that contains a 'secondary' IP address that participates in the same VLAN/subnet as the Inside interface I'll have an overlap)?  And just to be sure, there's no way to make a logical DMZ inside the ASA that isn't actually bound to a physical port like creating SVIs on a L3 switch, correct?  If there were, then I could just trunk the physical machine to the network and have each of the VMs participate in the zone they are intended to be in based on the VLAN tagging.  I'll try to get a diagram together that addresses this more clearly.

Regards,
Scott

5 REPLIES
New Member

Re: 'Logical' DMZ?

Here's a topology:

ASA L2 DMZ.png

Re: 'Logical' DMZ?

On the VMware host you are going to create a virtual switch. Each port on that switch can be set to a specific VLAN. However, for ease of understanding it may be preferable to create 2 virtual switches, one internal and one DMZ. If you have 2 NICs available then you can hook one to the internal network and one to the DMZ. That will allow you to have both internal and DMZ VMs on the same physical host.

Sent from Cisco Technical Support iPad App

New Member

Re: 'Logical' DMZ?

@Jeff

The problem isn't so much on the server side as much as it is on the ASA side.  If I try to create a trunk to the ASA for this machine and I want one of the VMs on the inside, I'd have to do something like this:

interface GigabitEthernet0/0
     description Outside
     ip address 192.168.1.1 255.255.255.0
     nameif Outside
     security-level 0
interface GigabitEthernet0/1
     description Inside
     ip address 192.168.2.1 255.255.255.0
     nameif Inside
     security-level 100
interface GigabitEthernet0/2.10
     description DMZ
     vlan 10
     nameif DMZ
     security-level 50
interface GigabitEthernet0/2.??
     description Inside
     vlan ??
     nameif Inside-Too
     security-level ??

Since I already have a layer 3 interface defined for the Inside interface, I don't have any VLAN tags for it locally on the ASA to tag this sub-interface with.  I also can't define the sub-interface as 192.168.2.2 to make it part of the Inside subnet because that overlaps with Gig0/1.  I suppose in this case I'd have to create another 'Inside' interface of security-level 99 or something and then just make sure that the ASA has the NAT rules and ACL rules to allow that traffic from the Gig0/2 sub-interface back inside.  The ASA isn't going to allow me to create a logical layer 3 address like an SVI on a Layer 3 switch so that I could then just apply the VLAN tag to both interface Gig0/1 and Gig0/2.??, nor can I add a VLAN tag to the subnet I define on Gig0/1.

Re: 'Logical' DMZ?

Looking at your drawing it seems like the logical solution is to add another NIC to the server and route the DMZ traffic by itself for that one VM.

Sent from Cisco Technical Support iPad App

New Member

Re: 'Logical' DMZ?

Scott,

Do not create sub-interfaces. Instead, configure a 'permit ip' ACL to allow one of the VM IPs to access the inside network.

Sent from Cisco Technical Support iPad App
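An added configuration example (not posted by anyone in this thread) of what the approach suggested above looks like on the ASA: one tagged DMZ sub-interface on Gig0/2 with its own subnet and security-level, and an ACL on that interface that permits a single DMZ VM to reach a single inside host while the rest of the inside subnet stays unreachable. All addresses and object names are constructed for illustration, and the 8.3+ object syntax is assumed.

```cisco
! Physical trunk port carries the tagged DMZ VLAN; it gets no nameif or IP of its own
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! DMZ lives in VLAN 10 on its own subnet (constructed), so it cannot overlap Inside
interface GigabitEthernet0/2.10
 vlan 10
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! The one DMZ VM that needs inside access, and the inside host it may reach (constructed)
object network DMZ-VM
 host 192.168.10.20
object network INSIDE-APP
 host 192.168.2.50
object network INSIDE-NET
 subnet 192.168.2.0 255.255.255.0
!
! Inbound ACL on DMZ: the single permitted pair, then deny everything else toward Inside,
! then allow the DMZ to reach lower security-level interfaces (Outside) as it did by default
access-list DMZ_IN extended permit ip object DMZ-VM object INSIDE-APP
access-list DMZ_IN extended deny ip any object INSIDE-NET
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface DMZ
```

Once an ACL is applied inbound on DMZ it replaces the implicit security-level behaviour for that interface, which is why the final `permit ip any any` is needed to keep DMZ-to-Outside traffic working; `show access-list DMZ_IN` shows hit counts per line and is the quickest way to confirm the VM's traffic is matching the intended entry.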
