New Member

VLANs behind CSM plan on the ASA 5505

I am new to the ASA firewall. I hope I can get your help with my question.

We have a new ASA 5505 with a Security Plus license. We will connect it to our L2 switch (access layer). There are four VLANs related to this ASA.

VLAN10: internal users VLAN

VLAN20: CSM VIP VLAN

VLAN30: CSM real (backend) servers VLAN

VLAN40: application servers

I would like to use three ports on the ASA since I will divide it into three legs. One is inside for VLAN10. The second one is DMZ1 for the CSM VIP, the third one is DMZ2 for the application servers. I have a question about the second leg. Since these servers are built on VMware instead of a physical box, should I set up this port as a trunk port (allow VLAN20, VLAN30) on the ASA? Do I need to create a sub-interface for it?

I will appreciate it if you could give me any suggestions.

1 REPLY
Hall of Fame Super Blue

Re: VLANs behind CSM plan on the ASA 5505

In reply to HWangLoyalty's post above:

If I understand your setup correctly, no, you shouldn't. You only want traffic to go to the VIP and not the real addresses, so you should only allow VLAN 20 on that link.

Of course, if you want to be able to access both the VIPs and the real addresses through the ASA, you would need to set it up as a trunk.

Jon
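As an added illustration of Jon's advice (this is not configuration from either poster in the thread): on the ASA 5505 the eight ports are switchports, so the trunk question is handled with `switchport` commands plus one `interface VlanN` per VLAN, rather than with subinterfaces as on the routed-port ASA models. The port number, IP addresses, interface names and security levels below are placeholder assumptions.

```cisco
! Recommended per the reply: the DMZ1 port carries only the CSM VIP VLAN (20).
! The real servers on VLAN30 stay behind the CSM and are not directly reachable via the ASA.
interface Ethernet0/1
 description DMZ1 - CSM VIP VLAN only
 switchport access vlan 20
 no shutdown
!
interface Vlan20
 nameif dmz1
 security-level 50
 ! placeholder address
 ip address 192.0.2.1 255.255.255.0
!
! Alternative, only if the VIPs AND the real addresses must both be reachable through
! the ASA: trunk the port and give each VLAN its own Vlan interface. This makes VLAN30
! a routed leg of the firewall, so inside hosts could reach the real servers without
! passing through the CSM unless the ACLs on dmz1 / dmz1-real explicitly prevent it.
! interface Ethernet0/1
!  description DMZ1 trunk - VIP and real-server VLANs
!  switchport mode trunk
!  switchport trunk allowed vlan 20,30
!  no shutdown
! !
! interface Vlan30
!  nameif dmz1-real
!  security-level 50
!  ! placeholder address
!  ip address 198.51.100.1 255.255.255.0
```

Whichever variant is used, `show switch vlan` and `show interface ip brief` confirm which VLANs the port actually carries and which Vlan interfaces are up.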
