Cisco Support Community

New Member

Advice - URGENT

Hi,

Need advice on the following scenario...

We have ASA 5510 and need to have 6DMZ.

With limited ports, how is this possible?

We don't want one DMZ to communicate with another DMZ.

Is a sub-interface the only solution?

10 REPLIES
New Member

Re: Advice - URGENT

I would say sub-Interface is the option you should use.

How many actual interfaces do you have?

Re: Advice - URGENT

As the previous poster indicated, create sub-interfaces. Your 5510 has 5 10/100 physical ports; one of those is a MGT port, so technically you have 4 FE ports. With the base license this model can support up to 50 virtual interfaces, with Security Plus up to 100 virtual interfaces. With just one FE port you could have your 6 DMZ networks by creating logical sub-interfaces off one FE port and assigning each a unique VLAN ID and security level. Look into the links below on 802.1q on the ASA and trunk the ASA FE port to the switch to pass all the DMZ VLANs to the switch; create the 6 DMZ VLANs on the switch.

ASA 5500 Virtual interfaces

http://www.cisco.com/en/US/docs/security/asa/asa70/release/notes/asa_rn.html#wp208880

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intrface.html

5510 Model specs VLANs support

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

rate any helpful posts

HTH

Jorge

New Member

Re: Advice - URGENT

Thanks for the great information.

I will have:

FE0/0 connected to outside

FE0/1 connected to inside

FE0/2 connected to a Layer 2 switch

I will create VLANs on the firewall:

VLAN 1, VLAN 2, VLAN 3, VLAN 4, VLAN 5, VLAN 6.

Now I need to create sub-interfaces on port FE0/2.

Q1> What is the command/config required on FE0/2 for a sub-interface?

Q2> I don't want the VLANs to communicate with each other, so what is required?

Q3> What config is required so that inside and outside can communicate with these DMZs?

Re: Advice - URGENT

Follow these; let's do this together, as I have to upgrade our 515Es next year with ASA5510s as well.

As soon as you configure a sub-interface, 802.1q VLAN trunking is automatically enabled with no other commands required.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.pdf

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1049732

Make sure you have already created the VLANs on the switch and allocated a port for the trunk connection with the ASA FE0/2 port.

e.g.

switch(config)#interface fastethernet0/24
switch(config-if)#switchport trunk encapsulation dot1q
switch(config-if)#switchport mode trunk

e.g. using VLAN 2; repeat for 3, 4, 5, 6, 7.

Place a question mark for the sub-interface number:

asa(config)#interface ethernet0/2.?

or

asa(config)#interface ethernet0/2.2
asa(config-subif)#vlan 2
asa(config-subif)#nameif DMZ2
asa(config-subif)#ip address 2.2.2.1 255.255.255.0
asa(config-subif)#security-level XX

Let me know how it goes.

Rgds

Jorge

New Member

Re: Advice - URGENT

Assuming the attached diagram, where would the VLANs be created (L2 2960 switch or 4500 switch)?

How would I ensure that two VLANs don't communicate with each other?

Using sub-interfaces, will there be any performance issues?

What config is required if I want two VLANs to communicate with each other?

Re: Advice - URGENT

Amind, in your original post your requirements are to create 6 DMZ networks. If I understand correctly, you have a DMZ switch based on your diagram topology and one inside 4500 switch. The DMZ switch is usually where you would want to create your DMZ networks for your external vendor connections, which will require access-list permissions to communicate with the inside network; if this is not correct please indicate otherwise.

Creating sub-interfaces and indicating security levels on each will determine communication by way of access-lists between them.

Refer to enabling/disabling communications between interfaces; sub-interfaces are considered interfaces.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html

I have not read of performance issues when using subinterfaces and 802.1q.

New Member

Re: Advice - URGENT

Thanks for the great link.

If possible, can you send me a sample configuration of the sub-interface scenario?

Re: Advice - URGENT

This could be an example for four DMZ subnets on the ASA:

interface Ethernet0/2
 description physical port 802.1Q TRUNK to SWITCH
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/2.2
 vlan 102
 nameif DMZ2
 security-level 50
 ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/2.3
 vlan 103
 nameif DMZ3
 security-level 49
 ip address 3.3.3.1 255.255.255.0
!
interface Ethernet0/2.4
 vlan 104
 nameif DMZ4
 security-level 48
 ip address 4.4.4.1 255.255.255.0
!
interface Ethernet0/2.5
 vlan 105
 nameif DMZ5
 security-level 47
 ip address 5.5.5.1 255.255.255.0
!

etc..

////////////////////////////

General info on VLANs and trunking configuration

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_sea/configuration/guide/swvlan.html#wp1441674

This could be an example for the switch config: create the VLANs and allocate a port for the 802.1q trunk.

On the switch, config something like this (VLAN names corrected to match the DMZ each VLAN carries):

vlan database
vtp domain DMZ
vtp mode transparent
vlan 102 name DMZ2_2.2.2.0_subnet
vlan 103 name DMZ3_3.3.3.0_subnet
vlan 104 name DMZ4_4.4.4.0_subnet
vlan 105 name DMZ5_5.5.5.0_subnet
exit

etc..

Allocate one port on the switch to connect the ASA FE0/2 interface and create the trunk; each DMZ server then gets its own access port (one port per server, not the same port repeated).

e.g.

interface fastethernet0/24
 description Connection to ASA5510_FE0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 no shutdown
!
interface fastethernet0/1
 description DMZ2_VENDOR_A_SERVER_A
 switchport access vlan 102
 speed 100
 duplex full
 no ip address
 no shutdown
!
interface fastethernet0/2
 description DMZ3_VENDOR_B_SERVER_A
 switchport access vlan 103
 speed 100
 duplex full
 no ip address
 no shutdown
!
interface fastethernet0/3
 description DMZ4_VENDOR_C_SERVER_A
 switchport access vlan 104
 speed 100
 duplex full
 no ip address
 no shutdown
!
interface fastethernet0/4
 description DMZ5_VENDOR_D_SERVER_A
 switchport access vlan 105
 speed 100
 duplex full
 no ip address
 no shutdown

Rate any helpful post

HTH

Jorge

New Member

Re: Advice - URGENT

Thanks.

If I want VLAN 104 to communicate with VLAN 105, then is the only requirement to make both security levels the same?

I would make an access-list for inside and an access-list for outside; but how would the access-list be applied for each DMZ (do I need to have multiple access-lists or a single access-list)?

Is there a tool (simulator) to test the configuration without testing on the ASA box?

Re: Advice - URGENT

Amind, when VLAN 104 and VLAN 105 are assigned the same security level on their interfaces, beginning in code 7.2x you may apply "same-security-traffic permit inter-interface" only if you do not want to apply an access-list between the two same-security interfaces, and they can then communicate without any access-lists. In other words, if VLAN 104 and VLAN 105 have a security level of 50 and you do not use "same-security-traffic permit inter-interface" in global configuration mode, you are instructing the firewall to require an access-list for communication between the VLAN 104 and VLAN 105 subnets.

This comes from the latest Cisco Press ASA security firewalling instructions.

On your question:

"I would make an access-list for inside ; access-list for Outside ;;; But how could the access-list applied for each DMZ ( I need to have multiple access-list or single access-list ) ..... "

Create the access-list from DMZ to outside following the same principle as in creating inbound or outbound access-lists, and apply them to the interface, either DMZ1, DMZ2, or outside.

I would recommend you get the Cisco Press ASA/PIX/FWSM handbook, second edition, which will help you understand clearly. Visit

http://www.ciscopress.com

I am not aware of good firewall simulators where you can simulate what you need; I have seen PIX software simulators, but they are introductory simulators.

If you have your firewall in production, I assume you have not yet worked with your DMZ subnets. If so, you can start working with creating the subnets and testing by using perhaps two laptops to test communications between different DMZ subnets. I will be more than happy to work with you on this.

Rgds

Jorge
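To sanity-check a DMZ plan against the ASA default inter-interface behaviour discussed above (a higher security-level interface may initiate to a lower one with no access-list; equal levels are blocked unless "same-security-traffic permit inter-interface" is set), here is an added Python model; it is not Cisco code or anything posted in this thread, and the plan it uses is constructed from the four-DMZ sub-interface example. It goes beyond the example to show that giving each DMZ a distinct level, as posted, does not by itself isolate them.

```python
"""Model of the ASA inter-interface default policy discussed in this thread.
Added example, not Cisco code: higher security level -> lower is forwarded
with no ACL; lower -> higher needs an inbound ACL; equal levels are dropped
unless 'same-security-traffic permit inter-interface' is configured."""
from itertools import permutations

# Constructed plan mirroring the four-DMZ sub-interface example posted above.
DMZ_PLAN = {
    "DMZ2": {"subif": "Ethernet0/2.2", "vlan": 102, "level": 50, "ip": "2.2.2.1"},
    "DMZ3": {"subif": "Ethernet0/2.3", "vlan": 103, "level": 49, "ip": "3.3.3.1"},
    "DMZ4": {"subif": "Ethernet0/2.4", "vlan": 104, "level": 48, "ip": "4.4.4.1"},
    "DMZ5": {"subif": "Ethernet0/2.5", "vlan": 105, "level": 47, "ip": "5.5.5.1"},
}

def default_allows(src_level, dst_level, same_security_permit=False):
    """True if the ASA forwards src -> dst with no access-list on the source interface."""
    if src_level > dst_level:
        return True
    if src_level == dst_level:
        return same_security_permit
    return False

def unintended_paths(plan, same_security_permit=False):
    """Every ordered DMZ pair that could talk without an ACL; the OP wants this empty."""
    return sorted((a, b) for a, b in permutations(plan, 2)
                  if default_allows(plan[a]["level"], plan[b]["level"], same_security_permit))

def equalize_levels(plan, level):
    """Give every DMZ the same security level so none can initiate to another by default."""
    return {name: {**p, "level": level} for name, p in plan.items()}

def render_subinterfaces(plan):
    """Emit the ASA sub-interface stanzas for the plan, one '!'-terminated block each."""
    lines = []
    for name, p in plan.items():
        lines += [f"interface {p['subif']}", f" vlan {p['vlan']}", f" nameif {name}",
                  f" security-level {p['level']}",
                  f" ip address {p['ip']} 255.255.255.0", "!"]
    return "\n".join(lines)

if __name__ == "__main__":
    # Distinct levels, as in the posted example: each higher DMZ reaches every lower one.
    print("open by default:", unintended_paths(DMZ_PLAN))
    # Equal levels without the same-security permit: no DMZ-to-DMZ path without an ACL.
    print("open when equalized:", unintended_paths(equalize_levels(DMZ_PLAN, 50)))
    print(render_subinterfaces(equalize_levels(DMZ_PLAN, 50)))
```

With the posted levels 50/49/48/47 the model lists six DMZ-to-DMZ paths that are open without any access-list; equal levels (and no same-security permit) reduce that to none, after which the inside and outside access-lists can be written as Jorge describes.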
