I have a simple scenario:
1. Firewall ASA 5510 that connects to the internet on Fa0/0
2. Layer 3 switch that is connected to Fa0/1 of the ASA 5510, and has some VLANs for users.
Now I want to implement a DMZ zone on the firewall, to publish one of the servers to the outside (internet).
How do I create this?
I plan to use interface Fa0/2 on the Cisco ASA 5510, but will I have to connect this cable to the Layer 3 switch?
Do I have to create another VLAN for the DMZ on the switch?
So, finally, will there be two cables connecting the Cisco ASA 5510 and the Layer 3 switch, one with the user VLAN and another with the DMZ VLAN?
Is this supported?
I guess you have a few options on how to do this
I guess the main questions at this point are
I guess the easiest way to determine your current situation would be to see some interface configurations from both the ASA and the L3 switch.
Or if that is not possible, we would need a description of how the network is currently set up before the new DMZ VLAN.
Hope I made some sense.
Let me give you some information.
First of all, the L3 switch is doing VLAN routing, and as its default gateway has the IP address of interface Fa0/1 of the Cisco ASA 5510 (inside interface).
All the servers will be running as virtual machines, as in the diagram.
Servers will run on VLAN 5.
Now, one of the servers, which is a virtual machine, will be on the DMZ (in yellow).
And here my question comes:
Do I have to create another VLAN (VLAN 10 for example, on the L3 switch) with no IP address, and connect ASA 5510 Fa0/2 to one of its interfaces on VLAN 10, and also the server for the DMZ?
I am not quite sure how the connection between the actual virtual server and the L3 switch is done, but the main thing here is that the connection from the DMZ server all the way to the ASA interface Fa0/2 has to be L2. You won't be configuring any "interface Vlan10" on the L3 switch.
If we take for example a situation where you would connect a DMZ server directly to some port on the L3 switch, then you would configure that physical interface as an Access Mode port for Vlan10, and you would also configure another port that will be connected to the ASA Fa0/2 as an Access Mode port for Vlan10. This should pretty much be it. This will mean that the traffic from the DMZ server will go to the ASA, which is its default gateway, effectively isolating the server from the rest of the internal VLANs.
I am not sure, but I guess it might even be that your virtual machines are connected by a trunk to your L3 switch? In that case naturally Vlan10 would be on that trunk, but the interface leading to the ASA Fa0/2 would still be an Access Mode port for Vlan10.
Hope this made sense and helped.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed though.
Why don't I have to configure another VLAN 10 on the L3 switch?
Put some ports on it as access ports, and put these ports in VLAN 10.
Then connect Fa0/2 from the Cisco ASA 5510 to one of these ports on VLAN 10, and put the server for the DMZ on another port of this VLAN 10.
What is wrong with this design?
As I said, you won't configure "interface Vlan10", as this would only be required for L3 purposes, which is not the goal here.
You will however naturally create the L2 Vlan10. I was talking about the L3 interface as the thing you won't need to configure. If you configured an L3 VLAN interface with an IP address, then the traffic flow from the DMZ would be affected.
You just have to make sure that the L2 Vlan10 is created on the switch and is configured all the way from the interface connected to the server to the interface which connects to the ASA.
You won't need the "interface Vlan10", as it is only for L3 purposes. Your actual L2 Vlan10 won't need the interface, and without an IP address I don't think it really serves any purpose in this situation.
So for example, on a Cisco switch where you have Vlan10 and 2 Access Mode ports:
vlan 10
!
interface <switchport to DMZ server>
 description DMZ Server
 switchport mode access
 switchport access vlan 10
!
interface <switchport to ASA Fa0/2>
 description DMZ link to ASA
 switchport mode access
 switchport access vlan 10
Or something like the above. As you can see, we didn't configure any "interface Vlan10", as it is not needed.
Naturally the actual interface configurations depend on the device you are using and how the server is connected to that device.
Yes, I mean only to create the VLAN (as you have done in the description).
No IP address on it.
So the question is...
Will there be any issues with this scenario?
Or is everything good?
Well, you won't configure an IP address anywhere, as we are not configuring anything related to L3 on the switch.
What I have done above is create the L2 Vlan10 and assign 2 switchports to this Vlan10.
Naturally the actual configurations you should enter depend on how the new DMZ server is connected to the switch. Is Vlan10 perhaps added to some trunk interface that is connected to the server hardware which runs the virtual servers, or will the DMZ server actually have its own physical access port?
This setup should work. Naturally I have not seen your actual configurations, but the basic idea is to have the DMZ server on Vlan10 and have a connection from Vlan10 to the interface Fa0/2 of the ASA, where the actual gateway IP address is configured.
All traffic from the DMZ network to any other network, OR any traffic destined to the DMZ network, has to go through the ASA, so you will be able to control traffic from and to the DMZ network, as was the idea to my understanding.
Thank you Jouni,
I had a DMZ vlan interface on my L3 switch. I'm glad I ran into your post. Wiped the DMZ SVI and everything worked as I expected.