10-20-2014 07:31 AM
Hello
I am in the process of moving my current single Internet/VPN link to a dual link on different ASA and ISP providers.
I want to create an INSIDE interface on my ASA 5545-X that will directly connect to my Nexus 7k distribution device(s).
Currently the Inside interface of the ASA 5520 is from a VLAN that was created on the Nexus 7k.
It would seem simple enough to follow that same design, albeit using a different VLAN and IP scheme.
I also need to create a DMZ interface on the ASA to my Nexus 7k distribution device.
Currently the DMZ interface of the ASA 5520 is from a VLAN that was created on the ASA and then trunked.
It would seem simple enough to follow that same design, albeit using a different VLAN and IP scheme.
Is there a best practice approach document or advice that someone would pass along?
10-20-2014 12:14 PM
The Cisco Secure Data Center reference designs don't specifically address DMZ. However, this is a very common setup for ASAs.
The real wrinkles come in on the switching side. You have the option of using physically separate switches (which you have already decided not to do) and, given a Nexus 7k core, the next option is how to separate the DMZ and inside security zones. The most secure, given a standard 7k core, would be to create a second VDC for the DMZ with no layer 3 services and have the ASA's DMZ interface be the default gateway for those hosts. A second option on the 7k would be to stick with one VDC but put the DMZ VLAN(s) in either their own VRF or simply make them L2 only on the ASA, with the ASA again being the L3 gateway.
There are several other approaches you could take but the ones I just described are the most commonly used ones.
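The "second VDC for the DMZ" option from the answer above, written out as an added configuration sketch (not from the thread or from Cisco's reference designs). Interface numbers, VLAN IDs and the 10.100.0.0/24 and 10.200.0.0/24 addresses are assumed; the point is that the DMZ VDC carries VLANs only and the ASA's dmz interface is the only L3 hop for DMZ hosts.

```cisco
! --- Nexus 7k, default (admin) VDC: carve out an L2-only VDC for the DMZ ---
! Assumed port numbers; on some 7k line cards ports allocate in groups.
vdc DMZ id 2
  allocate interface Ethernet2/1-2
!
! --- Nexus 7k, default VDC: inside transit VLAN, 7k is the inside L3 hop ---
feature interface-vlan
vlan 100
  name INSIDE-TRANSIT
interface Vlan100
  ip address 10.100.0.2/24
  no shutdown
interface Ethernet1/1
  description ASA-5545X-inside
  switchport
  switchport mode access
  switchport access vlan 100
  no shutdown
ip route 0.0.0.0/0 10.100.0.1
!
! --- Nexus 7k, VDC "DMZ" (switchto vdc DMZ): VLANs and access/trunk ports only ---
! Deliberately no "feature interface-vlan": no SVIs, so no routing in this VDC.
vlan 200
  name DMZ
interface Ethernet2/1
  description ASA-5545X-dmz
  switchport
  switchport mode access
  switchport access vlan 200
  no shutdown
interface Ethernet2/2
  description dmz-server
  switchport
  switchport mode access
  switchport access vlan 200
  no shutdown
!
! --- ASA 5545-X: one physical interface per zone; ASA is the DMZ default gateway ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.200.0.1 255.255.255.0
 no shutdown
route inside 10.0.0.0 255.0.0.0 10.100.0.2
```

DMZ hosts point their default gateway at 10.200.0.1, so every DMZ-to-inside flow crosses the ASA and is subject to its policy; there is no SVI in the DMZ VDC that could bypass it.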