Cisco Support Community

New Member

ASA interface connection to Inside and to DMZ

Hello

I am in the process of moving my current single Internet/VPN link to a dual link on different ASA and ISP providers.

I want to create an INSIDE interface on my ASA 5545x that will directly connect to my Nexus 7k Distribution device(s).

Currently the Inside interface of the ASA5520 is from a Vlan that was created on the Nexus 7k.

It would seem simple enough to follow that same design, albeit using a different vlan and ip scheme.

I also need to create a DMZ interface on the ASA to my Nexus 7K distribution device.

Currently the DMZ interface of the ASA5520 is from a Vlan that was created on the ASA and then trunked.

It would seem simple enough to follow that same design, albeit using a different vlan and ip scheme.

Is there a best-practice approach document or advice that someone would pass along?

sMc
Accepted Solution
Hall of Fame Super Silver

The Cisco Secure Data center

The Cisco Secure Data center reference designs don't specifically address DMZ. However, this is a very common setup for ASAs.

The real wrinkles come in on the switching side. You have the option of using physically separate switches (which you have already decided not to do) and, given a Nexus 7k core, the next option is how to separate the DMZ and inside security zones. The most secure, given a standard 7k core, would be to create a second VDC for the DMZ with no layer 3 services and have the ASA's DMZ interface be the default gateway for those hosts. A second option on the 7k would be to stick with one VDC but put the DMZ VLAN(s) in either their own VRF or simply make them L2 only on the ASA, with the ASA again being the L3 gateway.

There are several other approaches you could take but the ones I just described are the most commonly used ones.

