Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
154
Views
0
Helpful
1
Replies

ASA interface connnection to Inside and to DMZ

Go to solution
Steve Coady
Level 1
Level 1

‎10-20-2014 07:31 AM

Hello

 

I am in the process of moving my current single Internet/VPN link to a dual link on different ASA and ISP providers.

 

 

I want to create a INSIDE interface on my ASA 5545x that will directly connect to my Nexus 7k Distribution device(s)

Currently the Inside interface of the ASA5520 is from a Vlan that was created on the Nexus 7k.

It would seem simple enough to follow that same design albeit using different vlan and ip scheme.

 

I also need to create a DMZ interface on the ASA to my Nexus 7K distribution device.

Currently the DMZ interface of the ASA5520 is from a Vlan that was created on the ASA and then trunked

It would seem simple enough to follow that same design albeit using different vlan and ip scheme.

 

Is there a best practice approach document or advise that someone would pass along

 

 

 

sMc
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-20-2014 12:14 PM

The Cisco Secure Data center reference designs don't specifically address DMZ. However, this is a very common setup for ASAs.

The real wrinkles come in on the switching side. You have the option of using physically separate switches (which you have already decided not to do) and, given a Nexus 7k core, the next option is how to separate the DMZ and inside security zones. The most secure, given a standard 7k core would be to create a second VDC for the DMZ with no layer 3 services and have the ASA's DMZ interface be the default gateway for those hosts. A second option on the 7k would be to stick with one VDC but put the DMZ VLAN(s) in either their own VRF or simply make them L2 only on the ASA with the ASA again being the L3 gateway.

There are several other approaches you could take but the ones I just described are the most commonly used ones.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-20-2014 12:14 PM

The Cisco Secure Data center reference designs don't specifically address DMZ. However, this is a very common setup for ASAs.

The real wrinkles come in on the switching side. You have the option of using physically separate switches (which you have already decided not to do) and, given a Nexus 7k core, the next option is how to separate the DMZ and inside security zones. The most secure, given a standard 7k core would be to create a second VDC for the DMZ with no layer 3 services and have the ASA's DMZ interface be the default gateway for those hosts. A second option on the 7k would be to stick with one VDC but put the DMZ VLAN(s) in either their own VRF or simply make them L2 only on the ASA with the ASA again being the L3 gateway.

There are several other approaches you could take but the ones I just described are the most commonly used ones.

0 Helpful
Customers Also Viewed These Support Documents