If you have a free port/interface on your ASA, you can create a VLAN on the switch, and because it is an L3 switch you can either create an SVI or a routed interface on the switch belonging to that VLAN subnet, connect it to the ASA port, and configure it as a DMZ.
If you don't have enough ports, you can do the same thing on the switch: create VLANs and make the port to the ASA a trunk, and on the ASA create subinterfaces. Each subinterface can be treated as a separate interface with all the configs such as security level and IPs, but keep in mind that the ASA uses dot1q trunking, so make the switch trunk dot1q.
In both solutions, don't do routing on the switch; instead, make the communication between VLANs go through the ASA to achieve your requirement of a separate DMZ.
It really doesn't matter on which switch you do it. I would rather suggest you create sub-interfaces on the inside interface of the ASA 5520 and assign different VLANs to each sub-interface. However, do keep in mind that sub-interfaces in the ASA are a bit trickier than the sub-interfaces in routers. Keep an eye on the term "L2 decode error" in sh interface. It is just like a VLAN mismatch sort of error, to give you a hint to check your VLAN settings and connections.
Here is the link to configure virtual interfaces on the ASA.
No problem. I have a Cisco ASA 5520 and I want to create some VLANs for web servers, and maybe some other VLANs in the future for other projects. I would like them to be firewalled through the ASA. I have a spare 3750, and it seems the best approach as I only have 1 spare gigabit port left (inside, outside, failover, spare).
Is it a good approach to trunk off the 5520 into the 3750 and create subinterfaces?
Make subinterfaces on the spare port, and it will already trunk it with dot1q. On the switch side, make a dot1q trunk and create the VLANs on the 3750 switch, but do not make any routing between those VLANs on the switch, as you want the communication between them to be firewalled through the ASA.
All you need is to give each subinterface a security level, an IP address, and the VLAN number corresponding to the VLAN on the switch.
On the hosts, make the default gateway the subinterface of the ASA in the corresponding VLAN.
Then you can make ACLs and whatever else you want to control the communication between ASA interfaces, subinterfaces and non-subinterfaces.
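The two answers above (create VLANs on the 3750, trunk the spare ASA port with dot1q, give each ASA subinterface a VLAN, security level and IP, and keep inter-VLAN routing off the switch) as one worked configuration. This is an added example, not configuration posted by anyone in the thread. The port names (ASA GigabitEthernet0/3, 3750 GigabitEthernet1/0/1 and 1/0/2), VLAN IDs 10 and 20, the interface names dmz-web and dmz-proj, and the RFC 1918 addresses (10.10.10.0/24, 10.10.20.0/24, and 192.168.1.0/24 for the inside network) are all assumptions chosen for illustration.

```cisco
! ===== ASA 5520: dot1q subinterfaces on the spare port (assumed Gi0/3) =====
! The physical port carries the trunk only: no nameif, no security level, no IP.
interface GigabitEthernet0/3
 description Trunk to 3750 Gi1/0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN; the "vlan" statement is the 802.1Q tag that must match the switch.
interface GigabitEthernet0/3.10
 vlan 10
 nameif dmz-web
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/3.20
 vlan 20
 nameif dmz-proj
 security-level 40
 ip address 10.10.20.1 255.255.255.0
!
! Inbound ACL on dmz-web: web servers may not initiate to inside or to the other DMZ,
! but may reach anything else (the Internet). Replies to inside-initiated sessions are
! allowed by the stateful inspection and need no rule here.
access-list dmz-web_in extended deny ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz-web_in extended deny ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list dmz-web_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group dmz-web_in in interface dmz-web
!
! ===== Catalyst 3750: VLANs, dot1q trunk to the ASA, access port for a web server =====
vlan 10
 name DMZ-WEB
vlan 20
 name DMZ-PROJ
!
! Trunk to the ASA. The 3750 needs the encapsulation set explicitly; the ASA only speaks dot1q.
! Only the DMZ VLANs are allowed on the trunk and DTP negotiation is turned off.
interface GigabitEthernet1/0/1
 description Trunk to ASA Gi0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Web server port. Its default gateway is the ASA subinterface, 10.10.10.1.
interface GigabitEthernet1/0/2
 description web server 1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Deliberately absent: "interface Vlan10" / "interface Vlan20" with IP addresses and "ip routing".
! Without SVIs in these VLANs the 3750 cannot route between them, so every packet from
! VLAN 10 to VLAN 20 or to inside must go up the trunk and through the ASA's ACLs.
```

Two things to check after applying this. First, `show interface GigabitEthernet0/3` on the ASA: the "L2 decode drops" counter climbing is the VLAN-mismatch symptom mentioned earlier in the thread, typically because the switch is sending a tag the ASA has no subinterface for, or untagged (native VLAN) frames; keeping the allowed-VLAN list to exactly the VLANs that have subinterfaces avoids that. Second, the ASA drops traffic between two interfaces with the same security level unless `same-security-traffic permit inter-interface` is set, so giving dmz-web and dmz-proj different levels (or setting that command and relying on ACLs) is a deliberate choice, not an oversight.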