How to setup DMZ switch and ASA

NetworkMonkey101 — Wed, 19 Apr 2023 16:01:44 GMT

Hi all,

I am attempting to setup a DMZ client, switch and ASA. Currently the DMZ switch can ping the DMZ gateway of 172.16.1.1 but the client cannot. What am I missing?

DMZ

#show run
Building configuration...

Current configuration : 3696 bytes
!
! Last configuration change at 15:52:40 UTC Wed Apr 19 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname DMZ
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
no ipv6 cef
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description DMZ > ASA
switchport access vlan 500
switchport mode access
negotiation auto
!
interface GigabitEthernet0/1
switchport access vlan 30
media-type rj45
negotiation auto
!
!
interface Vlan500
ip address 172.16.1.2 255.255.255.0
!
ip default-gateway 172.16.1.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
end

------------------------------------------------------------------------------

ASA

ciscoasa# show run
: Saved

:
: Serial Number: 9A3B848QTNH
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 3500 MHz, 1 CPU (2 cores)
:
ASA Version 9.16(2)
!
hostname ciscoasa
domain-name TEST.local
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto

!
interface GigabitEthernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ
nameif DMZ
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no management-only
nameif MGMT
security-level 100
ip address 10.255.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name TEST.local
same-security-traffic permit inter-interface
pager lines 23
logging enable
logging timestamp
logging buffer-size 99999
logging trap debugging
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu MGMT 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any INSIDE
icmp permit any DMZ
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
router eigrp 1
network 10.1.1.0 255.255.255.0
network 172.16.1.0 255.255.255.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 MGMT
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
!!!!
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect snmp
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:b3d33d8e3c9e429cefa8b91c4c686667
: end
ciscoasa#

-----------------------------------------------------------------------------

DMZ CLIENT

PC3> show ip

NAME : PC3[1]
IP/MASK : 172.16.1.100/24
GATEWAY : 172.16.1.1
DNS :
MAC : 00:50:79:66:68:01
LPORT : 20149
RHOST:PORT : 127.0.0.1:20150
MTU : 1500

PC3>

Re: How to setup DMZ switch and ASA

Rob Ingram — Wed, 19 Apr 2023 16:07:00 GMT

@NetworkMonkey101 the interface PC3 is connected to is not in the correct VLAN, it's in VLAN 30 but should be in VLAN 500.

Change to:

interface GigabitEthernet0/1
switchport access vlan 500

Re: How to setup DMZ switch and ASA

NetworkMonkey101 — Wed, 19 Apr 2023 16:26:45 GMT

Thanks I have change this, and now able to ping the DMZ GW from the DMZ client.

Also is this the correct way to setup my VLANs, the core has a VLAN 500 but in a different network which I had intended to use as a Management network but now I am using VLAN 500 in my DMZ with a different subnet.

DMZ switch

Vlan500 172.16.1.2 YES manual up up

Access switch

Vlan500 10.1.1.3 YES NVRAM up up

Core switch

Vlan500 10.1.1.2 YES NVRAM up up

Doesn't seem right to be using VLAN 500 in the DMZ with 172.16.1.X...

Re: How to setup DMZ switch and ASA

MHM Cisco World — Wed, 19 Apr 2023 16:30:51 GMT

since there is L3 device (FW) between SW you can use same VLAN.
there is no problem BUT you must sure you config FW with router port not as subinterface

Re: How to setup DMZ switch and ASA

Rob Ingram — Wed, 19 Apr 2023 16:33:34 GMT

@NetworkMonkey101 well it's a different VLAN 500 on the DMZ, the DMZ switch won't know about the other VLAN 500 the other side of the firewall. Just change it to something different if you wish.

Re: How to setup DMZ switch and ASA

NetworkMonkey101 — Wed, 19 Apr 2023 16:44:41 GMT

Thank you both for your help, onto the next part of the topology 🙂

Re: How to setup DMZ switch and ASA

MHM Cisco World — Wed, 19 Apr 2023 17:07:15 GMT

You are welcome

topic How to setup DMZ switch and ASA in Network Security

How to setup DMZ switch and ASA

Re: How to setup DMZ switch and ASA

Re: How to setup DMZ switch and ASA

Re: How to setup DMZ switch and ASA

Re: How to setup DMZ switch and ASA

Re: How to setup DMZ switch and ASA

Re: How to setup DMZ switch and ASA