topic Re: 2 VLANs in DMZ in Network Security

2 VLANs in DMZ

wojtek666 — Wed, 13 Mar 2019 01:05:28 GMT

Hello,

On our ASA 5520 I have the following config:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 218.257.136.133 255.255.255.224 standby 218.257.136.134

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.231.52.1 255.255.255.0 standby 10.231.52.3

interface GigabitEthernet0/2

no nameif

no security-level

no ip address

Both g0/0 and 0/1 are connected to a cisco 4500 core switch physically. Now I'm not sure how to approach having two separated vlans in the DMZ that I would want to put on g0/2. One would be 172.16.30.0/24 and other 172.16.33.0/24. I was thinking of creating subinterfaces on the ASA and assigning proper IP on each one and on the switch side I would make the interface a trunk allowing both vlans. The problem is I canot create a subinterface on the ASA - it does not allow me to apply the changes in ASDM and CLI says:

Haddad/2(config)# int g 0/2.1

ERROR: % Invalid input detected at '^' marker.

Haddad/2(config)#

Any idea wh I would not be able to create the subinterface on the ASA, or perhaps any other suggestion how I could make the DMZ with 2 vlans? Also there is 4 physical interfaces on the ASA yet I only see 3 in the config and in ASDM and I'm not sure why. I just took over and i don't have any kind of a documentation for the network so any help would be greatly appreciated. thanks in advance

Voyteck

Re: 2 VLANs in DMZ

Jouni Forss — Fri, 02 Aug 2013 20:25:56 GMT

Hi,

Would this by any chance be a ASA pair running in Multiple Context mode?

An Active/Active pair?

This would mean that you CAN NOT configure new interface under a Security Context but rather you would have to configure subinterfaces with Vlans under System Context space and attach those subinterfaces under the Security Context that needs them. Then those Subinterfaces would show up under the Security Context configuration and could be assigned "nameif" , "security-level" and "ip address" amont other things.

- Jouni

2 VLANs in DMZ

wojtek666 — Fri, 02 Aug 2013 20:28:50 GMT

Yes, but I believe they would be in the active/standby but I might be wrong

Re: 2 VLANs in DMZ

Jouni Forss — Fri, 02 Aug 2013 20:37:42 GMT

Hi,

Well if you can use CLI then this can be checked by going to the System Context configuration space and issuing the command

show run context

It should show if Security Contexts are configured to different Failover Groups.

Or you might be able to check this with command

show run failover

But wether its a Active/Standby or Active/Active you would have to configure new interfaces on the System Context first

You for example check the configuration of GigabitEthernet0/2 in the System Context

show run interface GigabitEthernet0/2

If it doesnt have any configurations you could for example do

Configuring Interfaces in System Context

interface GigabitEthernet0/2

description DMZ Trunk

interface GigabitEthernet0/2.100

description DMZ1

vlan 100

interface GigabitEthernet0/2.200

description DMZ2

vlan 200

Adding Subinterfaces Under the Security Context

context CONTEXT-NAME

allocate-interface GigabitEthernet0/2.100

allocate-interface GigabitEthernet0/2.200

Moving to under the Security Context

changeto context CONTEXT-NAME

Configuring the Subinterfaces under Security Context

interface GigabitEthernet0/2.100

description DMZ1

nameif dmz1

security-level 50

ip add 172.16.30.1 255.255.255.0 standby 172.16.30.2

interface GigabitEthernet0/2.200

description DMZ2

nameif dmz2

security-level 50

ip add 172.16.33.1 255.255.255.0 standby 172.16.33.2

I would suggest going through the setup though and not just configuring these in the ASA.

The above should give you an example of adding the interfaces in a Multiple Context mode ASA

Hope this helps

- Jouni

Re: 2 VLANs in DMZ

wojtek666 — Tue, 06 Aug 2013 14:47:35 GMT

Hi,

Thank you for the reply.

I cannot change the context to system - it does not allow me

Haddad/2# changeto system

Command not valid in current execution space

Haddad/2#

Any suggestions here? Thanks in advance

2 VLANs in DMZ

Jouni Forss — Tue, 06 Aug 2013 15:06:22 GMT

Hi,

Does the following command produce any output

show run prompt

It would seem to me that you would be under some Security Context as "Haddad/2" cant be a "hostname" of ASA.

- Jouni

Re: 2 VLANs in DMZ

wojtek666 — Tue, 06 Aug 2013 15:09:45 GMT

I get this:

Haddad/2# sho run prompt

ERROR: % Invalid input detected at '^' marker.

Haddad/2# sho run prompt

ERROR: % Invalid input detected at '^' marker.

Re: 2 VLANs in DMZ

wojtek666 — Tue, 06 Aug 2013 15:14:38 GMT

"^" is under prompt

2 VLANs in DMZ

Jouni Forss — Tue, 06 Aug 2013 15:22:27 GMT

Well this is strange.

For example the command

prompt

The only configuration mode under which this cant be used is under a Security Context

Yet you cant even change to the System Context space?

I guess we would need to see the firewall configuration because I am not sure what the problem is. If you cant even create an subinterface of a physical interface that the ASA holds then it would point to a situation that you are under a Security Context which doesnt allow creating an interface.

- Jouni

Re: 2 VLANs in DMZ

wojtek666 — Tue, 06 Aug 2013 15:42:01 GMT

If I do show context I get the following:

Haddad/2# sho context

Context Name Class Interfaces URL

2 default GigabitEthernet0/0, disk0:/context2.cfg

GigabitEthernet0/1,

GigabitEthernet0/2

Haddad/2#

So it looks like there is a context on this device nammed "2." I still cannot change to system though. If I go to the failover device I change contexts with no problem:

Haddad/admin# sho context

Context Name Class Interfaces URL

*admin default GigabitEthernet0/0, disk0:/admin.cfg

GigabitEthernet0/1,

GigabitEthernet0/2

Haddad/admin# change

Haddad/admin# changeto sys

Haddad/admin# changeto system

Haddad# change to admin

ERROR: % Invalid input detected at '^' marker.

Haddad# changeto admin

ERROR: % Invalid input detected at '^' marker.

Haddad# changeto conte

Haddad# changeto context admin

Haddad/admin#

Haddad/2# sho context
Context Name      Class      Interfaces           URL
2                default    GigabitEthernet0/0, disk0:/context2.cfg
                             GigabitEthernet0/1,
                             GigabitEthernet0/2
Haddad/2#

Maybe I could add another context that I could switch to system from? Also if I create a new context a my device is running in prod and I'm doing this during business hours any risks I should be aware of (like device having to reboot, disconnecting user sessions, etc). Thank you

2 VLANs in DMZ

Jouni Forss — Tue, 06 Aug 2013 15:54:04 GMT

Hi,

Seems you use a bit wrong command formats above (though you found the correct one)

The following command should be able to change you to System Context from under any Security Context

changeto system

The following command should be able to change you to the Security Context of your choice from any other Context or System Context

changeto context

The following command should enable you to show a cleare output of all the contexts configured on the device. Use it in System Context space

show run context

To my understanding your purpose was to use the Gi0/2 as a Trunk for DMZ purposes. So first you would need to check its configurations. If its already in some use then it will be harder to do the change in a production environment

You can use the following command in System Context space to list the current interface configurations

show run interface

To my understanding all commands should be supported whichever unit you are logged in on. Naturally all configuratins should be done on the Active unit or the configuration will be out of sync.

- Jouni