Solved: Hi ,

Matt Dunleavy · ‎01-03-2017

Hi,

I am looking at using a cisco 3750G with an SVI, How do I setup the ASA to route its DMZ interface to the 3750G and still maintain NAT rules?

Bascailly

Outside ---- > ASA ---> Router (3750G) ---> Server

Pablo · ‎01-03-2017

Matt,

The introduction of the 3750G shouldn't represent much of a difference for the ASA. I'm guessing the current topology and the expected diagram to be as follows:

Current

Outside > ASA - (Subnet X) - Server

Expected

Outside > ASA - (Subnet X) - (SVI) 3750 (SVI) > (Subnet Y) - Server

If I got that right then your NAT is not going to change but you need to add an static route towards the 3750 so it knows how to reach "Subnet Y"

In the other hand, if you plan to leave everything on the "subnet X" and just introduce the 3750 and configure an IP from the current subnet then you don't need to do anything on the ASA.

HTH

__ __

Pablo

View solution in original post

Pablo · ‎01-03-2017

Matt,

The introduction of the 3750G shouldn't represent much of a difference for the ASA. I'm guessing the current topology and the expected diagram to be as follows:

Current

Outside > ASA - (Subnet X) - Server

Expected

Outside > ASA - (Subnet X) - (SVI) 3750 (SVI) > (Subnet Y) - Server

If I got that right then your NAT is not going to change but you need to add an static route towards the 3750 so it knows how to reach "Subnet Y"

In the other hand, if you plan to leave everything on the "subnet X" and just introduce the 3750 and configure an IP from the current subnet then you don't need to do anything on the ASA.

HTH

__ __

Pablo

Matt Dunleavy · ‎01-03-2017

Hi Pablo,

Thank you for the reply,

Currently we have it setup as following

Interface 1: Outside

Interface 2: Inside

Interface 3: DMZ

What I want to do is move the Inside and DMZ to the other side of the router (3750G)

So we will create a new subnet Y and Subnet DMZ and Subnet Inside will be on the other side.

Can you tell me if all all I need to do is

1 remove the current IP from the interfaces,

2 add a new ip to an interface and subnet,

3 set a static route to the router/3750G SVI

and will all the current NAT rules will work?

Pablo · ‎01-03-2017

Hey Matt,

Yeah, the NAT should still work after following the steps you outlined.

The 3750 will also need to be configured with a default route pointing to the ASA internal IP.

If you have any problems with this let me know.

__ __

Pablo

MANI .P · ‎01-04-2017

Hi ,

i think you are looking for similar configuration ?

http://www.cisco.com/image/gif/paws/115904/asa-config-dmz-00.pdf

in that you are added a router inbetween ASA and DMZ.

to bring all the host behind the Router at DMZ , use default or static route from DMZ interface at ASA.

regards,

Mani

Peter Koltl · ‎01-07-2017

It seems to me you intend to connect both inside and DMZ via the new transit Y Vlan. Currently the firewall has 3 connected zones. In the new setup it would have two connected zones: outside and (Y with inside and DMZ). If you want to keep separation between inside and DMZ then you still need 3 connected zones on the firewall. A possible solution is:

Y1 - 3750 - inside

Y2 - 3750vrfDMZ - DMZ

Matt Dunleavy · ‎01-07-2017

The ultimate issue we are trying to solve is data transversing through the ASA between (internal and dmz). We are running web servers on the DMZ and SQL servers on the Internal.

The SQL servers are all bottlenecking when it passes through the ASA a total bandwidth of 650mbits is available for all ports on the ASA. We have found when passing huge amounts of traffic between the DMZ and Internal we achieve 550mbits and the outside drops to around 100mbits.

The idea is to move everything off the ASA so the Layer 3 switch does the intervlan routing and the ASA protects everything from the outside in.

Peter Koltl · ‎01-09-2017

I see but that means you sacrifice security for throughput.

How to forward ASA DMZ to another router and still NAT?