ASA 5510: Enabling a second DMZ

vitute2006
Level 1

Hi:

I've just bought an ASA5510-AIP10-K9 (ASA 5510 Appliance with AIP-SSM-10, SW, 3FE, 3DES/AES) to implement perimeter security. I planned to use only 1 DMZ but things have changed, and now I need to implement a second DMZ. The ASA-5510 has 4 ports in-built but in mine only 3 are available. How can I enable the fourth port (2nd DMZ)? Someone told me about a license, but I don't find info about it. Please help me.

2 Replies

dbakula01
Level 1

You could just put a switch or hub off of that port you are using as the DMZ and it's treated just like its own network that you can limit what data goes in and out of.

Or if you need 2 different DMZs for some reason, just treat another port of it as a separate network and make some access-lists to restrict traffic.

I do not believe you can change that. The 5510 only has the three interfaces even though there are 4 physical ones. This is a model limitation, not a licensing issue.

You can, however, get around this by trunking that third port down to a switch and creating two DMZs sharing one interface. So, on the switch that the DMZ port is plugged into, do the following.

1. Create 2 VLANs (1 for each DMZ)

2. Configure the port that the DMZ port is plugged into to be a trunk port with those two VLANs.

On the ASA do the following. Create two interfaces and map them to the two VLANs being trunked to from the switch. You will now have 2 DMZs sharing the same interface...

If you require more information, check out trunking in the configuration guide for the OS level you are using.
