Solved: Configure DMZ on an ASA 5510

CITIEngineer · ‎03-04-2013

Good Morning All,

I am confiuging a DMZ on my ASA 5510 but I have run out of physical ports, since I have dual Wan ports configured. I plan to implement a DMZ using subinterfaces. I have 2 questions:

1) Do I need to configure a Vlan to complete this task?

2) Do I need to re-configure the other interfaces for subinterfaces and/or vlans as well?

Thanks

William

Jouni Forss · ‎03-04-2013

Hi,

I am afraid that you will have to convert an existing interface to be used as a trunk interface for this purpose.

The Cisco ASA doesnt really give you a smooth way to do this change. The most important thing related to the ASA configurations that you have to notice that as soon as you start changing a single physical interface to be used as Trunk, you will be removing almost all of its configurations. (Namely the "nameif")

What this will do is that all the configurations referring to the "nameif" on the original physical interface will be removed and need to be entered manually for things to work again. There doesnt seem to be any way around this fact.

To prepare for such a change I usually take the output of

show run | inc

So that I get a list of all configurations referring to the interface that already existed.

The configuration might be something like this Before and After the changes

Before

interface GigabitEthernet0/0

description LAN

nameif inside

security-level 100

ip add 10.10.10.1 255.255.255.0

After

interface GigabitEthernet0/0

description LAN and DMZ Trunk

no nameif

no security-level

no ip add

interface GigabitEthernet0/0.10

vlan 10

description LAN

nameif inside

security-level 100

ip add 10.10.10.1 255.255.255.0

interface GigabitEthernet0/0.20

vlan 20

description DMZ

nameif dmz

security-level 50

ip add 10.10.20.1 255.255.255.0

Hope this helps

- Jouni

View solution in original post

Jouni Forss · ‎03-04-2013

Hi,

I am afraid that you will have to convert an existing interface to be used as a trunk interface for this purpose.

The Cisco ASA doesnt really give you a smooth way to do this change. The most important thing related to the ASA configurations that you have to notice that as soon as you start changing a single physical interface to be used as Trunk, you will be removing almost all of its configurations. (Namely the "nameif")

What this will do is that all the configurations referring to the "nameif" on the original physical interface will be removed and need to be entered manually for things to work again. There doesnt seem to be any way around this fact.

To prepare for such a change I usually take the output of

show run | inc

So that I get a list of all configurations referring to the interface that already existed.

The configuration might be something like this Before and After the changes

Before

interface GigabitEthernet0/0

description LAN

nameif inside

security-level 100

ip add 10.10.10.1 255.255.255.0

After

interface GigabitEthernet0/0

description LAN and DMZ Trunk

no nameif

no security-level

no ip add

interface GigabitEthernet0/0.10

vlan 10

description LAN

nameif inside

security-level 100

ip add 10.10.10.1 255.255.255.0

interface GigabitEthernet0/0.20

vlan 20

description DMZ

nameif dmz

security-level 50

ip add 10.10.20.1 255.255.255.0

Hope this helps

- Jouni

CITIEngineer · ‎03-04-2013

Thanks Jouni,

Would this only need to have on the change on GigabitEthernet0/0 interface will my outside interfaces need to be reconfigured for VLANs as well?

Jouni Forss · ‎03-04-2013

Hi,

Only the physical interface that is changed from normal physical interface into a trunk (a group of sub interfaces like on a Cisco router) will be configured again.

You wont have to change any of the other interfaces configurations.

- Jouni

CITIEngineer · ‎03-04-2013

ThanksJouni I apreciate the help!