
Create a DMZ Vlan

jbogdan
Level 1

I need to create a DMZ Vlan.  Core switch is a 6509.  FW is an ASA5520.  Need to create a VLAN for DMZ purposes for outside facing servers.  NAT is used on ASA.  All help is appreciated.                

7 Replies

Julio Carvajal
VIP Alumni

Hello,

Okay, so you will create the VLAN on the core switch, then connect it to one of the ASA interfaces.

All you need to do on the ASA is to create a NAT rule for that new vlan ( subnet), setup a route on the ASA pointing to that core switch in order to reach the new vlan.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Addressing is the next question.  Internally on the core I set a VLAN called DMZ-LAN of 10.90.x.x 255.255.0.0.  Should I have used an address of one of my class C's instead?  example: 192.160.223.x   255.255.255.0

Hello,

No, that is not a requirement, you can use a different range,

Just add the following on the ASA

route internal 10.90.0.0 255.255.0.0 core_switch_ip

Then

nat (internal) 1 10.90.0.0 255.255.0.0

global (outside) 1 interface

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
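To turn the addressing discussed above into the three ASA lines from the reply, here is an added helper (not from the thread or from Cisco) that normalises the DMZ range to its network address, checks it does not overlap networks already routed on the ASA, and checks the next hop is not inside the DMZ itself. The interface names "internal"/"outside", the 10.90.0.0/16 DMZ and the core switch address 10.1.1.2 are assumed values for illustration.

```python
import ipaddress


def asa_dmz_config(dmz_subnet, core_switch_ip, inside_if="internal",
                   outside_if="outside", existing_subnets=()):
    """Return ASA 8.2-style route/nat/global lines for a DMZ VLAN that is
    routed on the core switch, after sanity-checking the addressing.

    dmz_subnet       DMZ range, e.g. "10.90.0.0/16" (the thread's
                     10.90.x.x 255.255.0.0); host bits are cleared.
    core_switch_ip   next hop towards the core on the ASA-core link
                     (constructed value in the usage below).
    existing_subnets networks already routed on the ASA; the DMZ range
                     must not overlap any of them or routing becomes
                     ambiguous.
    """
    # strict=False masks off host bits, so "10.90.5.7/16" -> 10.90.0.0/16
    dmz = ipaddress.ip_network(dmz_subnet, strict=False)
    nexthop = ipaddress.ip_address(core_switch_ip)

    for s in existing_subnets:
        other = ipaddress.ip_network(s, strict=False)
        if dmz.overlaps(other):
            raise ValueError(f"DMZ {dmz} overlaps existing network {other}")

    # The next hop lives on the transit link to the core, not in the DMZ;
    # if it did, the static route would point back into the DMZ range.
    if nexthop in dmz:
        raise ValueError(f"next hop {nexthop} lies inside DMZ {dmz}")

    return [
        f"route {inside_if} {dmz.network_address} {dmz.netmask} {nexthop}",
        f"nat ({inside_if}) 1 {dmz.network_address} {dmz.netmask}",
        f"global ({outside_if}) 1 interface",
    ]


if __name__ == "__main__":
    # Constructed example: inside network 10.1.0.0/16, transit link to
    # the core at 10.1.1.2, new DMZ VLAN 10.90.0.0/16.
    for line in asa_dmz_config("10.90.0.0/16", "10.1.1.2",
                               existing_subnets=["10.1.0.0/16"]):
        print(line)
```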

Thank you!  Learning something new every day. 

Hello,

My pleasure to help,

If you do not have any questions, please mark it as answered,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I'm confused by this statement:

global (outside) 1 interface

What interface? 

Hello,

That is used for the internal users to be able to traverse the internet.

You need a public and routable IP to traverse the internet,

In this case the outside interface is the public one.

Regards,

Julio

Remember to rate all of the helpful posts, if you do not know how to do that just let me know, I will teach you ;D

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC