cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
729
Views
0
Helpful
7
Replies

Help with new DMZ Setup

loftadmin
Level 1
Level 1

ASA 5520 with three interfaces - inside, outside, and now newly created DMZ - all physical interfaces on the FW

Inside interface is connected directly to layer 2 switch with port on switch set as access port for a specific VLAN 601

This layer 2 switch has a trunking port set up over to a layer 3 6509 switch where all the vlans are defined and the SVI are configured and inter vvlan routing is working between about 7 or 8 internal VLANS

                  

I've created the new DMZ physical interface and brough it up with an IP and subnet

I've cabled this port over to the layer 2 switch where the new DMZ vlan has been created and I set the switchport to that vlan as an access port

I know the new DMZ vlan is being allowed over the trunk to the layer 3 6509 switch

I have created the VLAN on the 6509 switch as well (We don't use VTP)

Set a switchport on the 6509 as an access port and attached a PC with IP settings including setting the GW to 172.16.15.1 which is the DMZ int IP

What would be some ideas for finsihing the config so the routing works as intended and security contexts are maintained?

Any help would be approciated!

7 Replies 7

Jon Marshall
Hall of Fame
Hall of Fame

Joel

You don't want the DMZ vlan to be allowed on the trunk link to the 6500 only the inside vlan should be allowed on that trunk.

The 6500 does not need the vlan in it's vlan database and you certainly wouldn't want an SVI for it as it would route straight to the DMZ without going via the inside and vice versa which if you are hosting services in the DMZ would be avery bad idea.

All the 6500 needs to be able to do is route to the DMZ and if you already have internet i assume there is a default route on the 6500 pointing to the ASA inside interface so you won't need an additional route.

In terms of finishing it off it all depends what you are putting in the DMZ, who needs access to it and what access the DMZ devices need so it's a bit difficult to say without knowing further details.

Edit - Couple of other points -

1) if the only reason for a trunk between the 6500 and 2960 is for the inside and DMZ vlans then you do not need a trunk it could just be an access port in the vlan used for the 6500 to ASA inside interface. However you may need another vlan if you use a separate management vlan for your switches.

2)  i'm assuming you have enough ports on the 2960 switch for all the DMZ devices. If you don't then yes you could run the vlan back to the 6500 although you wouldn't configure an SVI but this would not be ideal ie. for a device inside to get to a DMZ device  it would go -

PC -> 6500 -> trunk link -> 2960 ->  inside ASA -> dmz -> 2960 ->  trunk link -> 6500 -> dmz device

Jon

So important point:

Firewall is actually at a remote site with the layer 2 2960 switch and relocating DMZ server canidates to that location from the data center where the 6509 is located isn't an option.

There is a default route on the 6509 that point to the IP of the internal int on the FW. I need to be able to connect potential/future DMZ hosts to the 6509.

1. Trunking management vlan as well  from the 6509 over to the 2960 at remote site.

2. Again 2960 is remote so relocting candidates for DMZ not feasible.

I did not create the SVI for the DMZ on the 6509 as you mentioned; just the vlan itself. Thinking I need a static route now defined on the 6509 to the int of the DMZ on FW and a route on the FW back?

Is that correct based on the new information I presented? Thanks much!

Joel

Okay, i can understand why you need to do that now.

Thinking I need a static route now defined on the 6509 to the int of the DMZ on FW and a route on the FW back?

The route for the DMZ subnet would point to the inside interface of the ASA not the DMZ interface. It has to because you do not have an SVI for the DMZ subnet on the 6500 (and you shouldn't) so it can't route direct to the DMZ. I'm assuming you wouldn't want this anyway ie. routing directly both ways between the 6500 and the DMZ without going via the firewall.

Whether or not you actually need a route on the 6500 depends on your current routes. If you had a default route pointing to the inside interface of the ASA anyway for internet then that would also take care of the new DMZ subnet. If you don't then yes you would probably need a route as described above.

In terms of a return route again it depends. If the ASA is already being used for internet again routes should already be in place on the ASA for all the internal subnets. If not then yes the ASA would need to have routes for the internal subnets so that communcation would work between the internal subnets and the DMZ subnet.

Jon

I understand what you are saying here but my question is:

What gateway address am I point my new DMZ hosts to? The IP associated with the internal interface on the FW?

For the DMZ hosts the default gateway would be the DMZ interface IP on the ASA.

Jon

VLAN needs to be created and defined on FW then? Usually this is done on our Catalyst 6509 which is why I'm a little confused. Only thing that has been done on FW is INT created/configured and enabled.

Right now host is configured with IP address in vlan, GW & subnet properly defined, vlan created on both switches, and vlan being trunked between switches. Cannot ping DMZ INT from host connected to the 6509.

So you have the L2 vlan on both the 6500 and the 2960 ie. in the vlan database and that vlan is allowed on both trunk links. You don't have a L3 SVI on the 6500 for this vlan.

The ASA DMZ interface has a cable connecting it to 2960 and that switchport is allocated to the DMZ vlan.

If that is what you have done then you should be able to ping the DMZ interface from a device in that vlan but you won't be able to ping it from a device not actually allocated into that vlan.

Jon

Review Cisco Networking for a $25 gift card