427 Views, 0 Helpful, 4 Replies

Cisco ASA 5540 Trunked to 3750G with InterVLAN Routing

Matt Dunleavy
Level 1

Hi all,

We have 3 subnets:

Outside: 203.0.0.0 (GigabitEthernet0/0)

DMZ: 172.16.1.0 (GigabitEthernet0/1)

Inside: 192.168.10.0 (GigabitEthernet0/2)

Currently DMZ and Inside go out to separate Layer 2 switches, which means all DMZ-to-Internal traffic bottlenecks through the ASA.

The ASA NATs outside addresses to DMZ

We have acquired a 3750G switch and would like to enable intervlan routing.

Basically we want to stop the traffic bottlenecking through the ASA and inter-VLAN route via the 3750G switch.

What config would I need to set on the ASA and the Cisco 3750G? There are currently no VLANs, so we would need to create them.

Thank you all for your help in advance.

4 Replies

Hello,

good idea to offload the inter-VLAN routing to the 3750G. You need to enable 'ip routing' globally on the 3750, and then create two VLANs, one for the DMZ, one for the inside. A default route should point to the ASA.

The thing I am not sure about is how to set up the NAT. Is it still a requirement, in the new setup, to NAT the outside addresses to DMZ addresses ?

How will the 3750 connect to the ASA? Will you keep it as two physical connections on the ASA and use two access ports on the 3750? Or would you make it into a trunk connection?

You might think about the security implications of routing between vlans on the 3750. One of the basic security premises about the DMZ is that it is isolated from the outside and isolated from the inside and that you control what traffic goes in and out of the DMZ. If you route between DMZ and Inside on the 3750 then you have removed that isolation.

HTH

Rick


Hi Richard,

Thank you for taking the time to reply. I replied in another post, and I am sorry if I am not making sense (I am a Cisco newbie).

Basically our traffic between the DMZ and Internal is Web (DMZ) and SQL (Internal).

The ASA can't sustain the throughput and is bottle-necking our servers communicating with each other.

The plan was to use ACL rules on the 3750G to keep it secure.

What I am trying to do is figure out the best way to move the traffic flow to keep it on the switches, without changing too many NAT rules, as well as still allow access for our VPN (which terminates on the ASA) to get to both subnets.

I understand that the issue may well be that the ASA does not have adequate processing capacity to keep up with the traffic between servers. And I understand that it is an attractive alternative to move the traffic so that communication between DMZ and Inside is handled by the 3750 which certainly has more capacity for forwarding traffic. I just want to make sure that you and your management have considered the security implications of removing the isolation between DMZ and Inside. You can do ACLs on the 3750 but that does not give the same level of security that the ASA would have. I certainly do not know your environment well enough to assess the risk but want to make sure that you do recognize that it does carry some risk.

HTH

Rick

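As an added example (not configuration posted in this thread), here is a 3750G config that applies Rick's three steps from the first reply and adds the restrictive ACL Matt mentioned, so that the only DMZ-to-Inside traffic the switch forwards is the web-to-SQL flow the thread describes. It assumes /24 masks on the posted subnets, a placeholder ASA inside address of 192.168.10.254, web servers at 172.16.1.10-.11, an SQL server at 192.168.10.20 on TCP 1433 (the Microsoft SQL default), and that the ASA attaches through an access port in the Inside VLAN with a static route for the DMZ subnet pointing back at the switch; with that design the ASA's DMZ NAT would have to move to its inside interface, and a trunk with separate ASA subinterfaces would instead need care to avoid asymmetric paths, which the thread does not settle.

```cisco
! Added example, not config from the thread. Implements Rick's steps
! (ip routing, two VLANs, default route to the ASA) plus a DMZ-to-Inside ACL.
! ASSUMED: /24 masks; SVIs at .1; ASA inside address 192.168.10.254 (placeholder);
! DMZ web servers 172.16.1.10-.11; SQL server 192.168.10.20 on TCP 1433.
ip routing
!
vlan 10
 name INSIDE
vlan 20
 name DMZ
!
interface Vlan10
 description Inside servers
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 description DMZ web servers
 ip address 172.16.1.1 255.255.255.0
 ip access-group DMZ-TO-INSIDE in
!
! Everything the switch does not know (Internet, VPN clients) goes to the ASA.
! The ASA needs a static route for 172.16.1.0/24 pointing back at 192.168.10.1.
ip route 0.0.0.0 0.0.0.0 192.168.10.254
!
! Only the web servers may open connections to the SQL server, and only on 1433;
! every other DMZ-to-Inside packet is dropped and logged. DMZ traffic to any
! other destination (Internet via the ASA) is still allowed.
ip access-list extended DMZ-TO-INSIDE
 permit tcp host 172.16.1.10 host 192.168.10.20 eq 1433
 permit tcp host 172.16.1.11 host 192.168.10.20 eq 1433
 deny   ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip 172.16.1.0 0.0.0.255 any
!
interface GigabitEthernet1/0/1
 description Link to ASA inside (GigabitEthernet0/2)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description Inside SQL server
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description DMZ web server
 switchport mode access
 switchport access vlan 20
```

The ACL is stateless, so the SQL server's replies pass unfiltered on Vlan10; the "log" keyword on the deny line gives you visibility into anything else the DMZ tries to reach inside, which is the check Rick's warning about lost isolation calls for.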