Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
340
Views
0
Helpful
1
Replies

Issues with DMZs

macgyver0099_1
Level 1
Level 1

‎01-31-2018 08:24 AM - edited ‎03-08-2019 01:38 PM

Hello,

 

I have two DMZs defined as DMZ and DMZ2 on my ASAx 5545.  They both have interfaces defined as such on the ASAx and similar policies.  We have a DMZ switch with all devices from both DMZs plugged into it.  There are two connections a piece going to each DMZ on the ASAX from the DMZ switch via access ports for vlans assigned to each DMZ.  However, the connections going from the DMZ to the Core switch where all of our users and other equipment are defined are both access ports assigned to DMZ only.  There is a management IP for the switch assigned from the pool of IPs assigned to DMZ2, though, and no layer 3 IP assigned for the DMZ vlan.  Lastly, there are no layer 3 addresses assigned for either vlan on either the Core or DMZ SWITCH, except for the management IP on the DMZ switch for DMZ2.  The pool of IPs for both DMZs exist otherwise only on the ASAx.

 

In addition to the connections the Core has to the DMZ switch, it also has connections to the ASAx to the inside, outside and management interfaces.  It does not have a connection to either the DMZ or DMZ2 interfaces except through the DMZ switch.

 

The problem I have begins with not being able to ping devices for DMZ2 from the Core switch and access switches connected to the Core.  I can ping these devices from the ASAx and the DMZ switch, however, and I can ping all devices for the DMZ from anywhere. 

 

My questions, therefore, are twofold.  First, why can I not ping all devices from all switches; and second, what are my options for setting this up so that I can disconnect my Core from the DMZ switch and still be able to ping all devices from everywhere?

Labels:
0 Helpful
1 Reply 1

sludge3000
Level 1
Level 1

‎01-31-2018 09:13 AM

Hi macgyver009_1,

Regarding PING, that's probably being dropped by the ASA. Check your firewall logs to confirm.

Regarding you DMZ and core connectivity, I would not recommend allowing direct access between the two. The whole point of a DMZ is to create publicly accessible systems logically separated from internal systems.
Any traffic between these two should be Core > DMZ connections only and should run through your ASA.
If you need management connectivity between the devices, use a separate management VLAN, but again, I would recommend a separate management VLAN for DMZ devices and internal devices.

Luke

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card