Options for setting up a DMZ and internal network with an ASA 5505 and a single switch

Jean Milne
Level 1

Hi,

I'm a software developer in a very small team and I've recently inherited management of our tiny network.

My first task is to add a DMZ to it. I have been trying to figure out how to do this with our single ASA 5505 and ProCurve 2510G-48 switch for several days now and I am very clearly missing something.

We currently have one internal network which consists of a bunch of servers and workstations connected to a ProCurve switch which is connected to one of the ASA interfaces.  Most settings are default.  There are two VLANs on the ASA (outside and inside) and one VLAN on the switch (DEFAULT_VLAN).

The experiment is to :

  • route outside access to our spare public IP address into a test laptop in the DMZ
  • allow access out from the test laptop
  • allow limited access between the DMZ and internal network

Based on the reading around I have done so far, I was able to get a tiny single device DMZ working with the test laptop connected directly to a port on the ASA.  I managed to get it working so that the test laptop could be accessed from the outside via our spare public IP and that limited access was possible between the test laptop and the internal network.

Then I tried to add the switch and it's all gone downhill from there.  At the moment, I can't even ping the DMZ interface from the test laptop when it is connected to the switch.

Right now, I'm not even sure if I've got the cabling right, let alone the vlans etc.

My question is, should I be using:

  1. a second interface on the ASA for the DMZ?  And running two cables to the switch?
  2. a second interface on the ASA and two separate switches (one in the DMZ and one in the internal network)?
  3. only one ASA interface and one cable to the switch?

Any help would be greatly appreciated because I'm at a total loss and currently, all eyes are on me for a solution.

I have created a rudimentary diagram to try and show my experiment so far.  I want to change it so that two test laptops are in the DMZ on ports on the switch.


Julio E. Moisa
VIP Alumni

Hi Jean

Is it possible to share your ASA configuration? Usually the interface configured for the DMZ has security level 50.

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi Julio,

Thank you very much for reading my post.  It is hugely appreciated.

I've output the config but there is a lot of noise (to do with a site-to-site VPN, a remote access VPN and our phones).  

I've attempted to remove all the sensitive entries, which may make it worse... Please let me know.

Entries with the text vlan3, DMZ, MainOfficePublicWeb, TestDevice_DMZ, TestDevice_Internal and TestDevice_External are all my new stuff.

I've actually got my scenario working now.  I've carried vlan3 to the switch.  I now have ASA interface 0/2 and four ports on the switch all in vlan3.  It's not great because I'm not locking down the types of traffic yet.  Because of this, I've disabled the rule allowing access from the Internet to the DMZ.

It seems to work but I'm just not really convinced I've done it the best way.  I'm still struggling with the fundamentals of the scenario i.e. how should this be cabled up in the first place.  I've inherited this and it's not my forte but I must try my best to ensure that I'm following best practice as far as possible.

Thanks again for your reply.

Kind regards,

Jean
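As an added illustration (not the configuration posted in this thread, and not Cisco's or HP's own documentation), this is what option 1 from the question looks like in config: a second ASA 5505 switch port placed in VLAN 3 and cabled to a ProCurve port that is untagged in VLAN 3, with the DMZ interface at security level 50 as Julio mentions, and an access list that limits DMZ-to-inside traffic to a single service. Subnets, switch port numbers and the internal DNS host are assumptions; NAT and the static mapping of the spare public IP are omitted because their syntax depends on the ASA software version.

```cisco
! ===== ASA 5505 (assumed addressing: inside 192.168.1.0/24, DMZ 192.168.3.0/24) =====
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 192.168.3.1 255.255.255.0
! On a Base license the third VLAN may only talk to one of the other two;
! uncomment the next line so VLAN 3 cannot initiate traffic to VLAN 1 (inside).
! Not needed on a Security Plus license.
! no forward interface Vlan1
!
! Second physical port on the ASA, cabled to the ProCurve. Untagged (access) port,
! so the ProCurve side is untagged in VLAN 3 as well and no trunk is required.
interface Ethernet0/2
 description Link to ProCurve port 48 (DMZ VLAN 3)
 switchport access vlan 3
 no shutdown
!
! Default behaviour with no ACL: DMZ (50) may reach outside (0) but not inside (100),
! and inside may reach the DMZ. Applying an ACL replaces that default on the DMZ
! interface, so everything the DMZ is allowed to do must be listed here.
access-list DMZ_in extended permit udp 192.168.3.0 255.255.255.0 host 192.168.1.10 eq domain
access-list DMZ_in extended deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_in extended permit ip 192.168.3.0 255.255.255.0 any
access-group DMZ_in in interface DMZ

; ===== ProCurve 2510G-48 (assumed: ports 45-47 for DMZ hosts, port 48 to the ASA) =====
; "untagged" makes these access ports in VLAN 3 and removes them from DEFAULT_VLAN,
; so DMZ hosts and the internal LAN share the chassis but not a broadcast domain.
vlan 3
   name "DMZ"
   untagged 45-48
   exit
```

With this layout the ASA still has one cable per security zone (inside and DMZ each on their own ASA port), and the switch only provides layer 2 isolation; the ASA remains the sole path between the two VLANs.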