10-13-2014 10:13 PM - edited 03-07-2019 09:05 PM
I have a layer 3 switch (cat2960xr) connected behind the firewall for the inside network. Is it possible to use part of the switch (a few ports) for the DMZ zone, or do I have to purchase a separate switch for that? Please see attachment.
Thanks,
03-04-2015 05:23 PM
I noticed your SVI for vlan 2 has an incorrect IP address: "192.168.1.0 255.255.255.0", so change it to an IP address different from what you have assigned to the ASA's inside interface, such as "192.168.1.2 255.255.255.0". I hope you have something like this on your ASA's inside interface: "192.168.1.1 255.255.255.0".
interface vlan2
ip address 192.168.1.2 255.255.255.0
Don't forget to add a default route, pointing to your ASA's inside interface address, on the switch as shown below.
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Last but not least, don't forget to create dynamic NAT on your ASA for the hosts located inside your network.
thanks
10-14-2014 08:38 AM
Hi n14nguyen,
Yes you can, as long as your 2960 switch hosts only a layer 2 VLAN for your DMZ, and your DMZ interface on the ASA is the gateway for the DMZ hosts.
thanks
Rizwan Rafeek
10-14-2014 11:29 AM
So you mean create a VLAN for the DMZ. How do I ensure separation between the inside VLAN and the DMZ VLAN in the same switch?
10-14-2014 12:07 PM
Hi n14nguyen,
Let's assume that your DMZ interface on your ASA is "192.168.11.1 255.255.255.0" and is connected to FastEthernet24 on your 2960 switch, and similarly that the inside address of your ASA is "10.10.10.1 255.255.255.0" and is connected to FastEthernet1 on your 2960 switch.
Now on your 2960 switch you create an SVI for the inside network of your ASA with a layer 2 definition as vlan 10, and for the DMZ you create only a layer 2 definition as vlan 11.
- - - - - - - - - - - - - - - - - - - - - - - - -
interface vlan10
ip address 10.10.10.2 255.255.255.0
no shut
vlan 10
name asa-inside
vlan 11
name asa-dmz
interface FastEthernet1
switchport access vlan 10
switchport mode access
interface FastEthernet24
switchport access vlan 11
switchport mode access
- - - - - - - - - - - - - - - - - - - - - - - - -
Note that I do not have an SVI created for vlan 11.
I hope this makes sense.
Thanks
Rizwan Rafeek.
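A configuration check a defender can run against the design Rizwan describes (DMZ VLAN kept layer 2 only on the shared switch), as an added example that is not part of the thread. The sample config, the `parse_blocks` helper and the `audit_dmz_isolation` function are all constructed here; the VLAN and interface names follow the post above.

```python
# Constructed sample running-config excerpt (not from the thread) modelling the
# design above: inside VLAN 10 gets an SVI, DMZ VLAN 11 is a pure layer 2 VLAN.
SAMPLE_CONFIG = """\
vlan 10
 name asa-inside
vlan 11
 name asa-dmz
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
interface FastEthernet0/24
 switchport access vlan 11
 switchport mode access
interface FastEthernet0/5
 switchport access vlan 11
ip route 0.0.0.0 0.0.0.0 10.10.10.1
"""

def parse_blocks(config):
    """Split a running-config into (global_lines, {interface_name: [lines]})."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].lower()
            blocks[current] = []
        elif raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip().lower())
        else:
            current = None          # any other top-level line ends the block
            global_lines.append(raw.strip().lower())
    return global_lines, blocks

def audit_dmz_isolation(config, dmz_vlan):
    """Return findings that would let DMZ traffic bypass the ASA on this switch."""
    findings = []
    global_lines, blocks = parse_blocks(config)
    # 1. The DMZ VLAN must stay layer 2 only: no addressed SVI on the switch.
    if any(l.startswith("ip address") for l in blocks.get(f"vlan{dmz_vlan}", [])):
        findings.append(f"vlan{dmz_vlan}: SVI has an IP address, switch could route DMZ traffic")
    # 2. With "ip routing" on, traffic between any two SVIs never reaches the ASA.
    if "ip routing" in global_lines:
        findings.append("ip routing is enabled: inter-VLAN routing would bypass the ASA")
    # 3. DMZ ports should be forced to access mode rather than left to negotiate.
    for name, lines in blocks.items():
        if f"switchport access vlan {dmz_vlan}" in lines and "switchport mode access" not in lines:
            findings.append(f"{name}: DMZ port not forced to access mode")
    return findings
```

Running `audit_dmz_isolation(SAMPLE_CONFIG, 11)` flags only FastEthernet0/5, which carries the DMZ VLAN without `switchport mode access`.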
10-14-2014 01:21 PM
thanks guys, I will try
03-05-2015 08:42 AM
Yes, correcting the IP address and adding the ip route for the inside network address resolved the problem. Thanks
10-14-2014 12:09 PM
If you had the following it would work:
Switch:
VLAN 1 - inside
VLAN 2 - dmz
switchport 1 (inside) - access mode vlan 1
switchport 2 (dmz) - access mode vlan 2
Firewall:
port 1 (inside) - (ip address + plugged into switchport 1)
port 2 (dmz) - (ip address + plugged into switchport 2)
Then configure any switchport as vlan 2 if you want the attached device to be on the dmz network or vlan 1 if you want them to be on the inside network. You could use the firewall for DHCP for that vlan 2 dmz subnet and set the default gateway to the IP address of the firewall's port 2.
This will create LAN separation between the two networks. You will literally have two networks using the same switch, a.k.a. Virtual Local Area Networks (VLANs).
Like Rizwan mentioned, this works in a layer 2 switch.