4131 Views, 4 Helpful, 5 Replies

switch in dmz

suthomas1 (Level 6)

Hi,

I want to connect a 3750 switch as a DMZ to an ASA firewall. I am not very certain how I would achieve this.

We would have VLAN 10 on the ASA as the gateway for the servers.

How do I attach the 3750 to the firewall and configure the switch such that it is able to communicate with the firewall and the rest of the network?

Will the switch port be an access VLAN?

Appreciate all help.



Seb Rupik (VIP Alumni)

Hi there,

How you connect the switch depends on the model of ASA and your licensing. If it is a 5505 with the BASE license then you cannot set up trunking. With the Security Plus license, or any other model of ASA, you can do trunking.

With a trunking setup you would use the following config:

*** ASA:

!

interface Ethernet0/0

switchport mode trunk

switchport trunk allowed vlan 10

no shutdown

!

interface vlan 10

  nameif dmz

  security-level 50

  ip address x.x.x.x x.x.x.x

  no shutdown

!

*** 3750x:

!

vlan 10

  name dmz

!

interface gi1/0/48

  switchport mode trunk

  switchport trunk allowed vlan 10

!

Then for every port on the 3750 which will be connected to a server in the DMZ:

!

interface gi1/0/1

  switchport mode access

  switchport access vlan 10

  no shutdown

!

If you have a 5505 with the BASE license then use the following config. I have guessed at your other two VLAN configs:

*** ASA

!

interface Ethernet0/0

switchport access vlan 10

no shutdown

!

interface vlan 5

  nameif outside

  security-level 0

  ip address x.x.x.x x.x.x.x

  no shutdown

!

interface vlan 10

  no forward interface vlan 15

  nameif dmz

  security-level 50

  ip address x.x.x.x x.x.x.x

  no shutdown

!

interface vlan 15

  nameif inside


  security-level 100

  ip address x.x.x.x x.x.x.x

  no shutdown

!

It is also worth remembering that if you are using an ASA 5505 you have to specify 'no forward interface vlan' on one of your VLAN interfaces. In the case above, your servers will not be able to initiate a connection to the inside VLAN, but hosts on the inside and outside (firewall rules permitting) will be able to access the DMZ. This is one of the shortcomings of the 5505.

Each device connected to the 3750 in VLAN 10 would then have its gateway address set to whatever IPv4 address you specified on the ASA VLAN 10 interface.

Let me know if any of the above needs further clarification.

cheers,

Seb.
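A small model of the default policy Seb describes above (a higher security-level may initiate to a lower one, lower to higher needs a rule, and on a 5505 BASE license 'no forward interface vlan N' blocks initiation to that VLAN outright). This is an added example written for this thread, not part of the original post or any Cisco tooling; the interface names, VLAN numbers and security levels are the ones from the 5505 sample config above, while the class and function names (`AsaInterface`, `can_initiate`) and the `acl_permit` parameter are my own.

```python
"""Model of the ASA default inter-interface policy (no access-lists applied).

Added example, not from the original thread. Rules encoded:
  * higher security-level -> lower: permitted by default
  * lower -> higher, or equal -> equal: denied unless an access-list permits it
    (or 'same-security-traffic permit inter-interface' for equal levels)
  * 5505 BASE: 'no forward interface vlan N' blocks initiation to VLAN N and
    cannot be overridden by an access-list
Interface names, VLANs and levels come from the 5505 sample config above;
the class/function names and the acl_permit parameter are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class AsaInterface:
    nameif: str
    vlan: int
    security_level: int
    # VLANs this interface may not initiate traffic to ('no forward interface vlan N')
    no_forward_to: frozenset = field(default_factory=frozenset)


def can_initiate(src: AsaInterface, dst: AsaInterface,
                 same_security_permitted: bool = False,
                 acl_permit: Optional[bool] = None) -> bool:
    """True if a flow initiated on src may be forwarded out dst.

    acl_permit models an access-group applied inbound on src: once an ACL is
    present the implicit security-level rule is replaced by the ACL, so its
    verdict is taken as-is. Return traffic of a permitted flow is allowed by
    stateful inspection and needs no rule of its own.
    """
    if dst.vlan in src.no_forward_to:
        return False            # 5505 restriction; an access-list cannot override it
    if acl_permit is not None:
        return acl_permit
    if src.security_level > dst.security_level:
        return True
    if src.security_level == dst.security_level:
        return same_security_permitted
    return False


def reachability_matrix(ifaces, same_security_permitted=False):
    """{(src nameif, dst nameif): permitted} for every ordered pair."""
    return {(a.nameif, b.nameif): can_initiate(a, b, same_security_permitted)
            for a in ifaces for b in ifaces if a is not b}


# The three VLAN interfaces of the 5505 example.
OUTSIDE = AsaInterface("outside", 5, 0)
DMZ = AsaInterface("dmz", 10, 50, frozenset({15}))   # no forward interface vlan 15
INSIDE = AsaInterface("inside", 15, 100)
IFACES = (OUTSIDE, DMZ, INSIDE)


def dmz_summary():
    """Who may open connections to or from the DMZ with no ACLs applied."""
    m = reachability_matrix(IFACES)
    return {"dmz_to_inside": m[("dmz", "inside")],
            "dmz_to_outside": m[("dmz", "outside")],
            "inside_to_dmz": m[("inside", "dmz")],
            "outside_to_dmz": m[("outside", "dmz")]}


if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability_matrix(IFACES).items()):
        print(f"{src:>8} -> {dst:<8} {'permit' if ok else 'deny'}")
    # An ACL on outside can open outside -> dmz; nothing opens dmz -> inside on a 5505 BASE.
    print("outside->dmz with ACL:", can_initiate(OUTSIDE, DMZ, acl_permit=True))
    print("dmz->inside with ACL:", can_initiate(DMZ, INSIDE, acl_permit=True))
```

The matrix makes the "firewall rules permitting" caveat concrete: outside (0) to the DMZ (50) is denied until an access-list on the outside interface permits it, whereas the DMZ-to-inside block on a 5505 BASE stays in place even with an access-list.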

Thanks Seb.

We're using a 5585x. I tried the above with the trunking configuration but it doesn't work.

The switchport command is not accepted on the 5585x.

I tried to put together the configuration below based on my understanding. Will this work?

on 3750:-

int vlan 2

des DMZ

ip addr

==============================

on ASA 5585x:-

interface GigabitEthernet0/2

nameif apps

security-level 50

ip address 10.58.21.1 255.255.255.0

The switch needs to house servers, and these servers' gateway will be 10.58.21.1 (defined on the ASA).

Please do suggest if there is a better/proper way to do this.

Appreciate your inputs.

Argh, there is a typo in my first post! For trunking it should be:

interface Ethernet0/0

switchport mode trunk

switchport trunk allowed vlan 10

no shutdown

OK, so with a 5585 we will use trunking. You don't need to set up a VLAN interface on the 3750X, so the config suggested above is still correct for the 3750. Delete your SVI:

no int vlan 2

...from the 3750. Just specify a L2 VLAN:

vlan 10

  name apps

If you are connecting gi0/2 on the ASA to gi1/0/48 on the 3750, the ASA configuration should be:

interface gi0/2.10

  vlan 10

  nameif apps

  security-level 50

  ip address 10.58.21.1 255.255.255.0

  no shutdown

!

...your servers should now be able to ping your ASA VLAN 10 SVI and, provided there are no existing firewall rules present, access any VLAN with a lower security-level than 50.

cheers,

Seb.
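The failure mode in this thread was a mismatch between the two ends of the link (an SVI on the switch competing with the ASA as gateway, and a trunk that must carry the tagged VLAN the ASA subinterface uses), so here is a consistency check that parses the two fragments from the accepted reply and reports disagreements. It is an added example written for this thread, not Cisco's own code: the ASA and 3750 config strings are the ones posted above, pasted inline as constructed input, and the function names (`check`, `switch_view`, `asa_subinterfaces`) are my own.

```python
"""Cross-check an ASA 802.1Q subinterface config against the 3750 it trunks to.
Added example, not from the original thread: the two configs are the ones
from the accepted reply, pasted inline as constructed input; names are my own."""
import re

ASA_CONFIG = """\
interface gi0/2.10
  vlan 10
  nameif apps
  security-level 50
  ip address 10.58.21.1 255.255.255.0
"""

SWITCH_CONFIG = """\
vlan 10
  name apps
interface gi1/0/48
  switchport mode trunk
  switchport trunk allowed vlan 10
interface gi1/0/1
  switchport mode access
  switchport access vlan 10
"""

def parse_blocks(config):
    """Split IOS/ASA-style config into (header, [indented lines]) stanzas."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks

def expand_vlan_list(spec):
    """'10,20-22' -> {10, 20, 21, 22}; 'all' -> None (nothing pruned)."""
    if spec == "all":
        return None
    ranges = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def asa_subinterfaces(config):
    """{vlan tag: nameif} for every subinterface (interface X.N) in the ASA config."""
    result = {}
    for header, body in parse_blocks(config):
        if re.match(r"interface \S+\.\d+$", header):
            kv = dict(line.split(" ", 1) for line in body if " " in line)
            if "vlan" in kv:
                result[int(kv["vlan"])] = kv.get("nameif")
    return result

def switch_view(config):
    """(defined VLANs, {trunk: allowed set or None}, {access port: vlan}, SVIs with an IP)."""
    vlans, trunks, access, svis = set(), {}, {}, set()
    for header, body in parse_blocks(config):
        if (m := re.match(r"vlan (\d+)$", header)):
            vlans.add(int(m.group(1)))
        elif (m := re.match(r"interface [Vv]lan ?(\d+)$", header)):
            if any(l.startswith("ip address ") for l in body):
                svis.add(int(m.group(1)))
        elif (m := re.match(r"interface (\S+)$", header)):
            port, mode, allowed, acc = m.group(1), None, None, 1   # access VLAN defaults to 1
            for line in body:
                if (a := re.match(r"switchport mode (trunk|access)$", line)):
                    mode = a.group(1)
                elif (a := re.match(r"switchport trunk allowed vlan (add )?(\S+)$", line)):
                    new = expand_vlan_list(a.group(2))
                    allowed = (allowed or set()) | new if a.group(1) and new else new
                elif (a := re.match(r"switchport access vlan (\d+)$", line)):
                    acc = int(a.group(1))
            if mode == "trunk":
                trunks[port] = allowed
            elif mode == "access":
                access[port] = acc
    return vlans, trunks, access, svis

def check(asa_config, switch_config, uplink):
    """Findings as strings; an empty list means the ASA and switch agree."""
    findings = []
    subifs = asa_subinterfaces(asa_config)
    vlans, trunks, access, svis = switch_view(switch_config)
    if uplink not in trunks:
        return [f"{uplink} is not configured as a trunk"]
    for vlan, name in subifs.items():
        if vlan not in vlans:
            findings.append(f"VLAN {vlan} ({name}) is tagged by the ASA but not defined on the switch")
        if trunks[uplink] is not None and vlan not in trunks[uplink]:
            findings.append(f"VLAN {vlan} ({name}) is pruned from trunk {uplink}")
        if vlan in svis:
            findings.append(f"SVI with an IP address in VLAN {vlan}: the ASA is already the gateway")
    for port, vlan in access.items():
        if vlan not in subifs:
            findings.append(f"{port} is in VLAN {vlan}, which has no ASA subinterface")
    return findings

if __name__ == "__main__":
    print(check(ASA_CONFIG, SWITCH_CONFIG, "gi1/0/48") or "ASA and switch agree")
```

Run against the posted fragments it reports nothing; feed it the earlier attempt (an `interface Vlan` with an IP address on the switch, or a trunk whose allowed list omits VLAN 10) and it names the mismatch, which is the dual-gateway or pruned-VLAN situation a DMZ server would otherwise only show as "can't ping 10.58.21.1".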

Hey Guys,

I have the same type of issue, please help.

I have 1 DMZ switch (2 VLANs: VLAN 300, DMZ_OUTSIDE; VLAN 700, DMZ_INSIDE).

My ISP connection is terminating on DMZ switch VLAN 300; from there we are sharing Internet to the IDS, the DMZ firewall (clustered) and the VPN firewall (clustered).

Then VLAN 700 is the INSIDE interface VLAN for the DMZ firewalls, so the inside interfaces are connecting to the DMZ switch in VLAN 700.

Now I assigned another port to VLAN 700 and checked Internet on my laptop after connecting to that interface in VLAN 700; it works fine for me.

I have a Core Switch 6506 in my network. I configured the switch, and now if I try to ping the DMZ firewall IP, it fails.

I have created some different VLANs which should be able to access the Internet. Please help.

Firewall Inside IP : 10.23.5.10

Core Switch IP : 10.23.5.1 (VLAN 5)

Core Switch can't ping Firewall Inside IP.

Also, I want all my VLANs in Core Switch to get internet.

(DMZ Switch VLAN 300 is an L3 VLAN and has a public IP, whereas VLAN 700 is an L2 VLAN.)

(VTP mode is server on both the DMZ Switch and the Core Switch, with the same domain name and password; not sure if I need to remove this or keep it.)

No worries,

Issue is resolved.

Thanks
