Solved: switch in dmz

suthomas1 · ‎07-11-2013

Hi,

I want to connect a 3750 switch as dmz to an ASA firewall. I am not very certain how i would achieve this.

We would have a VLAN 10 on the ASA as gateway for servers.

How do i attach the 3750 to the firewall & configure the switch such that it is able to communicate with the firewall & rest of the network.

Will the switch port be an access vlan ?

Appreciate all help

Seb Rupik · ‎07-12-2013

Argh, there is a typo in my first post! For trunking it should be:

interface Ethernet0/0

switchport mode trunk

switchport trunk allowed vlan 10

no shutdown

OK, so with a 5585 we will use trunking. You don't need to setup a VLAN interface on the 3750x, so the config suggested above is still correct for the 3750. Delete your SVI:

no int vlan 2

...from the 3750. Just specify a L2 VLAN:

vlan 10

name apps

If you are connecting gi0/2 on the ASA to gi1/0/48 on the 3750, the ASA configuration should be:

interface gi0/2.10

vlan 10

nameif apps

security-level 50

ip address 10.58.21.1 255.255.255.0

no shutdown

!

...your severs should now be able to ping your ASA VLAN 10 SVI, and providing there are no existing firewall rules present, and access any VLAN with a lower security-level than 50.

cheers,

Seb.

View solution in original post

Seb Rupik · ‎07-12-2013

Hi there,

How you connect the switch depends on the model of ASA and your licensing. If it is a 5505 with BASE license then you cannot set up trunking. With the security-plus license or any other model of ASA you can do trunking.

With a trunking setup you would use the following config:

*** ASA:

!

interface Ethernet0/0

switchport mode access

switchport trunk allowed vlan 10

no shutdown

!

interface vlan 10

nameif dmz

security-level 50

ip address x.x.x.x x.x.x.x

no shutdown

!

*** 3750x:

!

vlan 10

name dmz

!

interface gi1/0/48

switchport mode trunk

swithport trunk allowed vlan 10

!

Then for every port on the 3750 which will be connected to a server in the DMZ:

!

interface gi1/0/1

switchport mode access

switchport access vlan 10

no shutdown

!

If you have a 5505 with base license the use the following config. I have guessed at your other two VLAN configs:

*** ASA

!

interface Ethernet0/0

switchport access vlan 10

no shutdown

!

interface vlan 5

nameif outside

security-level 0

ip address x.x.x.x x.x.x.x

no shutdown

!

interface vlan 10

no forward interface vlan 15

nameif dmz

security-level 50

ip address x.x.x.x x.x.x.x

no shutdown

!

interface vlan 15

nameif inside

no forward interface

security-level 100

ip address x.x.x.x x.x.x.x

no shutdown

!

It is also worth remembering that if you are using a ASA 5505 you have to specify the 'no forward interface vlan ' on one of your VLAN interfaces. In the case above, your servers will not be able to initiate a connection to the inside VLAN, but hosts on the inside and outside (firewall rules permitting) will be able to access the DMZ. This is one fo the shortcommings of the 5505.

Each device connected on the 3750 in VLAN 10 would then their gateway address set to whatever IPv4 address you specified on the ASA VLAN 10 interface.

Let me know if any of the above needs further clarification.

cheers,

Seb.

suthomas1 · ‎07-12-2013

Thanks Seb.

We'r using a 5585x. i tried the above with trunking configuration but it doesn't work.

The switchport command is not accepted on 5585x.

I tried to put together below configuration upon my understanding. will this work?

on 3750:-

int vlan 2

des DMZ

ip addr

==============================

on ASA 5585x:-

interface GigabitEthernet0/2

nameif apps

security-level 50

ip address 10.58.21.1 255.255.255.0

The switch needs to house servers and these servers gateway will be 10.58.21.1( defined on the ASA).

Please do suggest if there is a better/proper way to do this.

appreciate your inputs

Seb Rupik · ‎07-12-2013

Argh, there is a typo in my first post! For trunking it should be:

interface Ethernet0/0

switchport mode trunk

switchport trunk allowed vlan 10

no shutdown

OK, so with a 5585 we will use trunking. You don't need to setup a VLAN interface on the 3750x, so the config suggested above is still correct for the 3750. Delete your SVI:

no int vlan 2

...from the 3750. Just specify a L2 VLAN:

vlan 10

name apps

If you are connecting gi0/2 on the ASA to gi1/0/48 on the 3750, the ASA configuration should be:

interface gi0/2.10

vlan 10

nameif apps

security-level 50

ip address 10.58.21.1 255.255.255.0

no shutdown

!

...your severs should now be able to ping your ASA VLAN 10 SVI, and providing there are no existing firewall rules present, and access any VLAN with a lower security-level than 50.

cheers,

Seb.

Pushpendra Yadav · ‎07-12-2013

Hey Guys,

I have same type of issue please help.

I have 1 DMZ Switch(2 VLANs, VLAN 300 -- DMZ_OUTSIDE, VLAN 700, DMZ_INSIDE)

my ISP connection is terminating to DMZ Switch VLAN 300, from there We are sharing Internet to IDS, DMZ Firewall(Clustered), VPN Firewall(Clustered).

then VLAN 700 is INSIDE interface VLAN for DMZ Firewalls, so inside interfaces are connecting to DMZ Switch in VLAN 700,

Now I assign another port in VLAN 700 and check internet on my laptop after connecting to that interface in VLAN 700 ,it works fine for me.

I have Core Switch 6506 in my network, I configured Switch and now If I try to ping DMZ Firewall IP, It fails.

I have created some different VLANs which should be able to access internet, Please help.

Firewall Inside IP : 10.23.5.10

Core Switch IP : 10.23.5.1 (VLAN 5)

Core Switch can't ping Firewall Inside IP.

Also, I want all my VLANs in Core Switch to get internet.

(DMZ Switch VLAN 300 is L3 VLAN and got Public IP whereas VLAN 700 is L2 VLAN)

(VTP Mode is server for DMZ Switch and Core Switch with same domain name and password, not sure if I need to remove this or keep this)

Pushpendra Yadav · ‎07-13-2013

No worries,

Issue is resolved.

Thanks