Setting Up a DMZ and Internal Network with ASA 5505 and Single Switch

Tags: cisco-asa, hp-procurve, network, vlan

This is an attempt to clarify my original post which was too long.

My task is to add a DMZ to our network.

Currently, the internal network is connected to one ASA interface.

I have been able to set up a single device DMZ where one test laptop is directly connected to a spare ASA interface.

I am trying to expand the experiment to include our existing switch so I can prove that two devices can reside inside the DMZ.

My question is:

Should I be using two interfaces on the ASA and running two cables to the switch?

Or, should I somehow be using only one ASA interface and one cable to the switch?

Or, should I be using two interfaces and two separate switches (one in the DMZ and one in the internal network)?

EXTRA DETAIL ABOUT THE SETUP

The environment is:

  • ASA 5505:
    • 0/0:
      • outside
      • public facing IP
      • vlan2
      • security 0
      • connected to the serviced office building main network
    • 0/1:
      • inside
      • 192.168.47.1
      • vlan1
      • security 100
      • connected to 0/0 on a ProCurve 2510G-48
  • ProCurve 2510G-48:
    • DEFAULT_VLAN (came out of the box)
      • 192.168.47.50
      • 0/0:
        • uplink to the ASA 5505 0/1
      • The rest:
        • various servers
        • another switch to which our desktops are connected

My initial experiment:

  • ASA 5505:
    • 0/0:
      • outside
      • public facing IP
      • vlan2
      • security 0
      • connected to the serviced office building's main network
    • 0/1:
      • inside
      • 192.168.47.1
      • vlan1
      • security 100
      • connected to 0/0 on the ProCurve 2510G-48
    • 0/2:
      • dmz
      • 192.168.48.1
      • vlan3
      • security 50
      • connected to TestLaptop1 with IP address 192.168.48.2
  • ProCurve 2510G-48:
    • As above

With NAT and access rules I got to the point where I can:

  • access the internet from TestLaptop1
  • access the TestLaptop1 from the internet
  • access one single device in the internal network from TestLaptop1 (to simulate limited internal access)
  • access TestLaptop1 from one single device in the internal network (to simulate management access)

I am now trying to add our existing switch into the mix.

Best Answer

I wouldn't change the DMZ VLAN ID from 3 (5505) to 10 (2510) - depending on which protocols are active (GVRP, MVRP), this may cause problems.

If you tag VLAN3 on 5505 port 0/1 and 2510 port "0/0" (the first port should be "1") you can trunk both VLANs 1 and 3 on the same cable. Then, on the 2510, just config all required DMZ ports with VLAN3 untagged and they should be within the DMZ.
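A configuration fragment for the single-cable trunk the answer describes, added here as an illustration (it is not from the original post or the answerer). It assumes ProCurve port 1 is the uplink to ASA port 0/1, that ports 10-12 are the intended DMZ ports, and that the ASA 5505 has the Security Plus license, since the Base license does not allow trunk ports on the built-in switch.

```text
! ---- ASA 5505 (assumed: Security Plus license, so 0/1 can be a trunk) ----
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.47.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.48.1 255.255.255.0
!
! Port 0/1 now carries both VLANs to the switch: VLAN 1 untagged (native),
! VLAN 3 tagged. Port 0/2 is no longer needed for the DMZ.
interface Ethernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3
 no shutdown
!
! Check: "show switch vlan" should list Ethernet0/1 under both VLAN 1 and VLAN 3.

; ---- ProCurve 2510G-48 (assumed: port 1 = uplink, ports 10-12 = DMZ hosts) ----
; Keep the VLAN ID at 3 on both devices, as the answer advises, and stop the
; switch from learning or advertising VLANs dynamically.
no gvrp
vlan 1
   name "DEFAULT_VLAN"
   untagged 1
   exit
vlan 3
   name "DMZ"
   tagged 1
   untagged 10-12
   exit
; A port can be untagged in only one VLAN, so "untagged 10-12" under VLAN 3
; removes those ports from VLAN 1. Leave DMZ host ports out of VLAN 1 entirely
; and do not tag VLAN 1 on them, so a DMZ host cannot reach the inside network
; simply by sending tagged frames.
; Check: "show vlans 3" should list port 1 as Tagged and 10-12 as Untagged,
; and "show vlans 1" should no longer list ports 10-12.
```

The existing NAT and access rules for the dmz interface keep working unchanged, because the ASA still sees DMZ traffic on interface Vlan3; only the physical port it arrives on has moved from 0/2 to the trunk on 0/1.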