This is an attempt to clarify my original post which was too long.
My task is to add a DMZ to our network.
Currently, the internal network is connected to one ASA interface.
I have been able to set up a single device DMZ where one test laptop is directly connected to a spare ASA interface.
I am trying to expand the experiment to include our existing switch so I can prove that two devices can reside inside the DMZ.
My question is:
Should I be using two interfaces on the ASA and running two cables to the switch?
Or, should I somehow be using only one ASA interface and one cable to the switch?
Or, should I be using two interfaces and two separate switches (one in the DMZ and one in the internal network)?
EXTRA DETAIL ABOUT THE SETUP
The environment is:
- ASA 5505:
  - 0/0:
    - outside
    - public facing IP
    - vlan2
    - security 0
    - connected to the serviced office building's main network
  - 0/1:
    - inside
    - 192.168.47.1
    - vlan1
    - security 100
    - connected to 0/0 on a ProCurve 2510G-48
- ProCurve 2510G-48:
  - DEFAULT_VLAN (came out of the box)
  - 192.168.47.50
  - 0/0:
    - uplink to the ASA 5505 0/1
  - The rest:
    - various servers
    - another switch to which our desktops are connected
    - DEFAULT_VLAN (came out of the box)
My initial experiment:
- ASA 5505:
  - 0/0:
    - outside
    - public facing IP
    - vlan2
    - security 0
    - connected to the serviced office building's main network
  - 0/1:
    - inside
    - 192.168.47.1
    - vlan1
    - security 100
    - connected to 0/0 on the ProCurve 2510G-48
  - 0/2:
    - dmz
    - 192.168.48.1
    - vlan3
    - security 50
    - connected to TestLaptop1 with IP address 192.168.48.2
- ProCurve 2510G-48:
  - As above
With NAT and access rules I got to the point where I can:
- access the internet from TestLaptop1
- access the TestLaptop1 from the internet
- access one single device in the internal network from TestLaptop1 (to simulate limited internal access)
- access TestLaptop1 from one single device in the internal network (to simulate management access)
I am now trying to add our existing switch into the mix.
Best Answer
I wouldn't change the DMZ VLAN ID from 3 (5505) to 10 (2510) - depending on which protocols are active (GVRP, MVRP), this may cause problems.
If you tag VLAN3 on 5505 port 0/1 and 2510 port "0/0" (the first port should be "1") you can trunk both VLANs 1 and 3 on the same cable. Then, on the 2510, just config all required DMZ ports with VLAN3 untagged and they should be within the DMZ.
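A worked configuration for the trunked approach in the answer above, added here as an illustration and not taken from the original thread. It keeps VLAN 3 as the DMZ on both devices and carries it tagged over the existing inside cable; the /24 masks, ProCurve port 1 as the uplink, and ports 2-3 as the DMZ host ports are assumptions.

```text
! ASA 5505: VLAN 3 stays the DMZ and is carried tagged over the existing
! inside cable (Ethernet0/1). VLAN 1 stays untagged (native) on that port,
! so the inside network keeps working unchanged.
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.48.1 255.255.255.0
! Base license only: the third VLAN must be restricted with
!   no forward interface Vlan1
! (already in place if the single-laptop DMZ test worked)
!
interface Ethernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3
! Ethernet0/2 is no longer needed for the DMZ once VLAN 3 rides the trunk.
!
! ProCurve 2510G-48: port 1 is the uplink to ASA Ethernet0/1 (assumed).
! VLAN 1 stays untagged on port 1 (matches the ASA native VLAN);
! VLAN 3 is tagged on port 1 and untagged on the DMZ host ports.
! Ports 2-3 as the DMZ host ports are an assumption for this illustration.
vlan 3
   name "DMZ"
   tagged 1
   untagged 2-3
   exit
! Making ports 2-3 untagged members of VLAN 3 moves them out of
! DEFAULT_VLAN: a port can be untagged in only one VLAN.
!
! Checks after applying:
!   ASA:      show switch vlan            (VLAN 3 should list Et0/1)
!   ProCurve: show vlans ports 1 detail   (VLAN 1 untagged, VLAN 3 tagged)
!             show vlans 3                (only the intended DMZ ports)
```

Because one switch now carries both security zones, a host patched into the wrong port lands on the inside VLAN rather than the DMZ, so the port-to-VLAN membership on the 2510 becomes part of the firewall boundary and is worth re-checking after any cabling or VLAN change.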