
DMZ/VLAN Questions...3845, 3750, and ASA5510

Status
Not open for further replies.

primeaum

Technical User
Aug 31, 2009
45
US
Good morning,
I have a project I'm working on. I need to create a DMZ on my ASA5510. No big deal, done. Okay, now I need to be able to route this over a certain VLAN. This is the part I don't understand exactly how to do.
The ASA is connected to the 3750, which is connected to a 3845. I need another 3750 that is connected via fiber to be able to have the DMZ VLAN on it.

I know this isn't that hard, but for some reason I'm really confused.
Any help or direction would be greatly appreciated.
Thanks.
mark
 
Echo what viperegg said. Configure a VLAN with no ip address on the 3750 and connect the DMZ port on the ASA directly into the 3750.
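What that reply describes on the switch side, written out as an added example (not configuration from the original thread). It assumes VLAN 50 for the DMZ, Gi1/0/24 as the port facing the ASA's DMZ interface and Gi1/0/25 as the fiber uplink to the second 3750; all three are placeholders. The point of "a VLAN with no ip address" is that the 3750 carries the DMZ at layer 2 only, so the only router on that segment is the ASA and the switch can never forward DMZ traffic into the internal VLANs itself.

```cisco
! First 3750 (the one the ASA plugs into). All interface numbers are assumed.
vlan 50
 name DMZ
exit

! Port toward the ASA5510 DMZ interface: plain access port in the DMZ VLAN
interface GigabitEthernet1/0/24
 description ASA5510 DMZ interface
 switchport mode access
 switchport access vlan 50
 spanning-tree portfast

! Fiber uplink to the 3750 in the other building: 802.1Q trunk carrying VLAN 50
interface GigabitEthernet1/0/25
 description Fiber trunk to remote 3750
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 50

! Make sure this switch has no routed interface (SVI) in the DMZ VLAN.
! If one was created earlier, remove it so the switch cannot route between
! the DMZ and the internal VLANs behind the ASA's back.
no interface Vlan50
```

The remote 3750 gets the same `vlan 50`, the matching trunk on its fiber port, and access ports in VLAN 50 for the DMZ hosts. Verify with `show vlan brief` (VLAN 50 present on both switches, with the expected ports) and `show interfaces trunk` (VLAN 50 listed as allowed and active on the fiber link); `show ip interface brief` should show no Vlan50 interface on either switch.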
 
Because they are in different buildings connected via fiber...
So I don't need to go through the router? I am able to plug into a port on that VLAN I have configured for the DMZ and pull a DHCP address from the pool on the ASA, but I don't have any routing info in there yet... this I guess is where I'm confused.
Thanks
mark
 
Yeah, it has routing capabilities... do I just put the ASA's IP as the default gateway on the client?
 
Well, I guess I already had that... I'm not sure where I'm hung up. I can ping back to the router and ASA from a client with an IP on the DMZ subnet but can't get out. Hmm... I know this is an easy fix but I'm just not catching it.
thanks again guys
 
I would configure a separate DMZ network off your ASA, i.e. pick another interface and configure it with an IP address. It should be separate from your current default GW on your ASA. Then you can do your NAT/static/etc. config from there.

What are you trying to do with this DMZ?


 
Duh, I figured it out...external NAT wasn't done on that interface. I knew it was something simple. Anyone know of any best practices for locking down the DMZ?
 
I guess it wouldn't technically be called a DMZ, but it will be a subnet that doesn't have access to our internal network so when vendors and visitors come into our buildings they can plug in to the unfiltered internet.
 
Yeah man, block all traffic to your internal subnets and allow it out from the DMZ to the internet. You can allow traffic from your local LAN to the DMZ if you want, just block everything coming from the DMZ to your local LAN.
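The lockdown that reply describes, plus the outside NAT the original poster found missing, as an added ASA example (not configuration posted in this thread). It assumes ASA 8.2-style NAT syntax (what an ASA5510 would typically have run in 2009), Ethernet0/2 as the DMZ interface, 192.168.50.0/24 as the DMZ/guest subnet and 192.168.10.0/24 plus 192.168.20.0/24 as the internal subnets; all of those are placeholders.

```cisco
! DMZ interface. Security level is below inside (100) and above outside (0);
! interface name, number and addresses are assumed.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown

! Visitors get addresses from the ASA itself (assumed pool)
dhcpd address 192.168.50.100-192.168.50.200 dmz
dhcpd enable dmz

! Internal subnets the DMZ must never reach (assumed)
object-group network INTERNAL_NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0

! Order matters: the deny comes first, because the permit below uses "any"
! and "any" includes the internal subnets. "log" records every attempt.
access-list DMZ_IN extended deny ip 192.168.50.0 255.255.255.0 object-group INTERNAL_NETS log
access-list DMZ_IN extended permit ip 192.168.50.0 255.255.255.0 any
access-group DMZ_IN in interface dmz

! Outside NAT for the DMZ subnet: the piece that was missing in the thread.
! Hosts could ping the ASA but not "get out" because nothing translated
! 192.168.50.0/24 to the outside address.
global (outside) 1 interface
nat (dmz) 1 192.168.50.0 255.255.255.0
```

Traffic from inside to the DMZ is already allowed by the security levels, so nothing needs adding for that direction unless you want to restrict it. Check the result with `show access-list DMZ_IN` (hit counts on the deny line when a DMZ host tries an internal address) and `show xlate` (a translation appearing when a DMZ host reaches the internet). On ASA 8.3 and later the NAT lines are written differently (`object network` with `nat (dmz,outside) dynamic interface`), and the access list then references real addresses rather than translated ones.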

 
Can you post a config and a topology? It shouldn't be too hard to set up.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 