I’m learning the ASA and how to set things up. I’m trying to set up my ASA 5510 with a DMZ for web servers. The problem I’m having is that I’m routing (or trying to route) multiple VLANs that aren’t on the ASA but on my switch, and they are being routed to the DMZ interface. Here is an idea of my layout; I’m not too sure if I have it set up correctly:
2810 Router
3560 Switch - vlans 10,20,30
10 Inside, 20 Private, 30 DMZ
3 x servers; 2 are web servers which will need access to the Internet and access from the outside to the inside
ASA
ISP
The router has a default route pointing to the dmz interface on the ASA.
The ASA has a static route from outside interface to the GW to get out to the internet.
ASA - NAT set up for Inside to Outside and DMZ to Outside, dynamic PAT
Should the outside interface be plugged from the modem directly into the ASA, or into the switch? I’ve read it two different ways and am not sure which is correct.
I’ve attached a rough network layout diagram representing some of my configurations as well as the questions I’ve asked.
ASA
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.1.2 255.255.255.224
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.30.1.2 255.255.255.224
interface Ethernet0/3
 nameif Outside
 security-level 0
 ip address 5.5.5.5 255.255.255.248
! default route out to the ISP gateway
route Outside 0.0.0.0 0.0.0.0 5.5.5.6
! dynamic PAT for Inside and DMZ to the Outside interface address (ASA 8.3+ object NAT syntax)
object network INSIDE-NET
 subnet 10.10.1.0 255.255.255.224
 nat (Inside,Outside) dynamic interface
object network DMZ-NET
 subnet 10.30.1.0 255.255.255.224
 nat (DMZ,Outside) dynamic interface
RTR
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.1.1 255.255.255.224
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.20.1.1 255.255.255.224
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.30.1.1 255.255.255.224
! default route pointing at the ASA's DMZ interface (as described above)
ip route 0.0.0.0 0.0.0.0 10.30.1.2
! static routes for the VLAN subnets via the ASA DMZ address
ip route 10.10.1.0 255.255.255.224 10.30.1.2
ip route 10.20.1.0 255.255.255.224 10.30.1.2
ip route 10.30.1.0 255.255.255.224 10.30.1.2
SW
interface FastEthernet0/1
 description SW-ASA-INSIDE10
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 description Private-VLAN20
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/3
 description SW-ASA-DMZ30
 switchport mode access
 switchport access vlan 30
interface range FastEthernet0/10 - 11
 description WEBSVR-DMZ
 switchport mode access
 switchport access vlan 30
interface FastEthernet0/24
 description SW-ASA-ISP (Modem)
These are rough configurations that should give the basic idea of what’s going on. Only the inside VLAN is routing out; the DMZ traffic isn’t getting to the outside.
Inside and DMZ ACLs (applied inbound on each interface; "domain" is DNS)
access-list INSIDE_IN extended permit tcp any any eq http
access-list INSIDE_IN extended permit tcp any any eq https
access-list INSIDE_IN extended permit udp any any eq domain
access-group INSIDE_IN in interface Inside
access-list DMZ_IN extended permit tcp any any eq http
access-list DMZ_IN extended permit tcp any any eq https
access-list DMZ_IN extended permit udp any any eq domain
access-group DMZ_IN in interface DMZ
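As an added example (not the poster's configuration, and not a diagnosis of the post above), here is one way to write the ASA side of the layout described, in ASA 8.3+ syntax, together with the checks you would run to see where a flow is being dropped. It uses the addresses from the post; everything else is an assumption and is labelled as such: that hosts in VLAN 10 use the ASA (10.10.1.2) as their gateway so their traffic arrives on Inside, that VLAN 20 (which exists only on the router) reaches the ASA through the router's DMZ-side address 10.30.1.1 and so needs a route back and a NAT rule on the DMZ interface, that the modem connects directly to Ethernet0/3, that one web server sits at 10.30.1.10 and is published on 5.5.5.3 from the /29, and that 203.0.113.10 stands in for an Internet host in the packet-tracer checks.

```cisco
! Added example, not the poster's config. ASA 8.3+ syntax. Addresses from the post;
! 10.30.1.10, 5.5.5.3 and 203.0.113.10 are assumed for illustration.
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.1.2 255.255.255.224
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.30.1.2 255.255.255.224
interface Ethernet0/3
 nameif Outside
 security-level 0
 ip address 5.5.5.5 255.255.255.248
!
route Outside 0.0.0.0 0.0.0.0 5.5.5.6
! VLAN 20 is not connected to the ASA: return traffic for it must be routed back to the
! router, which is reached through its DMZ-side address (assumed: 10.30.1.1).
route DMZ 10.20.1.0 255.255.255.224 10.30.1.1
!
! Outbound PAT. VLAN 10 enters on Inside (assumes those hosts use 10.10.1.2 as gateway).
object network INSIDE-NET
 subnet 10.10.1.0 255.255.255.224
 nat (Inside,Outside) dynamic interface
! VLAN 20 and VLAN 30 both enter on DMZ, so both are translated (DMZ,Outside).
object network PRIVATE-NET
 subnet 10.20.1.0 255.255.255.224
 nat (DMZ,Outside) dynamic interface
object network DMZ-NET
 subnet 10.30.1.0 255.255.255.224
 nat (DMZ,Outside) dynamic interface
! Assumed web server, published with a static NAT; the Outside ACL references the
! real (untranslated) address, as 8.3+ requires.
object network WEB1
 host 10.30.1.10
 nat (DMZ,Outside) static 5.5.5.3
!
access-list OUTSIDE_IN extended permit tcp any object WEB1 eq http
access-list OUTSIDE_IN extended permit tcp any object WEB1 eq https
access-group OUTSIDE_IN in interface Outside
!
! DMZ (and VLAN 20 via the router) may only do web and DNS outbound; the denies come first
! so a compromised web server cannot reach the Inside or Private subnets on those ports.
access-list DMZ_IN extended deny ip any object INSIDE-NET
access-list DMZ_IN extended deny ip any object PRIVATE-NET
access-list DMZ_IN extended permit tcp any any eq http
access-list DMZ_IN extended permit tcp any any eq https
access-list DMZ_IN extended permit udp any any eq domain
access-group DMZ_IN in interface DMZ
!
! Checks: simulate a DMZ web server fetching a page, and an Internet host hitting the
! published address. Each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT) reports ALLOW or DROP.
packet-tracer input DMZ tcp 10.30.1.10 40000 203.0.113.10 80
packet-tracer input Outside tcp 203.0.113.10 40000 5.5.5.3 443
show nat
show route
```

The two packet-tracer lines are the quickest way to tell a routing problem from a NAT or ACL problem: if the DMZ flow drops in ROUTE-LOOKUP the ASA has no path to the destination, if it drops in ACCESS-LIST the DMZ_IN rules are the cause, and if it reaches the end with "Action: allow" but no counters increment in show nat, the packets are not arriving on the interface you expect.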