Setup ASA with DMZ for web servers

I’m learning ASA and the configurations of how to set things up. I’m trying to set my ASA 5510 to have a DMZ for the purpose of web servers. The problem I’m having is I’m routing, or trying to route, multiple VLANs that aren’t on the ASA but on my switch and being routed to the DMZ interface. Here is an idea of my layout; I’m not too sure if I have it set up correctly.

2810 Router
3560 Switch - VLANs 10, 20, 30
10 - Inside, 20 - Private, 30 - DMZ
3 x servers; 2 are web servers, which will need access to the internet and access from outside to the inside

The router has a default route pointing to the dmz interface on the ASA.
The ASA has a static route from outside interface to the GW to get out to the internet.
ASA - NAT setup for inside to Outside and DMZ to Outside, dynamic PAT

Should the outside interface be plugged from the modem directly into the ASA or into the switch? I’ve read 2 different ways and am not sure what is correct.

I’ve attached a rough network layout diagram representing some of my configurations as well as the questions I’ve asked.

nameif Inside
Security level 100
ip add /27

nameif DMZ
security level 50
ip add

nameif Outside
security level 0
ip add

ip route outside
nat (inside,outside) dynamic pat
nat (dmz,outside) dynamic pat

ip add

ip add

ip add

ip route
ip route
ip route

switchport mode access
switchport access vlan 10
description SW-ASA-INSIDE10

switchport mode access
switchport access vlan 20
description Private-VLAN20

switchport mode access
switchport access vlan 30
description SW-ASA-DMZ30

switchport mode access
switchport access vlan 30
Description WEBSVR-DMZ

description SW-ASA-ISP (Modem)

These are rough configurations that should give the basic idea of what’s going on. Only the inside VLAN is routing out; the DMZ traffic isn’t working to go to the outside.

Inside and Dmz 
allow any any http
allow any any https
allow any any domain!


2 posts were merged into an existing topic: Cisco ASA VLANs and Sub-Interfaces