
DMZ across subnets

benbuiltpc Member Posts: 80
I'm wondering if it's possible or desirable to "extend" a DMZ port on the ASA 5510 we have at work. The Web server is on a different network than the ASA's DMZ. I was thinking of doing VLANs on both sides then routing with Layer3 Catalysts.

For simplicity's sake, we have 2 sites as shown:

ASA -- L3SW1 -- R1 -- WAN -- R2 -- L3SW2 -- HTTP SERVER

I haven't plugged anything in yet but my new VLAN interface is not coming up on one of the L3 switches. Example:

L3SW1: VLAN 20 Interface Up / Line Protocol Down
L3SW2: VLAN 20 Interface Up / Line Protocol Up

Why would one work and not the other? The switches are exactly the same (model, IOS version, etc.). Of course the VLAN IPs are in different subnets. Yes, I've done "no shut" and pretty much every other trick I can think of.

Is this more secure than just forwarding the port and not using the DMZ? Or will I run into problems down the road, assuming I get this configuration to work?

Thanks!

Comments

  • shednik Member Posts: 2,005
    Are you trying to use two separate subnets for a reason or just because they are at 2 separate sites? One thing I could see being done, and I'm not sure how feasible it would be with your setup, is to set up a dot1q tunnel between both L3SWs. We do something similar at work where we have 2 data centers connected via fiber which we use as a L2 extension. I would need to lab something like that out, but again I don't even know if what I'm thinking up would be what you're looking for.
  • benbuiltpc Member Posts: 80
    Yes, the sites are different subnets separated by physical routers. I don't know much about dot1q tunnelling but I have a feeling it won't traverse subnets much the same way VLANs are terminated by routers.
  • bighornsheep Member Posts: 1,506
    benbuiltpc wrote: »
    I haven't plugged anything in yet but my new VLAN interface is not coming up on one of the L3 switches. Example:

    L3SW1: VLAN 20 Interface Up / Line Protocol Down
    L3SW2: VLAN 20 Interface Up / Line Protocol Up

    Why would one work and not the other? The switches are exactly the same (model, IOS version, etc). Of course the VLAN IPs are in different subnets. Yes, I've done "no shut" and pretty much every other trick I can think of.

    The SVI will only come up if there's an active (up/up) port belonging to the VLAN (or the VLAN is active on a trunk).

    Any idea what kind of WAN connection you have between R1 & R2?

    I would probably consider establishing a site-to-site VPN and routing via GRE tunneling. The ASA can then protect the HTTP as simply another subnet.
    Jack of all trades, master of none
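A mechanical check for the condition bighornsheep describes, as an added Python example that is not from this thread or from any of its posters: it parses constructed `show ip interface brief` and `show vlan brief` output and, for every SVI sitting at up/down, lists the VLAN's access ports and which of them are up/up. Interface names, addresses and VLAN numbers in the sample output are made up; `show vlan brief` lists only access ports, so an SVI with no up/up member here can still be legitimately up if a trunk carries the VLAN, which `show interfaces trunk` would show.

```python
import re

# Constructed sample output modelled on the L3SW1 case in the thread:
# VLAN 20's only access port is down, so the SVI shows up/down.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan20                 10.20.0.1       YES manual up                    down
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/3        unassigned      YES unset  down                  down
"""
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2
20   DMZ                              active    Fa0/3
"""

def short_name(ifname):
    """'FastEthernet0/3' -> 'Fa0/3', the form 'show vlan brief' uses in its Ports column."""
    return re.sub(r"^([A-Z][a-z])[A-Za-z-]*", r"\1", ifname)

def parse_ip_int_brief(text):
    """Return {interface: (status, protocol)}; status may be 'administratively down'."""
    result = {}
    for line in text.splitlines()[1:]:
        m = re.match(r"(\S+)\s+\S+\s+\S+\s+\S+\s+(.+?)\s+(up|down)\s*$", line)
        if m:
            result[m.group(1)] = (m.group(2), m.group(3))
    return result

def parse_vlan_brief(text):
    """Return {vlan_id: [access ports]}. Assumes port lists are not wrapped onto continuation lines."""
    vlans = {}
    for line in text.splitlines()[2:]:
        m = re.match(r"(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if m:
            vlans[int(m.group(1))] = [p.strip() for p in m.group(2).split(",") if p.strip()]
    return vlans

def svi_diagnosis(ip_int_brief, vlan_brief):
    """For each SVI that is up/down: its VLAN's access ports and the subset that is up/up.
    An empty 'active_ports' list is the no-active-member condition (trunks are not checked here)."""
    ifaces = parse_ip_int_brief(ip_int_brief)
    by_short = {short_name(n): state for n, state in ifaces.items()}
    vlans = parse_vlan_brief(vlan_brief)
    report = {}
    for name, state in ifaces.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and state == ("up", "down"):
            ports = vlans.get(int(m.group(1)), [])
            active = [p for p in ports if by_short.get(p) == ("up", "up")]
            report[int(m.group(1))] = {"ports": ports, "active_ports": active}
    return report
```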