DMZ across subnets

benbuiltpc

I'm wondering if it's possible or desirable to "extend" a DMZ port on the ASA 5510 we have at work. The Web server is on a different network than the ASA's DMZ. I was thinking of doing VLANs on both sides then routing with Layer3 Catalysts.

For simplicity's sake, we have 2 sites as shown:

ASA -- L3SW1 -- R1 -- WAN -- R2 -- L3SW2 -- HTTP SERVER

I haven't plugged anything in yet but my new VLAN interface is not coming up on one of the L3 switches. Example:

L3SW1: VLAN 20 Interface Up / Line Protocol Down
L3SW2: VLAN 20 Interface Up / Line Protocol Up

Why would one work and not the other? The switches are exactly the same (model, IOS version, etc). Of course the VLAN IPs are in different subnets. Yes, I've done "no shut" and pretty much every other trick I can think of.

Is this more secure than just forwarding the port and not using the DMZ? Or will I run into problems down the road, assuming I get this configuration to work?

Thanks!

shednik

Are you trying to use two separate subnets for a reason or just because they are at 2 separate sites? Oone thing I could see being done and not sure how feasible it would be with your setup, but to setup a dot1q tunnel between both L3SWs. We do something similar at work where we have 2 data centers connected via fiber which we use as a L2 extension. I would need to lab something like that out but again I don't even know if what I'm thinking up would be what you're looking for.