Cisco ASA/3750 Multiple VLAN setup

Posted on 2006-06-03
Medium Priority
Last Modified: 2012-08-13
Ok, here is my situation.  I am getting ready to purchase (2) Cisco 3750-24TS-S switches and use the stackwise cable for interconnect.  These switches will be used as my vlan/routing switches.  I want to have the following vlans configured on the switch:

1 - Outside Vlan (VLAN for outside public access)
2 - DMZ Vlan (For servers that are public facing EX:Public DNS Servers, Video Camera Servers, Vendor Inventory Servers)
3 - Server Vlan (For internal servers for the company)
4 - IT VLan
5 - Call Center Vlan
6 - Accounting Vlan
7 - Production Vlan
8 - Warehouse Vlan
9 - Catalog Vlan

We have two T1's that come in and are bonded into a single MLPPP Channel giving us 3Mbps bandwidth.  We use the Cisco 2821 Router for the DSU/CSU termination point for the T1's.  The Ethernet interface off of the Router will plug into the Outside Vlan and have an IP address of 206.132.X.X /27.  The next device to plug into the Outside VLan is the Cisco ASA 5510.  It also has a public facing IP address in the 206.132.X.X /27 range.  The next Ethernet Interface on the ASA will plug into the DMZ Vlan and have an IP address of 172.16.X.1 /24.  The DNS Servers etc., will also plug into that same vlan and use 172.16.X.1 /24 on the ASA interface as their default gateway.  I then take the third ASA interface and plug it into the Server Vlan with the third Ethernet Interface IP address as 10.1.X.1 /24.  I then plug our internal company servers as well into that Server Vlan.  Here is when I get a little confused.  I want another firewall interface barrier to sit in between the internal servers and the rest of the company's vlans.  The only thing is that IT & Production need access to the file servers on the Server Vlan without going through the ASA.  The rest of the company however I want to have go through another ASA interface to get to the Servers on the Server Vlan.  This would create some internal security as well since I now have a firewall between the inside company and the inside internal servers.  Does this sound like a smart thing to do?  And more specifically how would I go about accomplishing this setup.
Question by:icarus2256
LVL 79

Expert Comment

ID: 16823306
Couple of comments.
1. Not the best idea to have the outside vlan on the same physical switch. Suggest just using a crossover cable between the 2821 router and the ASA outside interface, else use a dedicated 10/100 switch. Reason is potential bleed over between vlans and the security of the entire system.
2. Not the best idea to separate the servers from the users. In the best scenario the servers are in the same vlan as the majority of its users. Reason is efficiency. Too many ports/protocols to open up through the firewall for user authentication, browsing, AD functions, etc. Since you have a full L3 capable switch with high-speed backplane you can put the servers on a different vlan than the users and route between them. Use the security inherent in the Microsoft products.

What parts of the config do you need help with?
Once you stack the two switches, they appear as one. Use the latest Cisco Network Assistant software to set them up. Create named VLANs, assign ports to the vlans. Create Layer 3 vlan interfaces for the routed vlans. I.e.
[define vlans]
switch#vlan database
switch(vlan)#vlan 2 name DMZ
switch(vlan)#vlan 3 name Servers
switch(vlan)#vlan 4 name IT
switch(vlan)#vlan 5 name CallCenter
switch(vlan)#exit
switch#config t
[create layer 3 interfaces]
switch(config)#interface vlan 3
switch(config-if)#description Server LAN
switch(config-if)#ip address
switch(config-if)#interface vlan 4
switch(config-if)#description IT VLAN
switch(config-if)#ip address
<etc>  NOTE: No layer 3 interface created for DMZ - the ASA will provide all L3 services
[assign ports to the vlans]
switch(config)#interface range gig1/0/1 - 14
switch(config-if-range)#switchport access vlan 2
switch(config-if-range)#interface range gig1/0/15 - 22
switch(config-if-range)#switchport access vlan 3
switch(config-if-range)#interface gig1/0/23
switch(config-if)#switchport access vlan 2
switch(config-if)#description ASA DMZ Interface
switch(config-if)#interface gig1/0/24
switch(config-if)#switchport access vlan 1
switch(config-if)#description ASA inside Interface

[set default route to ASA]
ip route


Author Comment

ID: 16823337
So should I have the third interface of the ASA plug into the Server Vlan, then have the servers point to it for their gateway?  Should I then also have all other vlans route to the ASA interface in the Server Vlan to get outside?
LVL 79

Expert Comment

ID: 16823358
Not exactly.
Outside interface - separate switch
DMZ interface - switchport gig1/0/23 given the above config
Inside interface - switchport gig1/0/24

I forgot one piece of the config:
 interface vlan 1
   ip address (ASA inside IP =

ASA inside interface is in a VLAN all by itself - vlan 1 (default)

With the exception of the DMZ servers, *all* systems will point to the 3750's VLAN X IP address for their respective vlans. The 3750 will provide all layer 3 routing internally and only the 3750 will have a route out through the ASA via vlan1

If you really, really want the servers-client traffic to be policed by the ASA, then you would simply not create a L3 interface on the 3750 for the server vlan and plug a physical interface of the ASA into that vlan, point all systems in that vlan to the ASA interface as the default.

Hope that makes sense. . .
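The two designs lrmoore describes (server VLAN routed on the 3750 versus server VLAN with no SVI and an ASA interface plugged in) decide which flows the ASA ever sees. The following is an added example, not from this thread or from Cisco: a small Python model of those gateway rules that reports, per user VLAN, whether traffic to the server VLAN crosses the ASA. VLAN numbers follow the question; the design names ROUTED and POLICED are assumptions.

```python
# Added example: models the 3750/ASA gateway rules from this thread.
# Rule 1: a host uses the 3750 SVI as its gateway when its VLAN has one,
#         otherwise the ASA interface in that VLAN.
# Rule 2: the 3750 routes directly between VLANs that have SVIs and sends
#         everything else to its default route, the ASA inside interface.
from dataclasses import dataclass


@dataclass
class Design:
    svi: set   # VLANs with a layer-3 interface on the 3750
    asa: set   # VLANs with a physical ASA interface


def first_hop(vlan, d):
    if vlan in d.svi:
        return "3750"
    if vlan in d.asa:
        return "ASA"
    raise ValueError(f"vlan {vlan} has no gateway at all")


def crosses_asa(src, dst, d):
    """True if traffic from a host in src to a host in dst must pass the ASA."""
    if src == dst:
        return False            # same broadcast domain, nothing routes it
    if first_hop(src, d) == "ASA":
        return True             # the ASA is the gateway itself
    return dst not in d.svi     # 3750 routes it, unless dst forces the default route


USER_VLANS = {4, 5, 6, 7, 8, 9}
# Design A: server VLAN 3 has an SVI, the 3750 routes users <-> servers.
ROUTED = Design(svi={1, 3} | USER_VLANS, asa={1, 2})
# Design B: no SVI for VLAN 3, an ASA interface sits in it instead.
POLICED = Design(svi={1} | USER_VLANS, asa={1, 2, 3})


def policed_user_vlans(d, server_vlan=3):
    """User VLANs whose traffic to the server VLAN is inspected by the ASA."""
    return {v for v in USER_VLANS if crosses_asa(v, server_vlan, d)}


if __name__ == "__main__":
    for name, d in (("routed", ROUTED), ("policed", POLICED)):
        print(name, "-> user VLANs policed on the way to servers:",
              sorted(policed_user_vlans(d)))
```

Running it shows the all-or-nothing nature of the choice: in the routed design no user VLAN is policed and in the policed design every one is, which is why the asker's wish to exempt only IT and Production cannot be met by the server VLAN's gateway placement alone.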
Author Comment

ID: 16823407
Ok, so let me make sure I have this straight.  The outside will be on a separate switch no problem.  The DMZ Vlan resides on the 3750 and has a specified number of access switchports for the DMZ servers.  The ASA will have its second interface be part of that DMZ Vlan and have an IP address of /24 & an ASA Security of 50.  All DMZ Vlan servers will point to gateway /24.  The third ASA interface will be connected to its own Vlan.  Why do I need to assign an IP of to vlan 1?  I am guessing that is for management purposes so I can manage the switch.  Also I thought it was good practice to never use Vlan 1 for management since all switches by default use this as their management Vlan and hence can be a security issue.  The rest looks good.  I will assign an IP address to each vlan internally then have all traffic route to the inside interface of the ASA.

Author Comment

ID: 16823418
lrmoore, I want this configuration/setup to be as secure as possible, but realistic for business purposes.  Does the above configuration look good for a business of 300-500 employees in your honest opinion?
LVL 79

Expert Comment

ID: 16823441
As a matter of fact, this is almost identical to a setup that I have installed for a government client where security is paramount.

>Why do I need to assign an IP of to vlan 1?
I just used this as example. It could just as well be vlan 10. It was not for management, but to simply put the ASA Inside interface into a dedicated layer 3 vlan on the switch to reduce the amount of broadcast packets the ASA would have to process/discard. You can designate your IT VLAN interface as the "management" interface if you like.

How are you connecting the rest of the users if you only have 2x24 port switches? If the rest of the access switches are also Cisco, you can enable VTP so that all switches can participate in any vlan.

Author Comment

ID: 16823462
They are not all Cisco switches, in fact most of them are 3com.  The server Vlan however will have another set of dedicated 3750 switches.  The rest of the company however will be using 3com switches, specifically 4400 10/100 switches.  I will be using 802.1q tagging for the trunk connections.  We have fiber running to a bunch of areas of the company so I will use the SFP ports on the 3750's for connectivity to the 4400's.  One more question: do I need an IP address assigned to the vlan that the inside interface of the ASA will be connecting to?  Why?  Thanks for all your help.
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 16823584
>do need an IP address assigned to the vlan that the inside interface of the ASA will be connecting to?  Why?  
Not if your inside interface is in one of the other vlans.
If you use my example of a separate vlan just for the purpose of isolating the inside interface, then yes you would assign the switch vlan interface an IP address in the same subnet as the ASA interface, which is a different subnet than all the rest of the vlans/subnets. The 3750 handles all the routing.
Why? To segregate the ASA interface into a separate "private" vlan that does not see all the broadcasts from the others. If it's in another vlan, then something has to route the other traffic to it - a vlan interface on the 3750.

Author Comment

ID: 16823701

Thanks for your insight and quick responses.
LVL 79

Expert Comment

ID: 16825111
Glad I could help. Post new Q's if you run into anything sticky.

Question has a verified solution.