Cisco ASA-5510 and 6500 series switch configuration help

Posted on 2010-01-04
Last Modified: 2012-05-08

I have a doozy of a question on the configuration of a ASA5510 and a 6500 series switch.

ISP has provided me 2 lines into my cabinet. The other one is for high availability if their primary network goes down.

The ASA-5510 has a 4 port expansion card giving me 8 interfaces

A Cisco admin recommended that I set up the interfaces as VLANs on the Firewall

Ethernet0/0            Outside       Public Facing IP address   This is not VLAN'd
Ethernet0/1.10         Inside-VLAN   99                         VLAN10
Ethernet0/2.11         DMZ           55                         VLAN11
Ethernet0/3.12         DB            60                         VLAN12
GigabitEthernet0/0.13  PROC          65                         VLAN13
GigabitEthernet0/1.14  DMZ2          70                         VLAN14
GigabitEthernet0/2.15  DB            75                         VLAN15
GigabitEthernet0/3.16  PROC          80                         VLAN16

Servers assigned a DMZ IP address will have access to the internet

The 6500 series switch has 3 x 48 port cards installed

3 ports have been configured as a Spanning port with the outside interface of the ASA5510 and the 2 ISP cables connected into it.

The other cables are connected into the 6500 switch.

I am wondering, is this the correct setup? When I assign my servers a particular IP address, do I need to configure a port on the 6500 switch for a particular VLAN? I know this is not a plug and play situation. ;)

Right now I am using my ISP's DNS server for name resolution.
This may be a looonnng thread! Thanks in advance.
Question by:NetNinja

    Expert Comment


    First, if you have physical interfaces I would use them, especially on the outside. Also, you have a redundant connection to your ISP; do you have a redundant firewall as well? My initial thought was that you do not have a redundant firewall, so why bother with redundant networks? Is there only one 6500?

    Is your requirement to have 2-DMZs, 2-DB, 2-PROc, and 1-inside?

    If you are going to configure VLAN tagging I would put like networks on like physical interfaces: DB & DB, PROC & PROC, DMZ & DMZ. VLAN tagging logically separates the traffic; however, VLAN jumping is possible under certain conditions.

    Typically you configure a VLAN and assign ports to it; normally unique networks are provisioned for each VLAN, so one can be dedicated to VLAN 11, and so on. You do this to minimize your broadcast domains and to add control points (the layer 3 interfaces) in your network for security. Now you can add secondaries, but that is a more complex discussion that I do not think you are going to utilize.

    harbor235 ;}


    Author Comment

    No, I do not have a second Firewall nor a second 6500.

    Is your requirement to have 2-DMZs, 2-DB, 2-PROc, and 1-inside?

    Yes, 1 is for production and the other is for QA sites.


    Expert Comment


    OK, so as I stated above, it is a better idea to utilize physical interfaces where you can; however, I do realize that because of economics and/or capacity issues, enabling VLAN tagging is a viable alternative.

    I would do the following:

    1) ID critical networks, i.e. outside, inside
    2) Assign separate physical interfaces to critical networks (if you can)
    3) Group like services on like networks, i.e. DB, PROC, etc ...
    4) Secure VLANs on the 6500 as much as possible (VLAN 1 is evil, do not use it anywhere, but do not  

    harbor235 ;}

    Accepted Solution

    OK, so what I did was create a number of VLANs on the Catalyst 4502 switch; I made a mistake in identifying it as a 6500.

    VLAN 10 through 16. I used the 3rd octet as a reference point for which servers will be in what segments.
    I have 8 segments on my firewall due to network segmentation for my servers and for PCI compliance;
    easier for me to identify what is what for future troubleshooting.

    Then I would assign an IP address to a VLAN, so for instance
    the interface on the firewall port eth2, which is labeled DMZ.

    The IP address assigned to VLAN11 is (on the switch) -- make note of the IP address. I reserved the first 25 IPs for future devices.
    config t
    (config)# interface vlan 11
    (config-if)# ip address <VLAN11-IP> <MASK>     (address and mask were not given in the post; substitute your own)
    (config-if)# no shut (Note* you may have to issue a shut then a no shut)

    So you just create a number of VLANs; in my case I created several, VLAN 10 thru 16.
    config t
    (config)# vlan 11            (repeat for each VLAN, 10 thru 16)

    Assign a port to a VLAN
    (config)# interface gigabitethernet 3/1    Which means Card 3 Port #1; notice that the card has gigabit ethernet ports.
    (config-if)# switchport access vlan 11
    (config-if)# no shut  (Note you might have to issue a "shut" and then a "no shut" command)

    A port designated to be assigned VLAN11 has a server plugged into that port which is going to be in the DMZ.

    I then repeated the process for the other VLANs by assigning them an IP address and assigning ports to their respective VLANs.
    I could have assigned a particular bank or range of ports to a VLAN, but I wanted to keep it simple just to get what servers I needed up on the network up and running.

    Creating the interfaces on the ASA device via the ASDM is a much simpler process. I called into Cisco to help with configuration because I had questions about assigning security levels to each segment.
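The layout the accepted solution describes, shown end to end as an added example (not configuration from the post or from Cisco): one ASA physical port carrying two tagged sub-interfaces (following harbor235's advice to put like networks, DMZ and DMZ2, on one physical interface), the matching Catalyst trunk, and a DMZ server access port. The interface numbers, VLAN 999, the 10.0.x.0/24 subnets and the security levels (read from the numbers in the question's table) are assumptions.

```cisco
! ---- ASA 5510: Ethernet0/2 is a bare trunk port, the VLANs live on sub-interfaces ----
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/2.11
 vlan 11
 nameif DMZ
 security-level 55
 ip address 10.0.11.1 255.255.255.0      ! constructed: VLAN id = 3rd octet, .1 is the gateway
!
interface Ethernet0/2.14
 vlan 14
 nameif DMZ2
 security-level 70
 ip address 10.0.14.1 255.255.255.0
!
! ---- Catalyst 4500 side ----
vlan 11
 name DMZ
vlan 14
 name DMZ2
vlan 999
 name NATIVE-UNUSED          ! native VLAN nobody is a member of, so untagged frames go nowhere
!
! Trunk to ASA Ethernet0/2: only the two DMZ tags, unused native VLAN, no DTP negotiation
interface GigabitEthernet3/48
 description Trunk to ASA Eth0/2 (DMZ, DMZ2)
 switchport trunk encapsulation dot1q  ! needed on platforms that also offer ISL (e.g. 6500); omit if rejected
 switchport trunk native vlan 999
 switchport trunk allowed vlan 11,14
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
! Server port in VLAN 11 (DMZ): hard-coded access mode so it can never negotiate itself into a trunk
interface GigabitEthernet3/1
 description DMZ server
 switchport mode access
 switchport access vlan 11
 switchport nonegotiate
 spanning-tree portfast
 no shutdown
```

Keep in mind that a Catalyst 4500 with `ip routing` enabled and an SVI addressed in each VLAN (as in the post's `interface vlan 11` step) can forward between segments itself, bypassing the ASA; for PCI-style segmentation, either leave routing disabled on the switch or give SVIs only to a management VLAN so the firewall stays the sole path between segments.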


    Expert Comment


    All sounds good. Is everything working?

    harbor235 ;]

    Author Comment


    Now all I have to do is create access lists to allow communication from one segment to the other on specific ports.
