• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 837
  • Last Modified:

Cisco ASA-5510 and 6500 series switch configuration help


I have a doozy of a question on the configuration of a ASA5510 and a 6500 series switch.

ISP has provided me 2 lines into my cabinet. The other one is for high availablity if thier primary network goes down.

The ASA-5510 has a 4 port expansion card giving me 8 interfaces

A Cisco admin reccomened that I set up the interfaces as VLANS on the Firewall

Ethernet0/0  Outside     Public Facing IP address     This is not Vlan'd
Ethernet0/1.10 Inside-VLAN  99    VLAN10
Ethernet0/2.11 DMZ              55   VLAN11
Ethernet0/3.12  DB                60   VLAN12
GigabitEthernet0/0.13 PROC  65   VLAN13
GigabitEthernet0/1.14 DMZ2  70   VLAN14
GigabitEthernet0/2.15 DB       75   VLAN15
GigabitEthernet0/3.16 PROC   80   VLAN16

Servers assigned a DMZ IP address will have access to the internet

The 6500 series switch has 3 x 48 port cards installed

3 ports have been configured as a Spanning port with the outside interface of the ASA5510 and the 2 ISP cables connected into it.

The other cables are connectd into the 6500 switch.

I am wondering is this the correct setup? When I assign my servers a particualr IP address do I need to configure a port on the 6500 switch for a particular VLAN? I know this is not a plug and play situation. ;)

right now I am using my ISP's DNS server for name resolution.
This may be a looonnng thread! Thanks in advance.
  • 3
  • 3
1 Solution

First, if you have phsical interfaces I would use them especially on the outside. Also, you have a redundant connection to your ISP, do you have a redundant firewall as well? My initial thought was taht you do not have a redundant firewall so why bother with redundant networks, is there only one 6500?

Is your requirement to have 2-DMZs, 2-DB, 2-PROc, and 1-inside?

If you are going to configure vlan tagging I would put like networks on like physical interfaces, DB & DB, PROC & PROC, DMZ & DMZ. VLAN tagging logically seperates the traffic, however, VLAN jumping is possible under certain conditions.

Typically you configure a vlan and assign ports to it, normally unique networks are proivisioned for each vlan, so can be dedicated to vlan 11, and so on. You do this to minimize your brodcast domains and to add control points (the layer 3 interfaces) in your network for security.Now you can add secondaries but that is a more complex discussion that I do not think you are going to utlize.

harbor235 ;}

NetNinjaAuthor Commented:
No I do not have a second Firewall nor a second 6500.

Is your requirement to have 2-DMZs, 2-DB, 2-PROc, and 1-inside?

yes 1 is for production and the other is for QA sites.


ok, so as I stated above, it is a better idea to utilize physical interfaces where you can, however, i do realize that because of economics and/or capacity issues enabling vlan tagging is a viable alternative.

I would do the following;

1) id critical networks, i.e outside inside
2) Assign seperate physical interfaces to critical networks (if you can)
3) Group like services on like networks, i.e DB, PROC, etc ...
4) Secure VLANS on the 6500 as much as possible (vlan 1 is evil, do not use it anywhere, but do not  

harbor235 ;}
Exciting career futures for women in IT

Education has the power to transform lives and open the door to new career opportunities. By earning an IT degree from WGU, you can become a highly skilled IT professional. Get the credentials and certifications you need to become a leader in this rewarding field.  

NetNinjaAuthor Commented:
Ok so what I did was create a number of Vlan's on the Catalyst 4502 switch I made a mistake in identifying it as a 6500.

Vlan 10 through 16. I used the 3rd octet as a reference point for which servers will be in what segments.
I have 8 segments on my firewall due to network segmentation for my servers and for PCI compliance
easier for me to identify what is what for future troubleshooting.

Then I would assign an IP address to a Vlan so for instance
the interface on the firewall port eth2 is which is labled DMZ.

The IP address assigned to Vlan11 is (On the swtch) make note of the IP address. I reserved the first 25 IP's for future devices.
config t
config# interface vlan 11
config-if-range#ip address
config# no shut (Note* you may have to issue a Shut then a no shut)

So you just create a number of Vlans, in my case I created several. Vlan 10 thru 16
Config t

Assign a port to a vlan
#interface  gigabitethernet 3/1  Which means Card 3 Port #1 notice that the card has gigabit ethernet ports.
# switchport access vlan 11
# no shut  (Note you might have to issue a "Shut" and then a "no shut" command)

a Port desginated to be assigned Vlan11 has a server pluged into that port which is going to be in the DMZ.

I then repeated the process for the other vlans by assigning them an IP address and assigning ports to thier respective vlans.
I could have assgined a particular bank or range of ports to a vlan but I wanted to keep it simple just to get what servers I needed up on the network up and running.

creating the interfaces on the ASA device via the ASDM is a much simpler process. I called into Cisco to help with configuration because I had questions about assigning security levels to each segment.


All sounds good, is everything working?

harbor235 ;]
NetNinjaAuthor Commented:

Now all I have to do is create access lists to allow communication from one segement to the other on specific ports.

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now