Maximum number of servers in DMZ on Cisco ASA 5510 with Security Plus

I have several devices I'd like in my DMZ (E-mail Filter, MS ISA Server, Citrix Access Gateway, etc). I'm ordering a Cisco ASA 5510 with Security Plus. Is it possible to set up all these devices in the DMZ? If so, can I do it by having one port on the DMZ connected to a switch, then all the servers connected to it? Or, must I have each server connected directly to one of the open ports (if any) on the ASA?
First Last Asked:

qbakies Commented:
You can place them all in a DMZ connected to a switch.  The 'DMZ' is associated with the ASA interface.
0
First Last (Author) Commented:
qbakies:

Isn't connecting all the devices to a single switch in the DMZ a little less secure than directly connecting each one to a port on the ASA?

Instead of buying a separate switch, what if I'm cheap and I VLAN off a section of my production switch for the DMZ? Would that be considered a security risk?
0
qbakies Commented:
'Security risk' is a pretty relative term.  There is nothing inherently less secure about putting all your DMZ machines on a separate switch as opposed to using VLANs on a switch you already have.  The DMZ is going to have a different subnet than your LAN as well as a lower security-level than your inside interface, so no traffic will be able to travel from your DMZ to your inside unless you allow it with an ACL.
0
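The layout described in the answer above, as an added ASA configuration sketch that is not part of the original thread: one ASA port feeds the DMZ switch, the DMZ has its own subnet and a lower security-level, and a single ACL entry opens the one flow allowed to the inside. Interface numbers, names, addresses and the mail-filter flow are assumptions; NAT is left out because its syntax depends on the ASA software version.

```cisco
! Constructed example: interface numbers, names and addresses are assumptions.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! One ASA port uplinks to the DMZ switch; every DMZ host sits behind it.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
! The only hole to the inside: mail filter -> internal mail server, SMTP.
access-list DMZ_IN extended permit tcp host 192.168.50.10 host 10.0.0.25 eq smtp
! Explicitly block and log everything else from the DMZ to the inside subnet.
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0 log
! Once an ACL is bound to the interface, its implicit deny also replaces the
! default higher-to-lower permit, so outbound DMZ traffic must be allowed here.
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 any eq www
access-group DMZ_IN in interface dmz
```

Hosts that share the DMZ switch reach each other directly without crossing the ASA, so these rules only govern traffic leaving the DMZ segment.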

First Last (Author) Commented:
I will include your suggestions in my overall plan. Thank you!
0
qbakies Commented:
I also suggest you don't put servers in the DMZ that are part of your AD domain (if you have one), because you will have to open a bunch of holes just so the servers work correctly talking to the domain controller.  With a DMZ the fewer holes you need to punch to the inside the more secure you will be.
0