cisco ASA DMZ with failover in switch c4507R

Dears in expert exchange

I have the topology in the attach file what I required is the below:

-      Can I configure the data VLAN and DMZ for the server in the same switch C4507R . according what is mentioned in the topology .
All the servers should be connected to the core switch C-4507R  with 10 Gb fiber link and the data PCs  and wireless should be also connected to the same switch , I put in my mind the throughput of the switch , what I need is that , is it possible to configure the network as shown in the topology .
please  this case is urgent to me and i am waiting for your respond
Best regards
Have a good day

Eng . Ziad Ismail Al-Showaiter

Network & Electronic Telecom  Engineer
Net Technology - HQ
P.O.Box: 18491, Sana'a - Yemen
Tel: +967  01 446000 , Fax:+967 1 446100
Mobile :+967 735810273 , Email :
Who is Participating?
kellemannConnect With a Mentor Commented:
I just took a closer look at your drawing, and according to the addresses, the ISP will have the address, the same address you intend to use for the SMTP-server. It might just be a typo, but if not adjust the addresses accordingly.

Here is something to get you started.

There needs to be NAT statements on the 2951 router if the network between the router and ASA is running on private addresses. The syntax is something like this, but I don't have a router available right now, so please verify:

ip nat inside source static

The NAT part (full one-to-one translation):

object network obj-
 nat (inside,outside) static

The access part:

access-list outside-in extended permit tcp any object obj- eq smtp
access-list outside-in extended permit icmp any object obj-

In case you have an access-list attached on the DMZ, you'll need something like this as well to get ping going:

access-list dmz-in extended permit icmp object obj- any
ziadalshowaiterAuthor Commented:
Any update regarding below !!!!!!!!!
Hi Ziad.

Yes, you can connect the infrastructure as your diagram shows. According to your topology the ports for the DMZ on the 4507 would be configured for access mode, and not trunks.

Depending on what you wish to achieve regarding redundancy, you could also connect the two 2951 routers to the core (using separate VLANs of course). This would enable you to build an ASA hardware cluster, provided you have the spare ip addresses and correct license on the firewall.

More on that here:
We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

ziadalshowaiterAuthor Commented:
Dear kellemann

no problem in ASA fail over , but i need to configure the outside interface of the ASA to be connected to the routers , so i all the traffic coming from outside go for the ASA . and then to the DMZ , for the separate VLAN , you mean the outside interface Of the ASA should be in separated VLAN ?
if you have any modification for the topology i am waiting for your respond  

best regards
Are the two routers in the same ip subnet in the segment facing the ASA firewalls? If so, you only need a single outside firewall zone. If they are in different subnets the firewalls will need an additional outside interface in order to route traffic to the different destinations (internet and VPN).
ziadalshowaiterAuthor Commented:
Dear Mr.kellemann

could plesae help me how i can do the configration of tow outside interface for th ASA in order i can route the trafic to the VPN and the internet .

also i need  your help , how i can configuer ADSL interfcae in cisco router 2951From the CLI ?

best regards .
If you can post a sanitized config I can give you some hints on how to do the config. I also need some "dummy" ip addresses for the VPN and Internet routers in order to show the commands.
Configuration of the ADSL interface is outside the scope of the original question (and outside my expertise), and I would recommend you start a separate question on EE in the correct section.
ziadalshowaiterAuthor Commented:
Dear mr.kellemann

the required configration is as shown in the topology .

if i used public ips in in the DMZ does it required nat between the data vlan and the DMZ ?

i will use private ips between the ASA and the routers does it required  NAT between the ASA and the Router .

suppose i have only  one public ip in the  outside interface of the router can i do NAT only in the router ?

best regards
ziadalshowaiterAuthor Commented:
could help me with the following case

i can not ping the DMZ server from the inside interface . the running configration  is in the attach file
ICMP how-to here:

Regarding the dual outside-interface setup, you should just consider the interface with the VPN as yet another zone on the firewall, nothing special about it. Here is an example

interface GigabitEthernet0
 description Internet ADSL
 nameif outside
 security-level 0
 ip address

interface GigabitEthernet1
 description VPN Tunnel
 nameif vpn
 security-level 25
 ip address

route outside
route vpn x.x.x.x y.y.y.y

You didn't provide the subnet on the other side of the VPN, hence the x.x.x.x subnet and y.y.y.y subnetmask.

No NAT is required if you are using public IPs in the DMZ. You will of course still need access-lists to permit traffic in the first place.

If you only have a single public IP on the router, you will need to do NAT locally on the router if you want to permit incoming traffic from the internet to the inside of the ASA.
ziadalshowaiterAuthor Commented:
dear Mr.kellemann

thank you so much for that it  was perfect and it solve the problem perfectly

- i still need your help in NAT process , i will use Public IPs in the DMZ and one public ip in the outside of the router , but between the  ASA outside interface  and the router i will use private IP who i can make the NAT process between the ASA and the router in a way i make the servers in the DMZ public .
- the topology i will do some how similar to the one in the attach file .

best regards
ziadalshowaiterAuthor Commented:
Please any update
Sorry for the late reply, I've been a bit swamped.
If you plan on using public ip addresses directly on the DMZ, you don't need to do any NAT. You only need to allow the proper access for outside addresses directly to the public addresses in the DMZ.
For example to allow FTP (TCP 21):

access-list outside-in extended permit tcp any host eq ftp

Just make sure you don't have any dynamic NAT rules active when coming from the DMZ, otherwise your public DMZ addresses will get translated to the outside address of the firewall.
ziadalshowaiterAuthor Commented:
Dear mr

the costumer gave up on the idea of using the public ip in the DMS instead of that we will have full subnet /27 at the exit interface of the router , any way he want from me to do the nat in the ASA not in the router the topology is in the attch file, i removed the fail-over till i finish the nat configuration .

- the inside network /24
- the DMZ network /24
- the network between the ASA and the router
-the public ip range is (for example)

the user in the inside should get internet
the dmz servers (SMTP , ... ) should able to access the internet  .
from outside the user in the public network should be able to access the smtp server at the DMZ .

i tried to do the configuration  my self but i still can not ping the server from outside even if i make it allowed by the ACL

please do me favor and show me how i can do the nat in the asa so that servers can access the internet and the users can access the servers from the internet .
and ping should be enabled.
ziadalshowaiterAuthor Commented:
please any update for this !
What is the version of the ASA software? It is significant in order to get the correct NAT statements.
ziadalshowaiterAuthor Commented:
the IOS in ASA 8.6
the ASDM is 7.32
the pubic ip subnet is
the public ip should b static for the smtp server
the public ip should be static for the cetrix server
the reset public IPs will be configuer in dynamic nat for the reset user

best regards
ziadalshowaiterAuthor Commented:
dear Mr.kellemann
when i wrote static ip i mean static nat for the server , but generally the server will have private ip and then static nat for public ip .

best regards
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.