<div>
DHCP - no unless you are using/needing those services<br />
DNS - I would configure for inside/DMZ using internal DNS servers
</div>


<div>
dns - I would configure for inside/dmz using internal dns servers<br />
<br />
question 1. &nbsp;when I 1st configured my asa out of the box clean I disabled the dmz part currently as I did not think I required this until I decided to maybe setup a vpn &nbsp;?
</div>


<div>
DMZ is intended for public facing devices (ex. web server) you want to separate from your internal network. This &quot;zone&quot; allows for public access while protecting your inside network without having to allow that traffic to pass internally. VPN is secure access to the inside network and that is not the intended use of a DMZ.
</div>


<div>
well currently I am only using the built-in asa dhcp and my static ip provided via my isp using my isp's dns to get internet access...so this is not needed in this case..!
</div>


<div>
question 1. &nbsp;later I do wish to connect my internal windows 2008/dns/dhcp server installed all on 1 server, so would I have to build another 2nd server for dns to fit inside the dmz on another subnet &nbsp;as ive not done it this way before ?
</div>


<div>
note: &nbsp;currently my asa built-in dhcp is on the same class c classful subnet that my windows 2008 server is on but currently the windows 2008 server is not physically connected and currently switched off until I have my asa configured correct.
</div>


<div>
hi Spartan, am I right to think that way as per last 2 comments &nbsp;?
</div>


<div>
Your internal server will not impact anything with the firewall. I would recommend you move DHCP server to your 2008 server and off of the ASA. You don't need a DNS server on the DMZ, this is unnecessary. Your internal server will and can manage DNS just fine. <br />
<br />
This is an example of a three zone firewall:<br />
<br />
Internal: Inside interface E0/1: 192.168.1.1 on a 192.168.1.x/24 <br />
<br />
External: Outside interface E0/0: x.x.x.x/252 ISP public address<br />
<br />
DMZ: DMZ interface E0/2 10.11.1.1 on a 10.11.1.x/24 subnet<br />
<br />
This allows &quot;true&quot; separation of networks at the firewall level so you can put a less secure device (Web server) in the DMZ and still protect it without having to put it in your internal network and expose yourself to a security hole. <br />
<br />
I hope this explains what you are looking for.
</div>


<div>
ok understood..!! but if I use another subnet for the dmz ie 10.11.1.1 on a 10.11.1.x/24 is it a physical machine I add or what &nbsp;?
</div>


<div>
Like Spartan said, move DHCP of the ASA to your server (when you're ready for it). You will have a lot more functionality when you do.<br />
<br />
With regards to the DMZ: what are you planning on running there?
</div>


<div>
hi ernie..thats not my understanding.<br />
<br />
i didnt ask about use of dmz 'spartan' did. so that is why i asked questions further.<br />
<br />
currently my win 2008 ad/dns/dhcp is on 1 server but not switched on &amp;&nbsp;using only 1 class c classful subnet.<br />
<br />
so if i put dhcp in dmz i assume i would need another physical server on separate subnet ..?
</div>


<div>
Ah, ok.<br />
<br />
Well, depends on what you will be putting in the DMZ. Normally you use the DMZ to make machines/servers accessible from the internet (webservers and stuff). Because most of the time there are only servers in there (which should have a static IP), there would be no need for DHCP.
</div>


<div>
question 1. &nbsp;currently I have nothing in the dmz and the only other feature I wish to configure eventually is for vpn access but I assume for this a 'dmz' is not required &nbsp;?<br />
<br />
question 2. &nbsp;im not sure if a user was using their pc/laptop via a vpn to access their email if I would therefore put an exchange server in the 'dmz' &nbsp;?<br />
<br />
question 3. &nbsp;I assume if a user did not have a vpn but used a web browser to access files on the company server or email, then it would make sense to have a 'dmz' with a specific file server or email server in place &nbsp;?
</div>


<div>
1. No, DMZ is not required nor recommended for VPN use. VPN allows for secure access to your internal network. A DMZ is a less secure area outside of your internal network. <br />
<br />
2. You would NOT put an Exchange server in a DMZ, only a gateway device (Load balancer, SPAM filter, TMG/Forefront server for Exhange).<br />
<br />
3. Exchange has &nbsp;a web version that can be access by people you allow and does not require a DMZ. File shares are not something you expose to a DMZ, that should only be allowed to be accessed inside of your network.
</div>


<div>
question 1. so i assume then a dmz is for multiple external networks connected for eg in a star topology but need access to dhcp &amp;&nbsp;dns for eg ?
</div>


<div>
im aware most networks wil have a local dhcp/dns server anyhow for fault tolerance redundancy reasons ?<br />
<br />
i suppose a dmz is only used probably in instances these days via an isp company ?
</div>


<div>
Well, it looks like Spartan has covered this nicely :)
</div>


<div>
<div class="content wysiwyg-content">
hi I am currently configured for a single ip class c subnet address via 1 x asa 5505 via asdm ver 7.1 gui<br />
<br />
my pc's are connected via a 3 triage cisco switch topology like a router on a stick and all have internet access<br />
<br />
question 1. &nbsp;I wanted to know is there anything that I should configure in the dns &amp;&nbsp;dhcp via my asdm screenshot attached with what I currently have setup so far &nbsp;?<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/03_w13/1088355/asa-dns-dhcp-screenshot-asdm.pdf" target="_blank" class="file-inline" title="asa asdm dns dhcp screenshot (293 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>asa-dns-dhcp-screenshot-asdm.pdf</a>
</div>
</div>


asa-dns-dhcp-screenshot-asdm.pdf

hi I am currently configured for a single ip class c subnet address via 1 x asa 5505 via asdm ver 7.1 gui

my pc's are connected via a 3 triage cisco switch topology like a router on a stick and all have internet access

question 1.  I wanted to know is there anything that I should configure in the dns & dhcp via my asdm screenshot attached with what I currently have setup so far  ?

asa 5505 asdm gui dns dhcp query

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.

Hardware Firewalls

A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.

Routers

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).