Monday, January 30, 2012

Creating DMZ on ASA for Virtual Infrastructure (Part 2)

The first post focused on configuring the firewall for our new DMZs; this post focuses on the physical switch configuration.  The physical switch is what provides end-to-end connectivity from our ASA firewall to our virtual infrastructure.  In the previous post we saw the overall logical design of our internal, external, and DMZ networks.  Below is a simplified version of the physical topology.




The Inside interface of the ASA plugs into our 3Com 4200G on port gi 1/0/1.  This port on our 3Com switch needs to be changed from Access mode to Trunk mode so that frames for VLANs 9 and 10 are 802.1Q-tagged as they egress towards the ASA (the ASA's Inside network itself continues to ride the trunk untagged as the native VLAN).  We will need to create VLANs 9 and 10 on the switch as well.  This is a Layer 3 switch, and it is noteworthy that I am deliberately not creating a VLAN (Layer 3) interface for VLAN 10, or for VLAN 9: an SVI on a DMZ VLAN would let the switch route between the DMZ and the internal network without the packets ever crossing the ASA for access control and inspection.  Below are the configurations for both a 3Com and a Cisco switch.  One Cisco caveat: on Catalyst platforms that also support ISL (the 3560/3750 series, for example), switchport trunk encapsulation dot1q must be configured before switchport mode trunk is accepted.


[3COM]

<3comS1> system-view
[3comS1] vlan 10
[3comS1-vlan10] description dmz_internal
[3comS1-vlan10] quit
[3comS1] vlan 9
[3comS1-vlan9] description dmz_external
[3comS1-vlan9] quit
[3comS1] interface GigabitEthernet 1/0/1
[3comS1-GigabitEthernet1/0/1] description trunk to asa
[3comS1-GigabitEthernet1/0/1] stp disable
[3comS1-GigabitEthernet1/0/1] port link-type trunk
[3comS1-GigabitEthernet1/0/1] port trunk permit vlan all

[CISCO]

CiscoS1#conf t
CiscoS1(config)#vlan 10
CiscoS1(config-vlan)#name dmz_internal
CiscoS1(config-vlan)#vlan 9
CiscoS1(config-vlan)#name dmz_external
CiscoS1(config-vlan)#exit
CiscoS1(config)#int gi1/0/1
CiscoS1(config-if)#description trunk to asa
CiscoS1(config-if)#switchport mode trunk
CiscoS1(config-if)#spanning-tree portfast trunk

The next step is to find the interfaces on the switch that connect our VMware servers.  These ports were also in Access mode by default.  We need to change these to Trunk mode to pass multiple tagged VLANs to the VMware servers, where the port groups on the host's virtual switch carry the matching VLAN IDs (9 and 10) and strip or add the tags for the guests.

[3COM]

<3comS1> system-view
[3comS1] interface GigabitEthernet 1/0/2
[3comS1-GigabitEthernet1/0/2] description trunk to vhost1
[3comS1-GigabitEthernet1/0/2] stp disable
[3comS1-GigabitEthernet1/0/2] port link-type trunk
[3comS1-GigabitEthernet1/0/2] port trunk permit vlan all

[CISCO]

CiscoS1#conf t
CiscoS1(config)#int gi1/0/2
CiscoS1(config-if)#description trunk to vhost1
CiscoS1(config-if)#switchport mode trunk
CiscoS1(config-if)#spanning-tree portfast trunk

We have now created trunk ports on our switch connecting our ASA and our virtual infrastructure.  There is end-to-end connectivity that will pass every VLAN created on either the ASA or in the virtual environment, because the trunks as configured permit all VLANs.  Disabling STP (3Com) or enabling PortFast (Cisco) on these ports is acceptable because neither the ASA nor an ESXi host participates in spanning tree.  Two hardening steps worth taking once everything works: prune each trunk to the VLANs it actually needs (the untagged Inside VLAN plus 9 and 10) instead of permitting all, so a VLAN added later does not silently appear on the firewall or the hosts, and on the Cisco side add switchport nonegotiate, since neither the ASA nor ESXi speaks DTP and there is no reason to leave trunk negotiation enabled.
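As an added example that is not part of the original post, the following Python script audits an IOS-style switch configuration for the two properties this design relies on: no Layer 3 VLAN interface on either DMZ VLAN (so the switch cannot route around the ASA) and trunks toward the ASA and ESXi hosts that carry only the VLANs the design needs, with DTP disabled. The two configurations it checks are constructed samples, not captures from a real switch, and the assumption that the Inside network rides untagged on native VLAN 1 of those trunks is mine, not something the post states. It understands Cisco IOS syntax only; the 3Com Comware syntax above would need its own parser.

```python
import re

# DMZ VLANs from the post. The trunk set assumes (my assumption, not stated
# in the post) that the Inside network is untagged on native VLAN 1.
DMZ_VLANS = {9, 10}
EXPECTED_TRUNK_VLANS = {1, 9, 10}

# Constructed IOS-style samples, not captured from a real switch.
WEAK_CONFIG = """\
vlan 9
 name dmz_external
vlan 10
 name dmz_internal
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet1/0/1
 description trunk to asa
 switchport mode trunk
 spanning-tree portfast trunk
interface GigabitEthernet1/0/2
 description trunk to vhost1
 switchport mode trunk
 spanning-tree portfast trunk
"""

HARDENED_CONFIG = """\
vlan 9
 name dmz_external
vlan 10
 name dmz_internal
interface GigabitEthernet1/0/1
 description trunk to asa
 switchport trunk allowed vlan 1,9,10
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
interface GigabitEthernet1/0/2
 description trunk to vhost1
 switchport trunk allowed vlan 1,9-10
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
"""


def parse_blocks(config):
    """Split IOS-style text into (header, sub_commands) blocks.
    Top-level commands start in column 0; sub-commands are indented."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def expand_vlan_list(spec):
    """Expand an IOS VLAN list like '1,9-10,20' into a set; 'all' is 1-4094."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit(config, dmz_vlans=DMZ_VLANS, trunk_vlans=EXPECTED_TRUNK_VLANS):
    """Return a list of findings; an empty list means the config matches the design."""
    findings = []
    for header, body in parse_blocks(config):
        svi = re.match(r"interface\s+vlan\s*(\d+)$", header, re.IGNORECASE)
        if svi:
            if int(svi.group(1)) in dmz_vlans:
                findings.append(f"{header}: SVI on a DMZ VLAN lets the switch route "
                                f"around the ASA; remove it")
            continue
        if not header.lower().startswith("interface ") or "switchport mode trunk" not in body:
            continue
        allowed = set(range(1, 4095))  # IOS default: a trunk carries every VLAN
        for cmd in body:
            m = re.match(r"switchport trunk allowed vlan\s+(add\s+)?(.+)$", cmd, re.IGNORECASE)
            if m:
                vlans = expand_vlan_list(m.group(2))
                allowed = (allowed | vlans) if m.group(1) else vlans
        extra = allowed - trunk_vlans
        if extra:
            findings.append(f"{header}: trunk carries {len(extra)} VLAN(s) outside the design "
                            f"{sorted(trunk_vlans)}; prune with 'switchport trunk allowed vlan'")
        if "switchport nonegotiate" not in body:
            findings.append(f"{header}: DTP still enabled toward a device that never "
                            f"negotiates trunking; add 'switchport nonegotiate'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak sample it reports the stray SVI on VLAN 10 plus an over-wide trunk and missing nonegotiate on each of the two trunk ports; the hardened sample produces no findings. Point audit() at the output of show running-config from a real switch to check a live build the same way.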
