Currently we have the DMZ ACL in the ASA firewall. One interface that was assigned as DMZ was connected to the core switch and within a VLAN. The server that was untagged to this DMZ VLAN will have the DMZ ACL applied to the inbound/outbound traffic. This was a quite simple setup. The issue I am facing now is: we are going to move the ASA firewall to the Colo rack, but the servers will stay in the central office. I am afraid this will not work.
Currently:

ASA 172.16.1.1, DMZ interface 10.254.254.0/24
|
Core switch 172.16.1.2, VLAN for DMZ server (10.254.254.0/24)
The ip route is to route 10.254.254.0/24 over to the ASA. So the ASA DMZ interface receives the traffic, applies the ACL, and the traffic then gets to the DMZ VLAN to reach the server.
Here is part of the new MPLS network:

(Colo) ASA 172.16.100.1, DMZ interface 10.254.254.0/24
|
router1
||
MPLS
||
router2
|
Core switch 172.16.1.2, VLAN for DMZ server (10.254.254.0/24)
As you can see, the ASA and the core switch are not in the same subnet any more. How can I make the DMZ work? I don't know how to make the ip route. Perhaps it just won't work this way. Perhaps I will have to just create the ACL within the core switch.