https://community.cisco.com/t5/network-security/asa-interfaces-best-practice/m-p/2435127#M268064 <P>Depending on the size of the network, I've seen most companies use a different VLAN for their users and for their servers, but they both live on the "inside" interface of the firewall. &nbsp;Front-end web-facing servers typically live in the DMZ. &nbsp;Unless there is an explicit reason to route your user traffic destined for your servers through a firewall (sometimes, PCI or other regulations are the case) then &nbsp;you should not need any more interfaces than the 3 you mentioned.</P><P>So:<BR />Inside security level = 100<BR />DMZ security level = 50<BR />Outside security level = 0</P><P>&nbsp;</P><P>Setup NAT and access-lists accordingly.</P> Tue, 25 Mar 2014 16:46:47 GMT jj27 2014-03-25T16:46:47Z https://community.cisco.com/t5/network-security/asa-interfaces-best-practice/m-p/2435126#M268054 <P>Hi,</P><P>on an ASA (8.4) should the Servers such as Active Directory be behind the same interface as the Office Network pc's and than seperated on different VLAN's ? (Or split-up and behind different ASA interfaces?)</P><P>In a basic setup I believe that only 3 interfaces are enough (inside, DMZ, outside). This would mean that the Servers (excluding front end servers which would be in DMZ) will be behind the inside interface along end users computers.&nbsp;</P><P>Let me know any suggesstions/best practices even by linking documentation so that I configure these 3 interfaces correctly in terms of security levels and access.</P><P>&nbsp;</P><P>thanks</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 03:59:34 GMT https://community.cisco.com/t5/network-security/asa-interfaces-best-practice/m-p/2435126#M268054 aconticisco 2019-03-12T03:59:34Z https://community.cisco.com/t5/network-security/asa-interfaces-best-practice/m-p/2435127#M268064 <P>Depending on the size of the network, I've seen most companies use a different VLAN for their users and for their servers, but they both live on the "inside" interface of the firewall. &nbsp;Front-end web-facing servers typically live in the DMZ. &nbsp;Unless there is an explicit reason to route your user traffic destined for your servers through a firewall (sometimes, PCI or other regulations are the case) then &nbsp;you should not need any more interfaces than the 3 you mentioned.</P><P>So:<BR />Inside security level = 100<BR />DMZ security level = 50<BR />Outside security level = 0</P><P>&nbsp;</P><P>Setup NAT and access-lists accordingly.</P> Tue, 25 Mar 2014 16:46:47 GMT https://community.cisco.com/t5/network-security/asa-interfaces-best-practice/m-p/2435127#M268064 jj27 2014-03-25T16:46:47Z https://community.cisco.com/t5/network-security/asa-interfaces-best-practice/m-p/2435128#M268073 <P>Great yes in fact I want to simulate a network as much as possible to a real corporate one. In fact I forgot to mention the management side where management servers are used to manage the network - are these also to go behind the inside interface and again on a seperate VLAN ?</P><P>&nbsp;</P><P>Thanks</P> Wed, 26 Mar 2014 19:56:36 GMT https://community.cisco.com/t5/network-security/asa-interfaces-best-practice/m-p/2435128#M268073 aconticisco 2014-03-26T19:56:36Z https://community.cisco.com/t5/network-security/asa-interfaces-best-practice/m-p/2435129#M268078 <P>Yes, usually people have a separate management network (VLAN) for their switches, server KVM management interfaces, etc. &nbsp;Again, it all depends on how big the network is. &nbsp;If it's a 10-PC and 1-2 server network with one switch, it may be a little overkill to segment it that much.</P> Wed, 26 Mar 2014 20:12:51 GMT https://community.cisco.com/t5/network-security/asa-interfaces-best-practice/m-p/2435129#M268078 jj27 2014-03-26T20:12:51Z