https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095072#M393060 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>Currently we have 35 vlans but this may increase and keeping future expansion in consideration, we want to move the default gateways to the Core Switches. This is the current design we are planning.</P><P></P><P></P><P>Internet------&gt;EdgeRouters-------&gt;ExtFirewall(NAT,VPN)-------&gt;DMZ-Switches(Two stacked switches for redundancy, DMZ servers connect here)--------&gt;InternalFirewall( Intervlan Restriction)--------&gt;CoreSwitch--------&gt;Aggregators--------&gt;Topof the rack switch.</P><P></P><P>Any suggestions on the above design or best practice considerations will be helpful.</P></BODY></HTML> Fri, 11 Jan 2013 22:19:18 GMT Nick wfd 2013-01-11T22:19:18Z https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095068#M393056 <P>Hi,</P><P></P><P>Currently i am in the process of designing a data center, in our current setup we have the default gateways of all vlans configured on a ASA 5520.</P><P>In the new design we are planning to bring down the default gateways from the ASA to the core switches (4500x). But there is a requirement of firewalling intervlan traffic. we also have two firewalls.</P><P></P><P>how can we design to use one firewall to restrict traffic between vlans and also configure the dmz on it, and another external firewall to handle NAT, site to site and remote access VPN. Is connecting two firewalls back to back&nbsp; a good design, Please suggest.</P><P></P><P>Thanks</P> Tue, 12 Mar 2019 00:45:43 GMT https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095068#M393056 Nick wfd 2019-03-12T00:45:43Z https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095069#M393057 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Whats behind the decision to move the GWs from the ASAs to the Core switches?</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 11 Jan 2013 17:46:21 GMT https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095069#M393057 Jouni Forss 2013-01-11T17:46:21Z https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095070#M393058 <HTML><HEAD></HEAD><BODY><P> The number of vlans have increased and also considering performance, we are planning to move the GWs from the ASAs to the core switches.</P></BODY></HTML> Fri, 11 Jan 2013 18:23:52 GMT https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095070#M393058 Nick wfd 2013-01-11T18:23:52Z https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095071#M393059 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Do you have any specific numbers related to the numbers of current/future Vlan IDs and the performance/throughput required by the setup?</P><P></P><P>Have you been expiriencing problems already with the current setup which lead to this?</P><P></P><P>I know you are planning on using the current firewalls but I just want to get some idea of your current setup.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 11 Jan 2013 19:32:54 GMT https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095071#M393059 Jouni Forss 2013-01-11T19:32:54Z https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095072#M393060 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>Currently we have 35 vlans but this may increase and keeping future expansion in consideration, we want to move the default gateways to the Core Switches. This is the current design we are planning.</P><P></P><P></P><P>Internet------&gt;EdgeRouters-------&gt;ExtFirewall(NAT,VPN)-------&gt;DMZ-Switches(Two stacked switches for redundancy, DMZ servers connect here)--------&gt;InternalFirewall( Intervlan Restriction)--------&gt;CoreSwitch--------&gt;Aggregators--------&gt;Topof the rack switch.</P><P></P><P>Any suggestions on the above design or best practice considerations will be helpful.</P></BODY></HTML> Fri, 11 Jan 2013 22:19:18 GMT https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095072#M393060 Nick wfd 2013-01-11T22:19:18Z https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095073#M393061 <HTML><HEAD></HEAD><BODY><P>Nick,</P><P></P><P>Are you looking for another vendor for this solution? I have seen Juniper firewall (SRX5800) have good limit to configure vlans on it.</P><P></P><P>since this is Cisco forum, lets stick to some basic rules <SPAN __jive_emoticon_name="laugh" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P></BODY></HTML> Sun, 13 Jan 2013 06:45:52 GMT https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095073#M393061 Jigar Dave 2013-01-13T06:45:52Z https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095074#M393062 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>From what I can understand I dont think there are many options to go for if you want to keep a firewall controlling the traffic through all of the Vlans. Naturally having the gateways being at the firewall would be the ideal situation when it comes to controlling the traffic. Only using the firewall to route traffic out from those Vlans would naturally mean you couldnt control any traffic between them unless you start configuring extended ACLs on the core device itself. But this would naturally become troublesome to configure, troubleshoot and manage.</P><P></P><P>I would probably look into the possibility of getting a brand new firewall that can handle being the gateway for Vlans and if you currently have 2x ASA5520 you could maybe look into (as you have) using them for both ACL/NAT and VPN purposes. Each firewall would then have a pretty simple role in the network and therefore they would be easier to manage.</P><P></P><P>Heres some good brief documents on the Cisco firewall models</P><P></P><P>They provide information on the throughput performance, Vlan support, etc</P><P></P><P></P><P>ASA 5500 Series</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf</A></P><P></P><P>ASA 5500-X Series</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf</A></P><P></P><P>- Jouni</P></BODY></HTML> Sun, 13 Jan 2013 12:51:19 GMT https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095074#M393062 Jouni Forss 2013-01-13T12:51:19Z https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095075#M393063 <HTML><HEAD></HEAD><BODY><P>Agree with Jouni. There is no need to move the GWs from the ASAs to the Swtich.&nbsp; </P><P></P><P>Check this datasheet link: </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html</A></P><P></P><P>Pls. look for "Virtual Interfaces (VLANs)" for each of the models. Our ASA5510 alone can support can support 100 vlans with security plus license.</P><P></P><P>Pls. join me on my upcoming webcast on Tue Jan 15th and ask away your questions.</P><P></P><P>-Kureli</P><P></P><P><A class="jive-link-external-small" href="https://community.cisco.com/community/netpro/expert-corner">https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts</A></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; margin: 10px 0px; font-family: Arial, Helvetica, sans-serif; line-height: 16px;"><STRONG style="border-collapse: collapse; list-style: none;"><SPAN style="font-size: 14pt;">Upcoming Live Webcast in</SPAN> English<SPAN style="font-size: 14pt;">:</SPAN> January 15, 2013</STRONG><BR /><STRONG style="border-collapse: collapse; font-size: 14pt; list-style: none; ">Troubleshooting ASA and Firewall Service Modules</STRONG></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; margin: 10px 0px; font-family: Arial, Helvetica, sans-serif; line-height: 16px;"><A href="http://tools.cisco.com/gems/cust/customerQA.do?METHOD=E&amp;LANGUAGE_ID=E&amp;SEMINAR_CODE=S17664&amp;PRIORITY_CODE=cisco%20" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">Register today for this Cisco Support Community live webcast.</A> </P></BODY></HTML> Sun, 13 Jan 2013 14:11:44 GMT https://community.cisco.com/t5/network-security/firewall-design-question/m-p/2095075#M393063 Kureli Sankar 2013-01-13T14:11:44Z