We are looking to purchase an ASA 5520 or an ASA 5510. What we need are a few zones, and I'm not sure if this is possible or how it would be configured; I need to be 100% sure the configuration works before buying. I am looking at a ZBF config as that is what I am comfortable with. Our ISP provides 3 blocks of IP addresses: one /29 for our main company network, another /29 for whatever we need it for (I was thinking of using this for management access?), and a /28 for our servers.
Also, currently we use a transparent mode firewall (Cisco 1801), but we never required an internal network because there were no additional switches, etc.
1st Zone (Management - 192.168.4.0/24) - This will contain all our switches and network devices besides servers. It could also contain DRAC and iLO interfaces. This zone requires VPN access, so we can manage the servers and switches off-site from our company network. This could (and maybe should) be assigned an external IP from our second /29 range and also serve as remote ASDM / SSH management.
2nd Zone (Public DMZ / Transparent Firewall Public /28) - This will contain our main server interfaces, each configured with public IPs. We strictly do not want to use NAT at all. Transparent firewall is probably a little more preferable, but if we need to go routed then that is fine. It is also possible that our ISP may provide another /28 block in the future if we expand past our current IP range.
3rd Zone (Undecided Private Network) - In future we might want to use a private network for server-to-server communication, separate from the public internet, for security reasons (and backups). This should be as easy as creating a VLAN, but I thought I would mention it in case.
Zone 1 should have just inbound VPN (terminated on the ASA if at all possible, or do we route this through to another hardware endpoint such as a Cisco 1801?), SSH and ASDM access, and a static external (public IP) with internal (private IPs).
Zone 2 is basically just no-NAT public routed. The servers will have public IPs. However, we still need to firewall each server.
Zone 3 is not really important, but mentioned anyway.
I am assuming VLANs are the best way forward here, as we'll be using a separate Cisco 2960 switch.
Please advise if this is possible with a stock ASA 5510 or ASA 5520?
The ASA firewalls all traffic, so there is no concept of zones like you have in IOS. Looking at your requirement descriptions, I don't see a problem with the ASA being configured to handle any of them. However, the configuration will be very different from IOS, so keep that in mind.
For your VPN to zone 1, you can do either IPsec or AnyConnect VPN with a split-tunnel ACL to only encrypt traffic to your management subnet. Use an outbound ACL on that interface to restrict traffic further.
For Zones 2 and 3, you do not need to NAT, but the configuration may be different depending on the software you are running on the ASA. Up to version 8.2, just make sure nat-control is disabled and you don't have any NAT rules configured for that interface. For 8.3 and later, there is no concept of nat-control, so just don't configure any NAT and the ASA will route the traffic like normal.
I hope this helps.
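As an added illustration of the routed-mode, no-NAT layout and the split-tunnel VPN described in the answer above (this is an example written for this thread, not the poster's or Cisco's configuration): it assumes ASA 9.x, that the ISP routes the /28 to the ASA's /29 address, and uses the documentation range 203.0.113.0/24 and a made-up VPN pool in place of the real blocks; interface and object names are also assumed.

```cisco
! Added example, not from the thread. Assumes ASA 9.x in routed mode and that the ISP
! routes the /28 to the ASA's outside address. 203.0.113.0/24 is a placeholder range.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 203.0.113.17 255.255.255.240
interface Ethernet0/2
 nameif mgmt
 security-level 100
 ip address 192.168.4.1 255.255.255.0
! Default route to the ISP gateway on the /29.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Zone 2 (dmz): no "nat" lines exist anywhere, so the ASA routes the public /28
! unchanged. Inbound from the Internet is denied unless permitted per server here.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.20 eq https
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.21 eq smtp
access-list OUTSIDE_IN extended permit icmp any 203.0.113.16 255.255.255.240 echo
access-group OUTSIDE_IN in interface outside
! Zone 1 (mgmt): AnyConnect clients get a pool outside the mgmt subnet, and the
! split-tunnel list sends only traffic for 192.168.4.0/24 through the tunnel.
! (webvpn enablement and the AnyConnect image lines are left out of this fragment.)
ip local pool VPN_POOL 192.168.250.10-192.168.250.50 mask 255.255.255.0
access-list SPLIT_MGMT standard permit 192.168.4.0 255.255.255.0
group-policy MGMT_GP internal
group-policy MGMT_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_MGMT
tunnel-group MGMT_TG type remote-access
tunnel-group MGMT_TG general-attributes
 address-pool VPN_POOL
 default-group-policy MGMT_GP
! Outbound ACL on mgmt: traffic leaving the ASA toward the management hosts is
! limited to SSH and HTTPS from the VPN pool; anything else is dropped.
access-list MGMT_OUT extended permit tcp 192.168.250.0 255.255.255.0 192.168.4.0 255.255.255.0 eq ssh
access-list MGMT_OUT extended permit tcp 192.168.250.0 255.255.255.0 192.168.4.0 255.255.255.0 eq https
access-group MGMT_OUT out interface mgmt
! On 8.2 and earlier, the zone 2 equivalent is "no nat-control" with no nat/static rules.
```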
I did hear that the ASA does not support VPN while working in transparent mode, which is by far (from what I've heard) the best way to deploy the device.
In which case, for the management VLAN/VPN, is it best to fire that off to another device? Maybe an ISR 1800?
Transparent mode is the easiest way to deploy the firewall in an existing network. There are no performance benefits from transparent mode, and I would discourage anyone from saying one mode is better than the other. They are different, they serve different roles, and they have different features.
In your case, the ASA in routed mode can do everything you require; however, it will use an IP address for its own interfaces.
Thank you. Routed mode it is, I think; it's the only way we can have a management (private VLAN) too, by the looks of it.
Finally, the router / management interface and NAT will operate on the /29 block. The /28 block, how do we route this? It has its own gateway and is not subnetted on our device but on the ISP's.
Imagine, say (internal testing IPs, for example only):
126.96.36.199/24 Gateway 188.8.131.52
184.108.40.206/24 Gateway 220.127.116.11
Initial testing shows I need to create a static route; is there a preferred way of doing this? I know how to create them, but I've not worked with multiple subnets provided by ISPs before, because it's always been done in house rather than upstream.