Just a few questions. We are looking to deploy a Cisco ASA 5545 into a network. I have a couple of issues with designing the network correctly.
We need to be able to scale out to more hosts than a single VLAN; we would also be considering adding a 4948E switch behind the ASA and potentially a stack in front.
The problems are:
1) If we have an outside stack of public 4948E (so we can connect some hosts outside the firewall, such as additional ASAs running in NAT mode) for VPN, is this a reliable, recommended configuration? The reason being we need to have the ability to add other separate ASA-protected networks that we don't want going through the 5545, as it's going to quickly run it out of capacity. If I have the L3 switch stack in front, I'm guessing we would have a small subnet to link upstream and then sub-subnet into two blocks, one on the inside interface and one on the L3 switch for the other hosts? Or would it be better to let the upstream provider do this, and then just get them to provide us with two smaller subnets rather than one big one? As below, if we do the L3 stack ourselves we would need two small subnets, one to communicate with upstream and one to link the ASA subnets. This seems like a waste of IPs. I was wondering if I could use internal IP space on the L3 > ASA link, but I thought that could be an issue for bogon lists.
2) If I want to extend the inside network (the Cisco ASA would not run NAT, just public IPs on the inside, routed to the outside interface of the ASA) there are two ways: use the ASA to create subinterfaces/VLANs (but that would be routed via the ASA; may be a performance hit?) or use an L3 switch behind the ASA. How does one accomplish running an L3 switch behind the ASA properly?
Looking forward to your feedback. Also, if anyone is interested in discussing this outside the forum for a fee, I would be happy to do this.
1. What is your reason for running layer 3 between your ISP and the ASA? I would keep them layer 2. You can put multiple ASAs on the same public IP space.
2. Do you have a large enough address space to run public IPs on all your network devices? Personally I would do everything I can to stay away from that. If firewall performance is important to you, then putting a layer 3 switch behind the ASA makes sense. Routing is simple: the layer 3 switch would have all your SVIs (default gateways for your LAN hosts). Traffic between the VLANs would route on the switch itself, called inter-VLAN routing, and the default gateway for all traffic would be the inside interface of the ASA.
I hope this makes sense and feel free to ask any questions for clarification.
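The "layer 3 switch behind the ASA" layout from point 2 above, as an added configuration example that is not from anyone in this thread. Addresses are constructed from the 203.0.113.0/24 documentation range and stand in for the real public block: the ISP hands a /29 to the ASA outside interface, a second /29 links the ASA inside interface to the 4948E, and two /26 server VLANs live behind the switch. Interface names, VLAN numbers and the ACL are assumptions for illustration.

```cisco
! Added example, not from the thread. All 203.0.113.x addresses are constructed.
! Plan: ISP -> ASA outside (203.0.113.0/29), ASA inside <-> 4948E (203.0.113.8/29),
! server VLANs 10 and 20 behind the switch (203.0.113.64/26 and 203.0.113.128/26).

!---- Catalyst 4948E (layer 3 switch behind the ASA) ----
ip routing
!
vlan 10
 name SERVERS-A
vlan 20
 name SERVERS-B
vlan 99
 name ASA-TRANSIT
!
! Transit link toward the ASA inside interface
interface Vlan99
 ip address 203.0.113.10 255.255.255.248
!
! SVIs are the default gateways for the server VLANs; traffic between
! VLAN 10 and VLAN 20 routes here and never touches the ASA
interface Vlan10
 ip address 203.0.113.65 255.255.255.192
interface Vlan20
 ip address 203.0.113.129 255.255.255.192
!
interface GigabitEthernet1/1
 description uplink to ASA inside
 switchport mode access
 switchport access vlan 99
!
! Everything not local goes to the ASA inside interface
ip route 0.0.0.0 0.0.0.0 203.0.113.9

!---- ASA 5545 (no NAT; public addresses routed straight through) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 203.0.113.9 255.255.255.248
!
! Default route toward the ISP, plus return routes for the VLANs that sit
! behind the switch; without these, replies to the servers are dropped
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 203.0.113.64 255.255.255.192 203.0.113.10
route inside 203.0.113.128 255.255.255.192 203.0.113.10
!
! With no NAT, the outside ACL is the only thing between the Internet and
! the servers: permit what is published, deny and log everything else
access-list OUTSIDE_IN extended permit tcp any 203.0.113.64 255.255.255.192 eq 443
access-list OUTSIDE_IN extended permit tcp any 203.0.113.128 255.255.255.192 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Two things to check once this is in place. First, the ISP must route the server /26s (and the transit /29) to the ASA outside address, 203.0.113.2 here, which is the change the later posts discuss. Second, because inter-VLAN traffic stays on the switch, the ASA never inspects it; if the server VLANs should not talk to each other freely, put `ip access-group` ACLs on the SVIs or move that boundary back onto the ASA.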
Yes, we do require all devices to have a public IP. It is a network of servers only; anything that is not front end is obviously on a different network.
I hear you re L3 switching in front. Would that not be a problem with an upstream /29 routing block? I.e., they would not like to make any changes other than route the larger blocks to an IP on our side.
Routing a larger (or additional) address space would be handled by the ISP. You would have to change your subnet mask, but that should be it.
Would the ISP not have to know the outside IP of the ASA that the additional block is behind, though? This means we have to go back to them to change stuff, and they are not exactly wanting to do that. We also don't want to tier ASAs behind one another.
I thought L3 switches because then we can sub-subnet our networks as we see fit.
Yes, they would have to know so they can route to it. Will the address space be from a different carrier or the same one? If it's the same one, they already know it. I agree on the layer 3 switch.