cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


1608
Views
5
Helpful
23
Replies
Hall of Fame Guru

Re: Pre-sale question regarding ASA 5520

edited

Hall of Fame Guru

Re: Pre-sale question regarding ASA 5520

3 ports on the switch in VLAN 10 say, this VLAN is a public VLAN and will take the two network drops and send it to the 1 WAN port on the ASA (outside).

Yes

Then I would have a 1 LAN port (inside) on the ASA with a internal IP range with NAT enabled, connected to VLAN 20 say... this would be 192.168.20.0/24 for example and contain all switches, KVM over IP and other devices for

management.

Yes, although whether you need NAT depends on how you access them. If you only use RA VPN then you probably don't need to NAT but if you want to access them without RA VPN using one of your spare /29 addresses then yes you would need NAT.

I'd also like a seperate VLAN30 for shared storage, backups, etc. Is that possible to add to this config? I expect it's not a good idea to allow this onto the management VLAN.

Yes it's fine. Do you have an internal L3 switch/router that is respnsible for inter-vlan routing ?  If you do then to the ASA it is just another vlan/subnet you allow access to and you would route to this vlan via the ASA inside interface.

If you wanted to route off the ASA then you could either use subinterfaces on the inside interface one for vlan 20 and one for vlan 30 and then connect to the inside interface to your switch with a 802.1q trunk link. Or you could just use another one of the interfaces on the ASA as you have them spare.

You are right, i would recommend you keep the 2 functions ie. management and backups etc. on different vlans.

And VLAN 40 for DMZ for example, which would be a physical interface connecting to the switch?

Yes it would be. As a general rule of thumb if you have the physical interface to spare then use a physical interface. You only really use 802.1q subinterfaces when you have run out of physical interfaces.

One last point. If you don't actually need to present any of your vlan 20/30 devices on public IPs (remember with RA VPNs you can access them on their private IPs) then you can actually disable NAT altogether on the firewall with the "no nat-control" command. With an internet facing ASA it is unusual to do this though because you do generally want to present some internal private IPs as public IPs for access from the internet.

Jon

Beginner

Re: Pre-sale question regarding ASA 5520

That all makes sense. The switch being considered is the 2960-S, so it isn't L3. In which case what do you think would be a logical way forward? To get a L3 switch instead?

Regarding NAT I would need outbound internet access from the management network, so it would need to translate those. Plus there may be a requirement to open something up for a HTTPS web interface or something.

Hall of Fame Guru

Re: Pre-sale question regarding ASA 5520

Gareth 

As for a L3 switch or not. It depends. There are 2 situations in which i think it is okay to route the vlans off the ASA -

1) in small environments (number of vlans)  i think it is okay to use suibinterfaces on the ASA or actually in your case you could use a physical interface as it spare. If cost is an issue then by all means use the ASA. With a spare interface bandwidth would not be of much an issue although be aware if you are doing backups between vlans then this could adversely affect the firewall.

Obviously if you subinterfaces then you are splitting the available bandwidth between the vlans. 

2) in environments that have high security requirements and can actually justifty the need to firewall between all or most vlans

Other than that i would always go with a L3 switch for internal inter-vlan routing because that is what they are designed for. ASA firewalls can route between vlans but the ASA is a firewall first and foremost and not a router. The configuration, in my opinion is much easier to maintain on a L3 switch.

Edited - removed bit about no nat-control as you do need NAT.

Jon

Beginner

Re: Pre-sale question regarding ASA 5520

Does that not mean in theory that if I do this at the switch level I could risk someone hopping the VLAN onto the management network?

I'm not sure whats the best way to approach this. Obviously I'd much prefer to keep the ASA to firewall duty.

The data will be kept on the backup VLAN only and won't require any access to other VLANs other than from the VPN in which to manage the backup devices. I was basically thinking of having a seperate network feed to the servers which is connected directly to the backup network, so it's not hopping from the public VLAN to the backup VLAN.

Hall of Fame Guru

Pre-sale question regarding ASA 5520

Does that not mean in theory that if I do this at the switch level I could risk someone hopping the VLAN onto the management network?

You can use L3 acls on the vlan interfaces on the L3 switch but yes these are not as secure as stateful firewalls. It really is down to exactly what you requirements are in terms of security and only you can really decide that.

Basically with a L3 switch you should think of the firewall as protecting your LAN from the outside. It does not protect your vlans from one another internally. This has 2 main implications -

1) internal users can access other vlans without going through the firewall. This is a normal setup and while it is undoubtedly certain that the majority of attacks come from your internal network whether you need a firewall is really only something you can decide.

2) external people gain access to one server on a vlan then jump to other vlans.

Both scenarios can be mitigated with other tools as well as firewalls such as the ASA ie. host firewalls/L3 acls/IPS/IDS etc. but you have to make a call on how far you want to go with this.

If your backup vlan only needs access from the RA VPN and does not need to route to any other vlan then there is a good argument to use the spare interface on the ASA for this with the only proviso being that of bandwidth. But if all traffic is kept internal to that vlan (which it sounds like it is if it doesn't need access to any other vlans) then that would not really be a concern.

Jon

Highlighted
Beginner

Re: Pre-sale question regarding ASA 5520

If I am thinking correctly, it shouldnt be too much of an issue really. Since I have available physical interfaces I can just create the VLANs on the 2960-S and then just use physical interfaces to connect them up to the ASA. I doubt I need much intervlan routing other than for the VPN to access management and backup network IP ranges (both private IP address space).

Hall of Fame Guru

Re: Pre-sale question regarding ASA 5520

Gareth

You replied just as i was typing out my last answer.

Basically pretty much yes to what you have just said.

Jon

Beginner

Re: Pre-sale question regarding ASA 5520

Sorry about that

Sounds like the way forward is as we have discussed. I think a L3 switch is probably overkill for a small rack of servers at the moment.

Thank you for all your help Jon! I will go ahead and look at purchasing the gear this week.