cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2368
Views
5
Helpful
23
Replies

Pre-sale question regarding ASA 5520

gareth_r52
Level 1
Level 1

We are looking to deploy an ASA 5520, but I need to know if it is possible for it to work in this environment.

We have colo space, with two IP ranges. They provide two network drops, one from each switch connected to different routers. One in which has 4 usable IP's for management purposes. This address range will be used only for remote access to the ASA and VPN into the management VLAN. The management VLAN will have all internal devices such as the switches, etc. The second range is for the servers, of which will be assigned directly to the hosts and the ASA will need to act as just a firewall. I can do this on IOS, but not sure about the ASA.

I need to answer the following questions:

  1. Does the ASA support dual network drops, and would this be a failover port configuration in order for it to work?
  2. A management VLAN with outbound internet access only, and VPN/RA capability. NAT will need to be used I'm guessing.
  3. Can we have a DMZ VLAN which has defined ports, say 80, 443 and 25 inbound and outbound. I need the hosts to have the public IP assigned to them with no NAT configuration.

I know there are some advantaged to using NAT, but I really can't use it because the applications behind prefer public IP's being assigned to them.

Any ideas on if this can be done would be good. I just don't want to purchase an ASA without checking the above is fully possible.

23 Replies 23

edited

Jon Marshall
Hall of Fame
Hall of Fame

3 ports on the switch in VLAN 10 say, this VLAN is a public VLAN and will take the two network drops and send it to the 1 WAN port on the ASA (outside).

Yes

Then I would have a 1 LAN port (inside) on the ASA with a internal IP range with NAT enabled, connected to VLAN 20 say... this would be 192.168.20.0/24 for example and contain all switches, KVM over IP and other devices for

management.

Yes, although whether you need NAT depends on how you access them. If you only use RA VPN then you probably don't need to NAT but if you want to access them without RA VPN using one of your spare /29 addresses then yes you would need NAT.

I'd also like a seperate VLAN30 for shared storage, backups, etc. Is that possible to add to this config? I expect it's not a good idea to allow this onto the management VLAN.

Yes it's fine. Do you have an internal L3 switch/router that is respnsible for inter-vlan routing ?  If you do then to the ASA it is just another vlan/subnet you allow access to and you would route to this vlan via the ASA inside interface.

If you wanted to route off the ASA then you could either use subinterfaces on the inside interface one for vlan 20 and one for vlan 30 and then connect to the inside interface to your switch with a 802.1q trunk link. Or you could just use another one of the interfaces on the ASA as you have them spare.

You are right, i would recommend you keep the 2 functions ie. management and backups etc. on different vlans.

And VLAN 40 for DMZ for example, which would be a physical interface connecting to the switch?

Yes it would be. As a general rule of thumb if you have the physical interface to spare then use a physical interface. You only really use 802.1q subinterfaces when you have run out of physical interfaces.

One last point. If you don't actually need to present any of your vlan 20/30 devices on public IPs (remember with RA VPNs you can access them on their private IPs) then you can actually disable NAT altogether on the firewall with the "no nat-control" command. With an internet facing ASA it is unusual to do this though because you do generally want to present some internal private IPs as public IPs for access from the internet.

Jon

That all makes sense. The switch being considered is the 2960-S, so it isn't L3. In which case what do you think would be a logical way forward? To get a L3 switch instead?

Regarding NAT I would need outbound internet access from the management network, so it would need to translate those. Plus there may be a requirement to open something up for a HTTPS web interface or something.

Gareth 

As for a L3 switch or not. It depends. There are 2 situations in which i think it is okay to route the vlans off the ASA -

1) in small environments (number of vlans)  i think it is okay to use suibinterfaces on the ASA or actually in your case you could use a physical interface as it spare. If cost is an issue then by all means use the ASA. With a spare interface bandwidth would not be of much an issue although be aware if you are doing backups between vlans then this could adversely affect the firewall.

Obviously if you subinterfaces then you are splitting the available bandwidth between the vlans. 

2) in environments that have high security requirements and can actually justifty the need to firewall between all or most vlans

Other than that i would always go with a L3 switch for internal inter-vlan routing because that is what they are designed for. ASA firewalls can route between vlans but the ASA is a firewall first and foremost and not a router. The configuration, in my opinion is much easier to maintain on a L3 switch.

Edited - removed bit about no nat-control as you do need NAT.

Jon

Does that not mean in theory that if I do this at the switch level I could risk someone hopping the VLAN onto the management network?

I'm not sure whats the best way to approach this. Obviously I'd much prefer to keep the ASA to firewall duty.

The data will be kept on the backup VLAN only and won't require any access to other VLANs other than from the VPN in which to manage the backup devices. I was basically thinking of having a seperate network feed to the servers which is connected directly to the backup network, so it's not hopping from the public VLAN to the backup VLAN.

Does that not mean in theory that if I do this at the switch level I could risk someone hopping the VLAN onto the management network?

You can use L3 acls on the vlan interfaces on the L3 switch but yes these are not as secure as stateful firewalls. It really is down to exactly what you requirements are in terms of security and only you can really decide that.

Basically with a L3 switch you should think of the firewall as protecting your LAN from the outside. It does not protect your vlans from one another internally. This has 2 main implications -

1) internal users can access other vlans without going through the firewall. This is a normal setup and while it is undoubtedly certain that the majority of attacks come from your internal network whether you need a firewall is really only something you can decide.

2) external people gain access to one server on a vlan then jump to other vlans.

Both scenarios can be mitigated with other tools as well as firewalls such as the ASA ie. host firewalls/L3 acls/IPS/IDS etc. but you have to make a call on how far you want to go with this.

If your backup vlan only needs access from the RA VPN and does not need to route to any other vlan then there is a good argument to use the spare interface on the ASA for this with the only proviso being that of bandwidth. But if all traffic is kept internal to that vlan (which it sounds like it is if it doesn't need access to any other vlans) then that would not really be a concern.

Jon

If I am thinking correctly, it shouldnt be too much of an issue really. Since I have available physical interfaces I can just create the VLANs on the 2960-S and then just use physical interfaces to connect them up to the ASA. I doubt I need much intervlan routing other than for the VPN to access management and backup network IP ranges (both private IP address space).

Gareth

You replied just as i was typing out my last answer.

Basically pretty much yes to what you have just said.

Jon

Sorry about that

Sounds like the way forward is as we have discussed. I think a L3 switch is probably overkill for a small rack of servers at the moment.

Thank you for all your help Jon! I will go ahead and look at purchasing the gear this week.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: