Firewall and Wireless router configuration

Serpent2010
Level 1

Hi there,

I have

INTERNET <=========> ASA5525 <========> Linksys Wireless Router -------- Clients

What is the best method for configuring the ASA5525 with this Linksys router to protect those clients?

1> Shall I put the Linksys in bridge mode and use the ASA5525 as the DHCP router; or

2> Make the Linksys the DHCP server and give the ASA5525 a static IP?

Any advice for configuring this topology with best security practice, please?


6 Replies

seanvaid
Level 3

Best security practice would be to completely separate LAN and WLAN.

In most secure environments, WiFi is a convenience for user devices (cellphones, tablets, etc.) or guests, and communication to the production environment is an unnecessary risk.

For example, in my environment, we have a Comcast modem that has multiple hand-offs. One is used specifically for WiFi and the other for the internal LAN.

Accepted Solution

This is an interesting response, but the responder does not seem to have paid much attention to the original post. The response discusses the risks of wireless access and possible access to production environments. But the original post was pretty clear that the wireless environment (and any wired connections from the Linksys) was the "production" environment.

To the original poster: if we knew more about your environment we would be able to provide better advice. For example, we do not know about your connection from the ASA to the Internet, and whether the ISP is providing only a single public IP to use on the ASA, or perhaps a public IP for the ASA and additional IPs to use for address translation.

My first reaction was to suggest that you offload the DHCP from the ASA and let the Linksys do the DHCP. But that probably implies that the Linksys would also do address translation. That would work OK if there were a public address that the Linksys could use. But if the only public IP is on the ASA, then you may wind up with the Linksys doing address translation and then the ASA translating again to use the public IP. So perhaps the safe suggestion would be for the Linksys to be set up as a bridge and the address translation to be done on the ASA.

From a security perspective I am not sure that there is much difference between having the ASA doing DHCP and address translation or having the Linksys doing DHCP and address translation.

HTH

Rick

Thank you for the reply.

Both wired and wireless are separated into two different VLANs with different security levels.

The ISP provides one single public IP to the ASA5525, and there is no public IP for the Linksys.

So, I will go with the Linksys as a bridge.

I agree that moving the load (DHCP) from the ASA to the Linksys router is recommended; however, the key problem with this approach is that the ASA loses visibility and control.

In other words, the ASA would not be able to control the traffic (ACLs) for a single host or group of hosts, as they will be hidden behind the Linksys router.

I appreciate any further suggestion.

Thanks for the additional information. If the ISP provides only a single public IP, then I agree with you that the Linksys as a bridge is the appropriate approach.

HTH

Rick

One last thing, please:

Do you recommend using the Linksys as the DHCP server with NAT disabled?

Saying this, the Linksys segment will be feasible to the ASA for further ACLs.

Your advice is appreciated.

I am not sure that I fully understand your question. I am not clear whether the Linksys operating in bridge mode can do DHCP and not NAT, but if it can then I would be in favor of doing this.

I am not understanding what you are asking about "feasible", but I believe that you may be asking about the ASA filtering packets received from the Linksys. The ASA should be fully capable of using access lists to evaluate traffic received from the Linksys and to control that traffic.

HTH

Rick
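A worked configuration for the arrangement the thread settles on (Linksys in bridge mode, single public IP, ASA doing DHCP, address translation and per-host ACLs), added here as an example; it is not configuration posted by anyone in the thread. The interface names, the 192.168.10.0/24 inside subnet, the DHCP pool, the DNS server, and the printer at 192.168.10.50 are assumptions, and the NAT syntax is the ASA 8.3+ object form.

```cisco
! Added example, not from the thread. Assumptions: inside subnet 192.168.10.0/24,
! ASA inside address 192.168.10.1, ISP hands the single public IP to the ASA
! by DHCP, interface names, and a printer at 192.168.10.50 that must not reach
! the Internet.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! DHCP served by the ASA. Because the Linksys is only bridging, every client
! (wired or wireless) gets its lease here and shows up in "show dhcpd binding".
dhcpd address 192.168.10.100-192.168.10.200 inside
dhcpd dns 9.9.9.9
dhcpd lease 86400
dhcpd enable inside
!
! Single public IP: PAT all inside hosts to the outside interface address.
! This is the only translation on the path; nothing is double-NATed.
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Per-host control on the inside interface. The ASA sees each client's real
! source address, so a single host can be singled out before translation.
! The printer sits outside the DHCP pool so its address is stable.
object network PRINTER
 host 192.168.10.50
access-list INSIDE_IN extended deny ip object PRINTER any
access-list INSIDE_IN extended permit ip 192.168.10.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
```

The contrast with option 2 in the original post (Linksys routing and translating, ASA given a static address on the Linksys WAN side) is the point Serpent2010 raised: in that case every packet arriving at the ASA's inside interface carries the Linksys WAN address as its source, so an ACL like `INSIDE_IN` cannot tell the printer from any other client, and traffic is translated twice, once by the Linksys and again by the ASA to the single public IP. With the Linksys bridging, `show dhcpd binding` lists each client, `show xlate` shows one translation per flow from the client's real address, and `show access-list INSIDE_IN` hit counts confirm the deny line is matching the printer.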