449 Views, 0 Helpful, 4 Replies

ASA 5512-X routing within a WAN

andrew kwayu
Level 1

Hello,

My LAN is currently protected by a firewall with an internal IP of 172.16.16.16. I would like to have a Cisco ASA 5512-X placed inside this firewall to further protect my LAN from the WAN through NATing and Access Lists within an internal network of 172.16.0.0/20. I would also like to place a web server in a DMZ with internal IPs and have the web services and mail available to the outside world as well as insiders! How can I go about doing that in ASA version 9.2(2)?

Thanks!

4 Replies

Collin Clark
VIP Alumni

Why do you not trust your WAN? NAT and ACL'ing your WAN sounds like an administrative nightmare.

Oliver Kaiser
Level 7

Hi Andrew,

I am not sure if I got your requirements correctly but let me recap.

You currently have a firewall to protect your internal network from the WAN doing NAT/ACLs. Now you want an additional firewall to do additional NAT/ACLs?

Having a 2nd firewall doing exactly the same as the first firewall (NAT/Stateful Inspection) is kind of redundant. If you want to use ASA to secure your network you may use it instead of your current firewall (in case you even need a new firewall?).

You can implement a DMZ by creating a new network (physical or logical via VLANs) and route your DMZ network directly on the firewall. Access to/from the DMZ can be secured by using ACL and you may use NAT to present your public services to the WAN.

In case you need any additional security features like IPS, URL Filtering, Malware Protection, etc. you may want to take a look at FirePOWER Services.

Let me know if that answers your question

I have an internal LAN within a WAN and there is this firewall. I would like to add this ASA 5512-X firewall between the firewall and my LAN so that I can have additional restrictions on what people can access outside, such as Yahoo Mail, as well as be able to put some servers accessible to the outside world such as web services.

Are you saying I can put my entire LAN in the DMZ and route to the WAN? How would that be implemented, plus how do I make some server services available to the outsiders, as well as insiders in the LAN?

Thanks 

Do you really need a second firewall? From what I understand you have a firewall between your internal LAN and the WAN (Internet).

In case you want to block traffic based on L7 criteria like URL & Application you may want to use ASA with FirePOWER Services.

If you want to create a DMZ for your servers, create a separate VLAN for the servers that host internet-facing services and route that VLAN on the firewall to achieve segmentation from the internal trusted network. This way you can implement Access Control Lists (ACLs) and permit/deny traffic.
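As an added illustration of the design described in both of Oliver's replies (a DMZ on its own VLAN, routed on the ASA, with ACLs for segmentation and static NAT to present a server towards the outer firewall), here is an ASA 9.x-style configuration. It is not from the thread or from Cisco; the interface names, VLAN 10, the DMZ subnet 192.168.100.0/24, the server address 192.168.100.10, the ASA outside address 172.16.16.20 and the translated address 172.16.16.80 are all assumed for the example. Only 172.16.16.16 (the existing firewall) and 172.16.0.0/20 (the LAN) come from the original post.

```cisco
! --- Interfaces: security levels drive the default trust direction ---
! outside faces the existing firewall at 172.16.16.16 (address assumed)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.16.20 255.255.255.0
!
! inside is the trusted LAN 172.16.0.0/20 from the original post
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.240.0
!
! DMZ lives on its own VLAN (802.1Q subinterface), routed on the ASA
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! Everything not local goes to the existing firewall
route outside 0.0.0.0 0.0.0.0 172.16.16.16
!
! --- Objects ---
object network INSIDE-NET
 subnet 172.16.0.0 255.255.240.0
 nat (inside,outside) dynamic interface
!
! Public-facing server in the DMZ (address assumed). The outer firewall
! is expected to forward its public ports to 172.16.16.80.
object network WEB-SRV
 host 192.168.100.10
 nat (dmz,outside) static 172.16.16.80
!
object-group service PUBLIC-PORTS tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
!
! --- ACLs: only the published ports may enter from outside ---
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV object-group PUBLIC-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! DMZ hosts may never initiate towards the LAN; allow only DNS/NTP outbound
access-list DMZ-OUT extended deny ip any object INSIDE-NET log
access-list DMZ-OUT extended permit udp any any eq domain
access-list DMZ-OUT extended permit udp any any eq ntp
access-list DMZ-OUT extended deny ip any any log
access-group DMZ-OUT in interface dmz
!
! LAN users reach the server on its real DMZ address and the WAN freely;
! tighten this list once the allowed outbound services are known
access-list INSIDE-OUT extended permit tcp object INSIDE-NET object WEB-SRV object-group PUBLIC-PORTS
access-list INSIDE-OUT extended permit ip object INSIDE-NET any
access-group INSIDE-OUT in interface inside
```

Because ACLs on the ASA are evaluated before NAT in 9.x, OUTSIDE-IN refers to the server's real address (the `WEB-SRV` object), not the translated one. Insiders reach the server on 192.168.100.10 directly through the routed DMZ; if they must use the same name as outsiders, point the internal DNS at the real address rather than relying on hairpinning through the outer firewall. Blocking specific web mail sites by URL, as asked in the thread, is not something this ACL-only configuration does; that is the L7 case Oliver points to FirePOWER Services for.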
