10-12-2011 04:55 PM - edited 03-11-2019 02:37 PM
I have been reading various best practice guides for the ASA. Some people seem to design the network with the inside interface of the ASA connecting to a /28 subnet on a layer 3 VLAN connected to a core switch. All other networks hang off the core switch and have to route to the core.
The guides seem to point out that sticking the ASA on a separate VLAN from the other networks reduces processing by the ASA of unnecessary traffic.
Can someone tell me if this is the best thing to do? Or just stick the inside on the main user vlan.
10-13-2011 02:10 PM
If you have one ASA then you don't even need a VLAN; you can use a routed P2P link. But if you have a pair of firewalls, or plan to have, then yes, I would use a dedicated VLAN for the ASA-to-switch connectivity.
There is the benefit of the ASA not having to process all the broadcast traffic in the user VLAN that you connect it into, but it can also have security benefits as well.
For example, let's say you used a proxy server in your network and all clients use this proxy server. So you implement ACLs on the L3 SVI to only allow traffic to that proxy server for unknown destinations (i.e. internet traffic). If you have the ASA in its own VLAN then this will work fine, i.e. the users have to use the proxy to get internet access.
But if you had the ASA in a user VLAN then a user could simply set their default gateway to the ASA, bypassing the proxy server altogether.
Whether or not they would get out depends on the NAT and ACL settings, but a lot of firewalls are deployed without an ACL on the inside interface and with quite open NAT settings.
It's basically just another check that is fairly trivial to implement.
Jon
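The design Jon describes, as an added configuration example (not from the original thread or from Cisco documentation): a dedicated /28 transit VLAN between the core switch and the ASA inside interface, an ACL on the user SVI that only lets users reach internal networks and the proxy, and an inside ACL on the ASA that only lets the proxy itself out. All VLAN numbers, addresses, the proxy host 192.168.100.5 on port 3128, and the ACL names are constructed for the example.

```cisco
! ---- Core switch (IOS), constructed example ----
! Transit VLAN: only the core SVI and the ASA inside interface live here,
! so no user host can point its default gateway at the ASA.
vlan 900
 name ASA-TRANSIT
!
interface Vlan900
 description Transit to ASA inside (10.255.0.1)
 ip address 10.255.0.2 255.255.255.240
!
! User VLAN: gateway is the core SVI, and the ACL below is applied inbound.
interface Vlan10
 description Users
 ip address 10.10.0.1 255.255.255.0
 ip access-group USERS-IN in
!
! Users may reach internal 10/8 networks and the proxy; any other
! (i.e. Internet) destination is dropped at the SVI, so the only way
! out is through the proxy.
ip access-list extended USERS-IN
 permit ip 10.10.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit tcp 10.10.0.0 0.0.0.255 host 192.168.100.5 eq 3128
 deny ip any any
!
! Default route from the core points at the ASA across the transit VLAN.
ip route 0.0.0.0 0.0.0.0 10.255.0.1

! ---- ASA, constructed example ----
! Inside interface sits in the transit /28 only.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.255.0.1 255.255.255.240
!
! Internal networks are reached back through the core SVI.
route inside 10.0.0.0 255.0.0.0 10.255.0.2
route inside 192.168.100.0 255.255.255.0 10.255.0.2
!
! Inside ACL: this is the check the answer says is often missing.
! Only the proxy may initiate outbound web and DNS traffic; anything
! that somehow reaches the inside interface from another host is denied.
access-list INSIDE-IN extended permit tcp host 192.168.100.5 any eq www
access-list INSIDE-IN extended permit tcp host 192.168.100.5 any eq https
access-list INSIDE-IN extended permit udp host 192.168.100.5 any eq domain
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
```

With this layout a user in VLAN 10 who changes their gateway to 10.255.0.1 gets nowhere, because that address is not on their subnet; the SVI ACL enforces the proxy-only policy, and the ASA inside ACL is a second, independent check in case the core ACL is removed or misconfigured. Note that if this were instead a single ASA on a routed point-to-point link, as Jon mentions, the same two ACLs apply unchanged; only the VLAN definition goes away.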
10-13-2011 09:23 AM
This question is better suited for the Security Community than the Wireless Community.