ASA Interfaces best practice

aconticisco (Level 2)

Hi,

On an ASA (8.4), should the servers such as Active Directory be behind the same interface as the office network PCs and then separated on different VLANs? (Or split up and behind different ASA interfaces?)

In a basic setup I believe that only 3 interfaces are enough (inside, DMZ, outside). This would mean that the servers (excluding front-end servers, which would be in the DMZ) will be behind the inside interface alongside the end users' computers.

Let me know any suggestions/best practices, even by linking documentation, so that I configure these 3 interfaces correctly in terms of security levels and access.

thanks
Accepted Solution

jj27 (Spotlight)

Depending on the size of the network, I've seen most companies use a different VLAN for their users and for their servers, but they both live on the "inside" interface of the firewall. Front-end web-facing servers typically live in the DMZ. Unless there is an explicit reason to route your user traffic destined for your servers through a firewall (sometimes PCI or other regulations are the reason), you should not need any more interfaces than the 3 you mentioned.

So:
Inside security level = 100
DMZ security level = 50
Outside security level = 0

Set up NAT and access-lists accordingly.

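As an added example (not from the original post and not taken from Cisco documentation), here is a minimal ASA 8.4 configuration that implements the three-interface layout and the 100/50/0 security levels from the accepted answer. The interface names, the addressing (203.0.113.0/29 on the outside, a 10.10.0.0/24 user VLAN and a 10.20.0.0/24 server VLAN behind a core switch at 10.10.0.2 on the inside, 172.16.1.0/24 in the DMZ), the object names, and the web server at 172.16.1.10 are all assumptions for illustration.

```text
! --- Interfaces and security levels (the three the thread settles on) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Default route out, plus the server VLAN that the core switch (assumed
! 10.10.0.2) routes behind the inside interface. Users (10.10.0.0/24) and
! servers (10.20.0.0/24) are separate VLANs but both sit behind "inside".
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.20.0.0 255.255.255.0 10.10.0.2 1
!
! --- Objects and NAT (8.3+ object NAT; ACLs below match real, untranslated IPs) ---
object network inside-users
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network inside-servers
 subnet 10.20.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network dmz-web
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.3
!
! --- Access lists ---
! Outside (0) -> DMZ (50): only what the public needs to reach.
access-list outside_in extended permit tcp any object dmz-web eq 80
access-list outside_in extended permit tcp any object dmz-web eq 443
access-group outside_in in interface outside
!
! DMZ (50) -> inside (100) is denied by default, but DMZ -> outside (0) is
! allowed by default. Applying an ACL on dmz keeps Internet access for the
! DMZ hosts while making the "no DMZ to inside" rule explicit, so a
! compromised front end cannot reach AD or the other internal servers.
access-list dmz_in extended deny ip any 10.0.0.0 255.0.0.0
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
!
! Inside (100) -> DMZ/outside is permitted by default (higher to lower),
! so no ACL is needed on inside unless you want to restrict user egress.
```

If a DMZ host legitimately needs something on the inside (a database port, for example), add a specific permit for that host and port above the deny in dmz_in rather than removing the deny; once an ACL is applied to an interface, anything not explicitly permitted is dropped.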

Great, yes, in fact I want to simulate a network as close as possible to a real corporate one. In fact I forgot to mention the management side, where management servers are used to manage the network. Are these also to go behind the inside interface, and again on a separate VLAN?

Thanks

Yes, usually people have a separate management network (VLAN) for their switches, server KVM management interfaces, etc.  Again, it all depends on how big the network is.  If it's a 10-PC and 1-2 server network with one switch, it may be a little overkill to segment it that much.
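Following on from the separate management VLAN suggested above, here is an added example (not from the original post, and going a little beyond it) of restricting the ASA's own management plane so that only that VLAN can reach it. The management VLAN 10.30.0.0/24, the core switch at 10.30.0.2 on the inside side, the syslog collector at 10.30.0.20, the hostname, domain name and username are assumptions; the password is a placeholder.

```text
! Assumed: management VLAN 10.30.0.0/24, routed by the core switch
! (10.10.0.2) like the other inside VLANs, so reached via "inside".
route inside 10.30.0.0 255.255.255.0 10.10.0.2 1
!
! hostname and domain-name are required before an RSA key can be generated.
hostname asa1
domain-name example.com
crypto key generate rsa modulus 2048
!
! SSH and ASDM/HTTPS only from the management VLAN and only arriving on the
! inside interface: the user VLAN, the DMZ and outside cannot even open the
! session. Telnet is left disabled (no "telnet" lines at all).
ssh 10.30.0.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
http server enable
http 10.30.0.0 255.255.255.0 inside
!
! Require a login; a local account is shown, a RADIUS/TACACS+ server group
! would replace LOCAL. <strong-password> is a placeholder to replace.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
username netadmin password <strong-password> privilege 15
!
! Syslog to a collector in the management VLAN (assumed host 10.30.0.20)
! so that the ACL denies above are actually recorded somewhere.
logging enable
logging timestamp
logging trap informational
logging host inside 10.30.0.20
```

The ssh and http lines are allow-lists: a source not matched by one of them gets no TCP handshake at all, which is the main point of putting the management tools on their own VLAN in the first place.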
