ASA & INTERVLAN ROUTING DESIGN

pr3d4t0r_gr (Level 1)

I have 2 ASA 5512-X with FP services and I would like to add a DMZ network for another company.

My question here is:

Both ASA's will connect to the layer 3 switch.

Layer 3 switch will have 3 vlans, vlan2 for users, vlan3 for servers and vlan4 for management. Layer3 switch will be connected with several layer2 switches via trunk links.

For the link between the layer 3 switch and the ASAs, should I create a separate VLAN and add the ports as access ports?

If yes, if I add WCCP for the WSA, should the WSA be on the same VLAN as the ASAs' inside IP address?

If yes, should the default route for the switch be the inside interface of the ASA?

If yes, should I add static routes to the ASA so that users from another zone would be able to access the new network?

Thanks in advance.

Accepted Solution

Richard Burts (Hall of Fame)

You tell us about two ASA5512 with FP services but you do not tell us whether these will be configured and operate as a failover pair or as two independent ASAs. Can you clarify?

You mention the ASAs and layer 3 switches. But you do not indicate whether you intend to do the inter-VLAN routing on the layer 3 switch or on the ASA. This would make a difference in what you configure. My suggestion would be to do inter-VLAN routing on the layer 3 switch and just pass traffic to the ASA that needs access to outside. If you do inter-VLAN routing on the layer 3 switch then you would want to make the connection from the switch to the ASA an access port in a separate VLAN. If you want to do inter-VLAN routing on the ASA then the switch connection needs to be a trunk.

If you choose to do WCCP, the WSA should be on the same VLAN as the inside interface.

Yes the default route for the switch should use the ASA inside interface IP address as the next hop.

I do not understand your question about another zone. Can you provide clarification?

HTH

Rick



7 Replies


Hi Richard, and thank you for your reply.

Both ASAs are in Active/Standby mode. Inter-VLAN routing will be performed on the layer 3 switch.

So since the ASAs will be on a different VLAN (both inside interfaces) from the users and the servers, and since I would use WCCP, you are saying that my WSA has to be on the same VLAN as the ASAs?

VLAN2-ASA VLAN - 192.168.1.0/24

VLAN3-USERS VLAN - 192.168.2.0/24

VLAN4-SERVERS VLAN - 192.168.3.0/24

VLAN5-MGMT VLAN - 192.168.4.0/24

Thanks.

Thanks for confirming that the ASAs will be configured as active/standby failover pair and that routing will be done on the layer 3 switch. So both of the ASAs and the layer 3 switch would have interfaces and IP addresses in vlan 2. The ASA would have route statements for the subnets of vlans 3 and 4 and 5 with the next hop being the layer 3 switch address but would not have any active involvement in those vlans.

I need to change what I said about WCCP. With WCCP the ASA needs to use the same interface to reach users and the WSA. And in this design that would be the case. The WSA could be in the same vlan as users and not necessarily in the vlan that connects the switch and the ASAs.

HTH

Rick
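To make the design Rick describes concrete, here is an added configuration example (not from the thread, and not Cisco's own documentation) for the layer 3 switch and the ASA failover pair: SVIs for VLANs 2 to 5 on the switch, one access port in VLAN 2 towards each ASA, a trunk to the layer 2 switches that carries only the user/server/management VLANs, a default route on the switch to the ASA inside address, and static routes on the ASA back to the switch. The subnets are the ones listed in the thread; the host addresses (.1 for the ASA inside, .3 for the standby unit, .2 for the switch SVI), the interface numbers and the VLAN names are assumptions.

```cisco
! Added example, not from the thread. Inter-VLAN routing is done on the
! layer 3 switch; the ASA active/standby pair sits in VLAN 2 behind access
! ports. Host addresses, interface numbers and VLAN names are assumptions.
!
! ---- Layer 3 switch (Cisco IOS) ----
ip routing
!
vlan 2
 name ASA-TRANSIT
vlan 3
 name USERS
vlan 4
 name SERVERS
vlan 5
 name MGMT
!
interface Vlan2
 description transit VLAN towards the ASA inside interface
 ip address 192.168.1.2 255.255.255.0
interface Vlan3
 ip address 192.168.2.1 255.255.255.0
interface Vlan4
 ip address 192.168.3.1 255.255.255.0
interface Vlan5
 ip address 192.168.4.1 255.255.255.0
!
! One access port per ASA (active and standby) in the transit VLAN
interface GigabitEthernet1/0/1
 description ASA-primary inside
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
interface GigabitEthernet1/0/2
 description ASA-secondary inside
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
! Trunk to a layer 2 access switch; the transit VLAN is deliberately not carried
interface GigabitEthernet1/0/24
 description trunk to L2 access switch
 switchport mode trunk
 switchport trunk allowed vlan 3-5
!
! Anything not in a locally connected VLAN goes to the ASA inside address
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! ---- ASA 5512-X (configured on the active unit; failover replicates it) ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.3
!
! Return routes for the internal VLANs point back at the switch's VLAN 2 SVI
route inside 192.168.2.0 255.255.255.0 192.168.1.2
route inside 192.168.3.0 255.255.255.0 192.168.1.2
route inside 192.168.4.0 255.255.255.0 192.168.1.2
!
! Default route towards the ISP (next hop is a placeholder, not a real address)
route outside 0.0.0.0 0.0.0.0 <ISP_NEXT_HOP>
```

On switch platforms that still negotiate the trunk encapsulation (3560/3750 family) `switchport trunk encapsulation dot1q` has to precede `switchport mode trunk`. Verify with `show ip route` on the switch and `show route` plus `show failover` on the ASA. One consequence of this design to keep in mind: because inter-VLAN routing happens on the switch, user-to-server and user-to-management traffic never crosses the ASA or its FirePOWER services, so any filtering between those VLANs has to be applied on the switch itself, for example with an access list bound to the SVI via `ip access-group`.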


Thank you Richard.

One more question. In case I configure another VLAN for users, VLAN6, where will the WSA be?

You had indicated that vlan 3 would be for users. Now you are suggesting that vlan 6 will be for users. I am not clear whether you are suggesting that there will be two vlans for users (both 3 and 6) or whether vlan 6 replaces vlan 3. If it is replacement then it is simple and WSA is in the new vlan for users. If both vlans will be used then you choose which one you want the WSA to be in.

HTH

Rick


Richard,

Let me explain.

Let's say I create the following VLANs:

VLAN2-ASA VLAN - 192.168.1.0/24

VLAN3-USERS VLAN - 192.168.2.0/24

VLAN4-SERVERS VLAN - 192.168.3.0/24

VLAN5-MGMT VLAN - 192.168.4.0/24

VLAN6-GUESTS VLAN - 192.168.5.0/24

and I want to filter all outgoing internet traffic with the WSA using the WCCP protocol.

Where should I place the WSA?

Thank you.

Let me begin by being clear that, while I am familiar with WSA, this is not a particular area of strength for me. So there might be some in the forum who are more expert with this and might suggest something a bit different. But based on what I know about WCCP I would put it into one of the VLANs on the layer 3 switch, perhaps the management VLAN. The WSA certainly does not need to be directly connected to the ASA.

HTH

Rick 
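As an added example (not from the thread, and not Cisco's documentation) of the placement Rick suggests: the WSA sits in the management VLAN and the ASA uses WCCP to redirect HTTP from the user and guest VLANs to it. The WSA address 192.168.4.10, the ACL names and the shared-secret placeholder are assumptions; the VLAN subnets and the ASA inside address 192.168.1.1 follow the addressing used earlier in the thread.

```cisco
! Added example, not from the thread. Transparent HTTP redirection from the
! ASA to a WSA in the management VLAN. 192.168.4.10, the ACL names and the
! password placeholder are assumptions.
!
! Defensive first entry: the WSA's own outbound HTTP must never be redirected
! back to itself, even if the permit entries below are widened later
access-list WCCP_REDIRECT extended deny tcp host 192.168.4.10 any eq www
! Client traffic to redirect: HTTP from the users VLAN and the guests VLAN
access-list WCCP_REDIRECT extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list WCCP_REDIRECT extended permit tcp 192.168.5.0 255.255.255.0 any eq www
!
! Only the WSA may register with the ASA as a member of the service group
access-list WCCP_SERVERS extended permit ip host 192.168.4.10 any
!
! Service "web-cache" (service 0) covers TCP/80. The password must match the
! one configured on the WSA; it stops unauthenticated hosts from joining.
wccp web-cache redirect-list WCCP_REDIRECT group-list WCCP_SERVERS password <SHARED_SECRET>
!
! Redirection is applied to traffic entering the inside interface. The ASA
! requires clients and the WSA to be reachable through this same interface,
! which holds here because all internal VLANs sit behind the layer 3 switch.
wccp interface inside web-cache redirect in
!
! The ASA reaches the WSA's VLAN through the switch's VLAN 2 address
route inside 192.168.4.0 255.255.255.0 192.168.1.2
```

On the WSA side the matching WCCP service is configured with the ASA inside address (192.168.1.1 here) as the router, the same service (web-cache) and the same password. `show wccp` on the ASA shows whether the WSA has registered and whether packets are being redirected. The group-list and the password are the controls that prevent any other inside host from registering as a cache and receiving user traffic, so neither should be left out. Service 0 covers port 80 only; HTTPS interception needs a dynamic WCCP service number agreed between the ASA and the WSA.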
