Cisco L3 Switch and ASA between vlans

LordBoBCUP
Level 1

Hi,

 

I'm looking at a topology where I have a layer 3 core switch that hosts an SVI for each VLAN. I have many 'LAN' VLANs (computers, voice, wifi, etc.) and then a number of DMZ VLANs, also with SVIs on the core switch, but I want to use the ASA as a firewall between the LAN and DMZ VLANs, with the ASA also being the default gateway for the network and hosting the internet connection.

 

Is this achievable, or are there flaws in this design?

 

I sort of envisage it being a single trunk between the L3 switch and the ASA, g1/0/1<->g1/1, and then potentially another trunk for the DMZ, g1/0/2<->g1/2, with g1/3 being the internet on the ASA. Typically the DMZ subnets will be isolated; however, there is a core set of services required across all of them (internet DNS and authentication).

 

I am looking at a single ASA, so no standby config considerations; it's also a single core switch, which makes it a tad easier.

 

I am looking for recommendations on simple designs that will allow me to firewall off the LAN from the DMZ, the DMZs from each other, and also NAT out to the internet and VPN endpoints.

 

Thanks in advance,

Alex

3 Replies

Dennis Mink
VIP Alumni

Yes, you can, for instance, do a routed port on your core with a /30 subnet and connect the other end to the ASA as the inside network. Then the default gateway on the core switch is the inside IP of the ASA in the /30.

 

For your DMZ, create a VLAN, say 999, and call it DMZ. Do not put an IP address on the core switch in this VLAN. Connect the core to the ASA's DMZ physical interface (leaving it in VLAN 999). Put an IP address on the DMZ interface of the ASA and use it as the default GW for all DMZ machines.

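The routed-link design described in the reply above, written out as an added configuration example; it is not from the original thread. Interface numbers follow the OP's g1/0/1<->g1/1 and g1/0/2<->g1/2 pairing; all IP addresses, the 10.10.0.0/16 LAN summary, the object names and the single DMZ server port are assumed values, and the ASA side assumes 8.3+ object NAT syntax.

```cisco
!=== Core switch (Catalyst IOS): hypothetical addresses ===
ip routing
!
! Routed /30 link to the ASA "inside" interface
interface GigabitEthernet1/0/1
 description Link to ASA g1/1 (inside)
 no switchport
 ip address 10.255.255.1 255.255.255.252
!
! LAN SVIs stay on the core; LAN-to-LAN routing never touches the ASA
interface Vlan10
 description Users
 ip address 10.10.10.1 255.255.255.0
!
! The DMZ VLAN is layer 2 only on the core: deliberately NO "interface Vlan999".
! An SVI here would let the core route LAN<->DMZ directly and bypass the firewall.
vlan 999
 name DMZ
!
interface GigabitEthernet1/0/2
 description Link to ASA g1/2 (dmz)
 switchport mode access
 switchport access vlan 999
!
interface GigabitEthernet1/0/20
 description DMZ server (example port)
 switchport mode access
 switchport access vlan 999
!
! Everything the core does not know (DMZ, Internet, VPN) goes to the ASA inside IP
ip route 0.0.0.0 0.0.0.0 10.255.255.2

!=== ASA (9.x): hypothetical addresses ===
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 10.255.255.2 255.255.255.252
!
interface GigabitEthernet1/2
 nameif dmz
 security-level 50
 ip address 192.168.99.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! The LAN subnets sit behind the core, so the ASA needs a route back to them
route inside 10.10.0.0 255.255.0.0 10.255.255.1
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT LAN and DMZ to the outside address; no NAT rule between inside and dmz,
! so those flows keep real addresses and are policed by security level / ACL
object network LAN-NETS
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
object network DMZ-NET
 subnet 192.168.99.0 255.255.255.0
 nat (dmz,outside) dynamic interface
```

With no access-group applied, the ASA's default behaviour applies: inside (100) may initiate to dmz (50) and outside (0), dmz may initiate to outside, and dmz may not initiate to inside. The check worth doing after cutover is to ping a DMZ host from a LAN host and confirm the flow appears in `show conn` on the ASA; if it does not, the core still has an SVI in VLAN 999 (or a more specific route for the DMZ subnet) and is forwarding around the firewall.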

Normally you would create a Layer 2 port-channel from the core to the ASA and run sub-interfaces on the port-channel, making them the default gateways for the networks downstream, but you had better make sure your firewall can handle this. Your other option is to make what's called "egress networks". But this usually requires VRFs, because if the network sits in the same routing table and is known via "connected", it will never have to leave the core. So you can break up your networks into multiple VRFs and then make Layer 3 egress networks from the core to the firewall and route there. So for a network sitting inside VRF-RED, its default gateway would be the SVI of the core, but its default route would be the ASA IP of the Layer 3 egress network, and the ASA would then route it to the DMZ or other networks that connect to the core.

It sounds like you have an 'inside' network consisting of various VLANs that terminate on a core L3 switch. I assume these are all the same 'security level', therefore no filtering between them? You then also have some DMZ VLANs that currently terminate on the same L3 core switch, but you want to put a firewall between them that also provides your Internet access?

Depending on your DMZ requirements, I would either just terminate the DMZ VLANs on sub-interfaces on the ASA (using an 802.1Q trunk on the switch connecting to the ASA); you can then apply security policy and NAT between your inside network, each DMZ and the Internet connection.

Or, if your DMZs are the same security level (unlikely?), you could deploy VRF-lite on the core switch and have the ASA act as the 'inter-VRF' router.

I'd be concerned over it being a single ASA and a single core switch TBH.
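The sub-interface variant from the last two replies (DMZ VLANs trunked to the ASA, one sub-interface and one policy per DMZ), as an added example that is not the thread's own configuration. It assumes two DMZ VLANs, 901 and 902, carried on the OP's g1/0/2<->g1/2 link; that the inside side is already a routed link to the core and the outside interface is already named `outside`; and that the shared DNS and authentication services the OP mentions live on a single LAN host, 10.10.10.5. VLAN numbers, addresses, object names and port list are all assumptions.

```cisco
!=== Core switch: DMZ VLANs are layer 2 only, trunked to the ASA ===
vlan 901
 name DMZ-WEB
vlan 902
 name DMZ-MAIL
!
! No "interface Vlan901" / "interface Vlan902" on the core: the ASA sub-interfaces
! are the only gateways, so every DMZ packet has to cross the firewall.
! (On older Catalyst platforms add "switchport trunk encapsulation dot1q" first.)
interface GigabitEthernet1/0/2
 description 802.1Q trunk to ASA g1/2
 switchport mode trunk
 switchport trunk allowed vlan 901,902
 switchport nonegotiate

!=== ASA: one sub-interface and one security policy per DMZ VLAN ===
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet1/2.901
 vlan 901
 nameif dmz-web
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/2.902
 vlan 902
 nameif dmz-mail
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Equal security levels, and "same-security-traffic permit inter-interface" left
! off: dmz-web <-> dmz-mail is dropped before any ACL is consulted.
!
object network DMZ-WEB-NET
 subnet 192.168.1.0 255.255.255.0
 nat (dmz-web,outside) dynamic interface
object network DMZ-MAIL-NET
 subnet 192.168.2.0 255.255.255.0
 nat (dmz-mail,outside) dynamic interface
!
! Shared services on the LAN (hypothetical DC/DNS host) and the ports they need
object-group network LAN-SHARED-SERVICES
 network-object host 10.10.10.5
object-group service DNS-AND-AUTH
 service-object udp destination eq domain
 service-object tcp destination eq domain
 service-object udp destination eq 88
 service-object tcp destination eq 88
 service-object tcp destination eq ldap
 service-object tcp destination eq 636
!
! Per-DMZ inbound policy: shared services on the LAN, then the Internet, nothing
! else (the rest of the LAN and the other DMZ ranges are denied explicitly)
access-list DMZ-WEB-IN extended permit object-group DNS-AND-AUTH object DMZ-WEB-NET object-group LAN-SHARED-SERVICES
access-list DMZ-WEB-IN extended deny ip object DMZ-WEB-NET 10.0.0.0 255.0.0.0
access-list DMZ-WEB-IN extended deny ip object DMZ-WEB-NET 192.168.0.0 255.255.0.0
access-list DMZ-WEB-IN extended permit ip object DMZ-WEB-NET any
access-group DMZ-WEB-IN in interface dmz-web
!
access-list DMZ-MAIL-IN extended permit object-group DNS-AND-AUTH object DMZ-MAIL-NET object-group LAN-SHARED-SERVICES
access-list DMZ-MAIL-IN extended deny ip object DMZ-MAIL-NET 10.0.0.0 255.0.0.0
access-list DMZ-MAIL-IN extended deny ip object DMZ-MAIL-NET 192.168.0.0 255.255.0.0
access-list DMZ-MAIL-IN extended permit ip object DMZ-MAIL-NET any
access-group DMZ-MAIL-IN in interface dmz-mail
```

Two checks before trusting the isolation: `packet-tracer input dmz-web tcp 192.168.1.10 1025 192.168.2.10 25` should end in a drop (same-security-level interfaces), and `packet-tracer input dmz-web udp 192.168.1.10 1025 10.10.10.5 53` should be allowed by DMZ-WEB-IN. If a later requirement does need one DMZ to reach another, enable `same-security-traffic permit inter-interface` and add an explicit permit above the deny lines rather than raising one DMZ's security level, which would silently open it to the other.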

 
