I'm looking at a topology where I have a layer 3 core switch that hosts a SVI for each vlan. I have many 'LAN' vlans where I have computers, voice, wifi etc then I have a number of DMZ vlans also with SVI's on the core switch but I want to use the ASA as a firewall between the LAN and DMZ vlans, along with the ASA being the default gateway for the network and hosting the internet connection.
Is this achievable or are there flaws to this design.
I sort of envisage it being a single trunk between the L3 switch and ASA, g1/0/1<->g1/1 and then potentially another trunk for the DMZ g1/0/2<->g1/2 with g1/3 being the internet on the ASA. Typically the DMZ subnets will be isolated however there is a core set of services required across all of them (internet DNS and authentication).
I am looking at a single ASA so no standby config considerations, its also a single core switch which makes it a tad easier.
I am looking for recommendations on simple designs that will allow me to firewall off the LAN from DMZ, the DMZs from each other and also NAT out to the internet and VPN endpoints.
Thanks in advance,
Yes you can do for instance a routed port on your core with a /30 subnet and connect the other end to the ASDA as inside network. then default gateway on the coreswitch is the inside IP of the ASA's IP in the /30.
for your DMZ create a vlan, say 999 calll it DMZ. do not put an IP address on the core switch in this VLAN. connect the core to the ASA;s DMZ physical interface (leaving it in vlan 999). put an IP address in the DMZ interface iof the ASA and use it as the default GW for all DMZ machines.
It sounds like you have an 'inside' network consisting of various VLANs that terminate on a core L3 switch. I assume these are all the same 'security level' therefore no filtering between them? You then also have some DMZ VLANs that currently terminate on the same L3 core switch but you want to put a firewall between them that also provides your Internet access?
Depending on your DMZ requirements then I would either just terminate the DMZ VLANs on sub-interfaces on the ASA (using a 802.1q trunk on the switch connecting to the ASA). You can then apply security policy & NAT between your inside network and each DMZ and the Internet connection.
If your DMZ's are the same security level (unlikely?) you could deploy VRF-lite on the core switch and have the ASA act as the 'inter-VRF' router.
I'd be concerned over it being a single ASA and a single core switch TBH.