Introducing ASA firewall to control traffic between VLANs

n_parshina
Level 1

I was advised to repost this subject here, so giving it a try:

Hello!

Although I've seen similar discussions, I'd like to request help in my particular scenario.

We have a data center with servers set up for different projects, some servers from partner companies and several small LANs. The traffic between all those needs to be controlled and firewalled. The servers and LANs are divided into different subnets and VLANs. Physically, their traffic is aggregated on a couple of 4506 and then sent to a FreeBSD server, where the logical gateways are set up and traffic is filtered between them.

The BSD server is dying and having it there is incorrect in the first place, so we are planning to replace it with two ASA (5520) in failover.

The question that arises is how to correctly implement firewalling between VLANs. Originally we thought to set up the firewalls in transparent mode and logically terminate VLANs on a stack of 3750 switches behind them, but would that filter the traffic between the VLANs? Then we thought to perhaps terminate the VLANs on the ASAs, use routing mode, and do filtering there, as well. Or should we implement multiple contexts? We have about 20 VLANs and all of them differ in rules of what should go there. None of this can be considered an "inside" - trusted - zone, nor "outside". Internet and external links are connected and filtered in a different place.

Could someone please explain and advise?

Thanks in advance.

2 Replies

zujalal
Cisco Employee

It is a common practice to have internal firewalling for servers especially if they belong to different customers or projects as in your case. I would suggest going for multiple contexts. Move the default gateways of the servers from the BSD server to interfaces/subinterfaces on the ASA. In case of multiple contexts, you would have to cater to the possibility of routing traffic between the contexts (if there is a need for two contexts to talk to each other). This can be done via an L3 device or a directly shared interface between the contexts. Doing it via an L3 device is much simpler. So every context would have the inside interface (the actual VLAN) and an outside interface (the shared interface towards the L3 device, although you can use dedicated VLAN interfaces as well).

Hi

I apologise for taking the longest time to reply.

Thank you for your suggestions. We've played around with it a bit and realized that it seems somewhat impractical - almost all of our projects (contexts) need to talk to each other. The traffic, though, should be limited and only on certain ports and certain hosts.

When trying to create a context for several projects we found it hard to implement the logic of inside/outside, since, say, 20 subnets all interact with each other.

The only thing we came up with is having each subnet as an "inside" network, and the "outside" for all would be a common subnet going to a router, for example. It would serve as a medium for all communication between projects.
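The design both replies converge on (one context per project, its VLAN as "inside", a common subnet toward a router as "outside", and explicit per-host, per-port rules in both directions) looks roughly like the following. This is an added illustration, not configuration from this thread or from Cisco; the interface names, VLAN numbers, context names and all addresses (10.10.0.0/24, 10.20.0.0/24, 10.0.0.0/24) are constructed, and it assumes an ASA in multiple-context routed mode with the default of NAT control disabled, so no NAT statements are needed between projects.

```cisco
! ===== System execution space (shared by all contexts) =====
mode multiple
!
! Each context gets a different MAC on the shared outside link so the
! ASA can classify packets arriving from the router (assumed: mac-address auto).
mac-address auto
!
interface GigabitEthernet0/0
 description trunk from the 4506 carrying the project VLANs
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
!
interface GigabitEthernet0/0.20
 vlan 20
!
interface GigabitEthernet0/1
 description common subnet toward the L3 device (router) - shared by all contexts
 no shutdown
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context projectA
 allocate-interface GigabitEthernet0/0.10 inside
 allocate-interface GigabitEthernet0/1 outside
 config-url disk0:/projectA.cfg
!
context projectB
 allocate-interface GigabitEthernet0/0.20 inside
 allocate-interface GigabitEthernet0/1 outside
 config-url disk0:/projectB.cfg

! ===== Inside context projectA (changeto context projectA) =====
hostname projectA
!
interface inside
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface outside
 nameif outside
 security-level 0
 ip address 10.0.0.11 255.255.255.0
!
! Default route to the router; the router knows every project subnet
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
!
! Traffic from other projects arrives on outside: permit only listed
! host/port pairs, log everything else that is dropped.
access-list OUTSIDE_IN extended permit tcp host 10.20.0.5 host 10.10.0.20 eq 443
access-list OUTSIDE_IN extended permit tcp 10.20.0.0 255.255.255.0 host 10.10.0.30 eq 5432
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The security-level 100 on inside would otherwise let everything out.
! Since no project is trusted, restrict the outbound direction too.
access-list INSIDE_IN extended permit tcp 10.10.0.0 255.255.255.0 host 10.20.0.5 eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! ===== The L3 device on the common subnet (IOS, e.g. a 3750) =====
interface Vlan100
 description common subnet; each context's outside address lives here
 ip address 10.0.0.1 255.255.255.0
!
ip route 10.10.0.0 255.255.255.0 10.0.0.11
ip route 10.20.0.0 255.255.255.0 10.0.0.12
```

Two points follow from the design rather than from the syntax. First, a packet from project B to project A traverses two contexts (B's inside ACL, then A's outside ACL), so a flow must be permitted in both places; keeping the inbound rule set per context and the outbound rule set per context in the same shape makes that easy to audit. Second, the `deny ip any any log` lines are what turn the ASA into a detection point: every cross-project attempt that is not on the allow list produces a syslog, which replaces the visibility the old BSD box gave you.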
