Help with networking design with Cisco ASA 5508

OctavioRocha
Level 1

Hi everyone.

I'm setting up an ASA5508 to control my office network, as follows:

2 public IPs from my ISP connection link

ASA5508 will handle all the traffic, from Internet to LAN, and LAN to Internet.

A management subnet for printers, VoIP, and so on.

Operations works with notebooks connected via Cisco Aironet 3800, and has a VLAN (HQ10, HQ20, HQ30, HQ40) for each department; these VLANs can't communicate with each other, but all of them need to access the management subnet for printers and other resources.

The subnet for VLAN 40 is for guest Wi-Fi (mobiles, tablets), and must not access any other subnets.

I'm attaching a diagram with my intended topology to clarify things.

Can anyone take a look at my design and help me? Are these trunk ports really needed, or can the ASA handle this topology and the proposed settings in other ways?

11 Replies

Andrew Khalil
Spotlight

Hello OctavioRocha,

Greetings,

Actually I don't have this problem, but I pressed that button by mistake while reading!

Anyway, can you please let me know what switches you are using, so that we can understand the hardware limitations or even the supported features that we can take into account during the design?

Bst Rgds,

Andrew Khalil

Hi Andrew, thank you for your reply.

Well, unfortunately I wouldn't be able to do much with these switches, since they are two old 50-port 3Com 2250 (10/100 + 2 1000).

My requirements are quite simple: I just need to pass traffic and ensure that all Wi-Fi will be available for connections in each sector with its VLAN (HQ10, 20, and so on).

Thanks a lot.

Hello @OctavioRocha,

According to what I have understood, you have these VLANs:

1- for departments:

Vlan 10

Vlan 20

Vlan 30

Vlan 40

2- for management:

Vlan XX

3- for guests:

Vlan YY

And you would like to:

1- allow all department VLANs to access the management VLAN and the Internet.

2- not allow the department VLANs to access each other.

3- allow the guest VLAN to access only the Internet.

If so, please confirm!

Bst Rgds,

Andrew Khalil

Hi, Andrew.

 

Yes, you are correct, that's exactly what I want to do.

Seb Rupik
VIP Alumni

Hi there,
What you propose is fine. The only tweak I would make to your topology is to run port-channels between both switches and between SW2 and the ASA. This is especially important for the inter-VLAN traffic (albeit only between the HQ and management VLANs), which will be going up and down that single 1Gb link. A 2Gb port-channel may mitigate future congestion.

What model switches are SW1 and SW2? Are they multi-layer switches?
I personally would be tempted to move the routing for the internal VLANs (except for guest wifi) onto one of these switches. You will get superior performance if one of these devices does the inter-VLAN routing. Also since your inter-VLAN security requirements are very simple the stateless ACLs provided by the switch will be easy to configure.

Let us know the model of SW1 and SW2 and we can look at a bit of topology tweaking.

cheers,
Seb.

Hello

I would agree with @Seb Rupik: if the switches are of a decent specification, then have them perform the inter-VLAN routing and, if applicable, have two ASAs in HA mode with dual connections to/from the core switch(es).

At present your current topology is open to single points of failure from the ASA and the switch connected to the ASA.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Seb,

These switches are two old 3Com 10/100 + 2p 1000, so I will just tag the VLANs on them and nothing else; I intend to control all the traffic with the ASA.

In my latest test, I was able to set up the VLANs and make all of them connect and reach the ASA sub-interface IP address for each one.

My problem is the Internet connection: only the HQ10 (VLAN 10 - interface Gi1/2.10) Wi-Fi is reaching the Internet; the others (HQ20, 30, 40 - VLANs 20, 30, 40 - Gi1/2.20, Gi1/2.30, Gi1/2.40 respectively) reach the ASA sub-interface IP but not the Internet.

I can attach my ASA configuration file here for you to analyze, if that is any help; please let me know if you agree and I'll do that.

I appreciate any help.

Thanks for your attention.
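As an added example (not part of this thread and not OctavioRocha's actual configuration), here is one ASA 9.x configuration that implements the three requirements confirmed earlier in the thread (department VLANs reach the management subnet and the Internet but not each other; the guest VLAN reaches only the Internet) on the Gi1/2 sub-interfaces named above, and gives every inside subnet a NAT rule for Internet access, which is the first thing to check when one VLAN reaches the Internet and the others stop at their sub-interface gateway. Interface names, VLAN 99 for management, the RFC 1918 summary, and all addresses are assumptions; the VLAN numbering follows the original post (10/20/30 departments, 40 guest).

```cisco
! Added example: ASA 9.x "router on a stick" on Gi1/2. Addresses, VLAN 99
! and the outside addressing are assumed, not taken from the thread.
! The switch port facing Gi1/2 must be a tagged trunk carrying 10,20,30,40,99.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2.10
 vlan 10
 nameif HQ10
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/2.20
 vlan 20
 nameif HQ20
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet1/2.30
 vlan 30
 nameif HQ30
 security-level 50
 ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet1/2.40
 vlan 40
 nameif GUEST
 security-level 10
 ip address 192.168.40.1 255.255.255.0
!
interface GigabitEthernet1/2.99
 vlan 99
 nameif MGMT
 security-level 80
 ip address 192.168.99.1 255.255.255.0
!
object-group network DEPARTMENTS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
object network MGMT-NET
 subnet 192.168.99.0 255.255.255.0
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Department policy: management subnet first, then everything that is not
! private address space (i.e. the Internet). The deny catches other
! departments and the guest subnet; the implicit deny at the end catches the rest.
access-list DEPT_IN extended permit ip object-group DEPARTMENTS object MGMT-NET
access-list DEPT_IN extended deny ip any object-group RFC1918
access-list DEPT_IN extended permit ip object-group DEPARTMENTS any
!
! Guest policy: Internet only.
access-list GUEST_IN extended deny ip any object-group RFC1918
access-list GUEST_IN extended permit ip 192.168.40.0 255.255.255.0 any
!
access-group DEPT_IN in interface HQ10
access-group DEPT_IN in interface HQ20
access-group DEPT_IN in interface HQ30
access-group GUEST_IN in interface GUEST
!
! Departments share security-level 50 and same-security-traffic is NOT enabled,
! so HQ-to-HQ traffic is dropped even before the ACL is consulted.
!
! One PAT rule covering every inside subnet towards outside. A NAT rule whose
! real interface names only one sub-interface (e.g. nat (HQ10,outside) ...) is
! the classic reason one VLAN reaches the Internet while the others only reach
! the ASA. Traffic towards MGMT egresses on MGMT, so this rule does not touch it.
object network INSIDE-ALL
 subnet 192.168.0.0 255.255.0.0
 nat (any,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Verification, one per sub-interface (hosts .50 are assumed test clients):
!   packet-tracer input HQ20 tcp 192.168.20.50 45000 8.8.8.8 80 detailed
!   packet-tracer input HQ20 tcp 192.168.20.50 45000 192.168.99.10 9100 detailed
!   packet-tracer input HQ20 tcp 192.168.20.50 45000 192.168.30.50 445 detailed
!   packet-tracer input GUEST tcp 192.168.40.50 45000 192.168.99.10 9100 detailed
!   show nat detail
```

In the packet-tracer output, the first two traces should end with `Action: allow`, and the Internet-bound one should include a NAT phase that names the INSIDE-ALL rule; the last two should end with `Action: drop` and name the access-list (or, for HQ-to-HQ, the same-security check) as the drop reason. If an Internet-bound trace from a department VLAN allows the flow but skips the NAT phase, the packet leaves with its private source address and the reply never comes back, which matches the symptom of reaching the sub-interface gateway but not the Internet. `show nat detail` should show the translate_hits counter for INSIDE-ALL increasing for every VLAN, not just one.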

Can you try attaching the ASA config again.

Hi Seb,

Here is the ASA running configuration.

I omitted some of the information, because there are public IPs and names of my clients in the IPsec VPN sessions, but the rest of the file is exactly what is configured in my ASA device.

If there's any doubt, please let me know so I can clarify.

And once again, thank you for your attention.

Hi there,

Can you run the following commands from the CLI and share the output:

packet-tracer input operaco tcp 192.168.70.2 45000 8.8.8.8 80 det

packet-tracer input IoT tcp 192.168.3.4 45000 8.8.8.8 80 det

cheers

Seb.

Hi people.

After a while I was able to solve my problems here. There was a trunk error in my switches; after solving this everything worked fine.

Thanks for all your insights.
