I have a Cisco ASA 5505 with security plus license. I have been tasked with setting up a sg-300 in layer 3 mode to handle the inter-vlan routing instead of the asa. I'm new to cisco, I cut my teeth on Brocade and foundry and the ASA is a beast on its on. So far I have inter-vlan routing working on the switch but need advice on the asa to sg300 connection. Currently I have the asa with interfaces(inside,outside,) looking to dmz later a pass through to the sg300. My question is how should the connection to asa to sg300 be handled.
Thanks for the clarification that devices connected to SG do successfully access the Internet. So the default gateway appears to be the correct approach on the SG (quite different from the IOS routers and switch with which I am more familiar)
Have you removed the address translation command as I suggested?
Yes the sg300 is like a IOS-Lite... not sure if that is real but it is a stripped down version of what would be on a catalyst switch or IOS based router. Yes now the vpn is working like intended. Next question is for the dmz should I just create dmz vlan on the sg300 and just use acls on the switch to lock down the vlan.
Glad to hear that now the VPN is working. So that leaves the DMZ and some cleanup to be done. Part of the DMZ will be easy. On the switch have a DMZ vlan (layer 2). Assign a SG port to that vlan and connect that access port to an interface on the ASA. Assign other ports on SG in the DMZ vlan for device connection as needed. On the ASA interface configure the interface for DMZ (IP address, security level, and configure whatever security policies you need for the DMZ.
Enforcing separation of DMZ from users will be a bit more challenging. If we had an IOS device we could possibly use something like VRF lite or like Policy Based Routing to restrict user access to the DMZ and control access from DMZ to users. I doubt that things like that are available on SG. The ASA will be the better place to enforce restrictions for access to DMZ resources. We can do that by not allowing the SG to route between user subnets and the DMZ. You can accomplish this by not configuring an SVI for the DMZ vlan on the SG. The SG might have a route for the subnet of DMZ (similar to the route that you have for VPN subnet) or it might be sufficient for the SG to use the default route. Anyway when a user wants to access the DMZ we need the SG to use the ASA as the next hop to access the DMZ. And if any device in DMZ wants to access inside subnets we need that device to send its traffic using the ASA rather than routing directly between DMZ and user subnets.
It is tempting to think about configuring access lists etc on the SG to enforce security. But that really would be pretty difficult and might not work so well. I believe that not having an SVI for DMZ on SG will be a more effective solution.
When my vpn session is active I am showing that the tunnel is inactive on the client. I'm using cisco vpn client. VPN works and I can ping and remote desktop into host. Should this be a concern?
If you are able to make connections through the VPN and to pass traffic through it then I would not think that this is a concern.