Basic Design Question - Firewall Router segment

Network.Support
Level 1

I'm at a new place and have to re-do the current LAN. Small office, 80-100 users. Existing setup is a flat network, no QoS, no VLANs. I have already replaced an older PIX with a new ASA (5525-X) and added a DMZ.

I am currently trying to draw up a proposed design, which currently will be a single firewall, multiple VLANs (user, server, voice, guest). My question is regarding the link between the core router (L3 switch, whatever) and the firewall. I'm thinking the correct setup is to have a separate /30 subnet on the interfaces between the firewall and router as below, and then the router will just have a default route of 0.0.0.0 0.0.0.0 10.1.100.2. Is this correct?

Internet-------Firewall-(10.1.100.2/30)----------------------------(10.1.100.1/30) --Router ----(10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, etc)

Thanks,

3 Replies

Kelvin Willacey
Level 4

That should work fine, as long as the firewall knows how to route traffic to the internal subnets.

stephen.stack
Level 4

Your design is good. But as for the subnet between the core (router or L3 switch - switch preferred) and the edge FW, I suggest something a little larger than a /30, like a /28. You may want to add a standby FW in a few months or years, or a new WAN connection to that 'demarc' subnet at some point. It's good practice to leave some room for growth, even if you don't foresee it right now.

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful
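The two replies above describe the design in words; the following is an added configuration example (not from the original poster or the repliers) that puts both points into ASA and IOS syntax: the transit subnet widened to a /28, static return routes on the ASA for every internal VLAN, and a single default route on the L3 switch. Interface names, VLAN IDs, the guest subnet 10.1.4.0/24 and the ISP next hop 203.0.113.1 are assumptions, not values from the thread.

```cisco
! --- ASA 5525-X: inside-facing transit interface and return routes ---
! Transit subnet is 10.1.100.0/28 (assumed, per the /28 suggestion above):
! .1 = L3 switch, .2 = ASA, .3-.14 left free for a standby ASA or a second WAN box.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.100.2 255.255.255.240
!
! The ASA only knows its directly connected subnets, so every internal VLAN
! behind the switch needs a static route whose next hop is the switch side
! of the transit link. Without these, return traffic follows the ASA's
! default route back out to the internet and the design "almost" works.
route inside 10.1.1.0 255.255.255.0 10.1.100.1
route inside 10.1.2.0 255.255.255.0 10.1.100.1
route inside 10.1.3.0 255.255.255.0 10.1.100.1
route inside 10.1.4.0 255.255.255.0 10.1.100.1
! Default route toward the ISP (next-hop address is an assumed value).
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! --- L3 core switch (IOS): routed uplink, SVIs, default route ---
ip routing
!
interface GigabitEthernet1/0/1
 description Uplink to ASA inside (routed port, not a VLAN)
 no switchport
 ip address 10.1.100.1 255.255.255.240
!
interface Vlan10
 description Users
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
 description Servers
 ip address 10.1.2.1 255.255.255.0
!
interface Vlan30
 description Voice
 ip address 10.1.3.1 255.255.255.0
!
interface Vlan40
 description Guest
 ip address 10.1.4.1 255.255.255.0
!
! Everything the switch has no connected route for goes to the ASA.
ip route 0.0.0.0 0.0.0.0 10.1.100.2
```

After applying this, `show route` on the ASA should list the four internal /24s via 10.1.100.1, and `show ip route` on the switch should show only connected routes plus the static default. One caveat worth keeping in mind with this layout: because the switch routes between VLANs itself, guest-to-user or guest-to-server traffic never reaches the ASA, so if the guest VLAN is meant to be isolated it needs either an ACL on the guest SVI or its own firewall interface rather than an SVI on the core.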


Hello Travis,

Design is fine. For the DMZ you have to configure proper ACLs according to your needs: what traffic to allow from the FW to the DMZ, and access from within your internal network.

Regards,

Shahzad
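As an added example of the DMZ access control this reply refers to (written for this page, not configuration from the thread), the ASA policy below publishes one DMZ web server to the internet while preventing the DMZ from initiating anything toward the internal VLANs. The DMZ subnet 10.1.50.0/24, the server 10.1.50.10, the public address 203.0.113.10, the admin subnet and the object names are all assumptions.

```cisco
! --- ASA: DMZ interface (assumed addressing) ---
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.50.1 255.255.255.0
!
! The published host, with its static NAT (ASA 8.3+ ACLs use the real address).
object network DMZ-WEB
 host 10.1.50.10
 nat (dmz,outside) static 203.0.113.10
!
object-group network INTERNAL-NETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
 network-object 10.1.4.0 255.255.255.0
 network-object 10.1.100.0 255.255.255.240
!
object network ADMIN-HOSTS
 subnet 10.1.2.0 255.255.255.0
!
! Outside -> DMZ: only the published service; everything else is dropped and logged.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! DMZ -> anywhere: once an ACL is bound to an interface it replaces the
! security-level default, so this list is the whole policy. The deny toward
! INTERNAL-NETS comes first so a compromised DMZ host cannot pivot inward.
access-list DMZ_IN extended deny ip any object-group INTERNAL-NETS log
access-list DMZ_IN extended permit tcp object DMZ-WEB any eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Inside -> DMZ: only the admin subnet may manage the server; other internal
! hosts reach the DMZ on the published port only, and all other inside
! traffic keeps flowing (the final permit preserves normal internet access).
access-list INSIDE_IN extended permit tcp object ADMIN-HOSTS object DMZ-WEB eq 22
access-list INSIDE_IN extended permit tcp any object DMZ-WEB eq 443
access-list INSIDE_IN extended deny ip any 10.1.50.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

Check the result with `packet-tracer input dmz tcp 10.1.50.10 12345 10.1.2.10 445` (should be dropped by DMZ_IN) and `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443` (should be allowed and translated to 10.1.50.10); `show access-list` then shows hit counts on each line so unused rules can be pruned.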
