Multiple 'security zones' - ASA and Catalyst 3750G

Hello,

I have an ASA 5505 with the security plus licence and a Catalyst 3750G. I'm fairly new to this so please bear with me.

I want to set up a network with multiple VLANs, some of which can communicate freely with each other, some of which can only communicate over certain ports/protocols, and some of which cannot communicate with each other. For example, let's say I want the following:
VLAN 4 - 192.168.4.0/24
VLAN 5 - 192.168.5.0/24
VLAN 10  - 192.168.10.0/24
VLAN 11 - 192.168.11.0/24
VLAN 100 - 192.168.100.0/24

VLANs 4,5 are completely open to each other
VLANs 10,11 are completely open to each other
VLANs 4,5 CANNOT reach VLANs 10,11 and vice versa
VLANs 4,5,10,11 can hit VLAN 100 over say 445-tcp

I know that I can just leave the 3750 in L2 and set all the default gw's to the ASA - but my understanding is this is very inefficient. I also know that I can just create all VLANs on the switch, enable IP routing, use ACLs and use a trunk port to the ASA's 'inside' interface for internet access - but my understanding is this isn't very secure.

Therefore, is there a way to create, for lack of a better word, multiple inter-VLAN "zones" on the switch so that ACLs can be created/controlled on the ASA, but at the same time not have all traffic routed by the ASA?

Can this be accomplished? Does it make sense?

When doing some googling, the idea of VRF and SVI seemed to crop up - but I don't completely understand if this is correct, nor how to configure it.

If so, I would be much obliged if someone could provide configuration examples for both devices!!!

Kind Regards,
Robert

1 Reply

Boris Uskov
Level 4

Hello, Robert.

It is impossible to control traffic by ASA without redirecting traffic to ASA. So, if you want to control traffic on ASA, you have to create subinterfaces on ASA, which will be the default gateways for your internal networks.

But you are absolutely correct in saying that it is inefficient.

From my point of view, in your case the best way is to enable ip routing on the 3750 and configure ACLs. I think it is a secure enough decision for your task.

If you had a task, for example, to provide access from vlan 4 to vlan 5, but to restrict access from vlan 5 to vlan 4, you would need to use the ASA for this. In other words, if traffic is originated from vlan 4 to vlan 5, the responding packets from vlan 5 to vlan 4 should be permitted dynamically (firewall functionality). But if traffic is originated from vlan 5 to vlan 4, such packets should be dropped. But, if I understand your task correctly, you don't have such a task, so ACLs on the 3750 would be enough for security.


And one more thing. If you are planning to make some resources from your internal network available from the Internet, you should move those resources to a separate Vlan, called DMZ. And for this Vlan you should use ASA as default gateway and restrict the access from this Vlan to other internal networks by ASA as firewall.
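The following is an added configuration example (not posted by either participant) that implements the policy from the original question the way the reply recommends: SVIs and `ip routing` on the 3750G, with stateless router ACLs enforcing the zones, and the ASA only seeing traffic bound for the Internet. The VLAN IDs and subnets are the ones from the question; the SVI addresses (.1 in each subnet), the transit link between the switch and the ASA (routed port Gi1/0/1, 192.168.1.0/30, switch .2, ASA inside .1) and the ACL names are assumptions chosen for the example.

```cisco
! ---- Catalyst 3750G (added example, not from the thread) ----
ip routing
!
vlan 4,5,10,11,100
!
! Zone A: VLANs 4 and 5 (open to each other, SMB to VLAN 100, Internet via ASA)
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
 ip access-group ZONE-A-IN in
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
 ip access-group ZONE-A-IN in
!
! Zone B: VLANs 10 and 11 (same shape, mirrored)
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group ZONE-B-IN in
interface Vlan11
 ip address 192.168.11.1 255.255.255.0
 ip access-group ZONE-B-IN in
!
! Shared services: VLAN 100
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip access-group VLAN100-IN in
!
! Routed transit link to the ASA inside interface (assumed addressing)
interface GigabitEthernet1/0/1
 no switchport
 ip address 192.168.1.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Inbound ACLs are evaluated top-down; the implicit deny at the end never
! fires here because the last line hands everything else to the ASA.
ip access-list extended ZONE-A-IN
 permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit tcp 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 445
 permit tcp 192.168.5.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 445
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.11.0 0.0.0.255
 deny   ip any 192.168.100.0 0.0.0.255
 deny   ip any 192.168.1.0 0.0.0.3
 permit ip any any
!
ip access-list extended ZONE-B-IN
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit tcp 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 445
 permit tcp 192.168.11.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 445
 deny   ip any 192.168.4.0 0.0.0.255
 deny   ip any 192.168.5.0 0.0.0.255
 deny   ip any 192.168.100.0 0.0.0.255
 deny   ip any 192.168.1.0 0.0.0.3
 permit ip any any
!
! VLAN 100 may only answer the SMB sessions opened by the other zones.
! "established" matches ACK/RST flags only: this is stateless, which is the
! gap the reply describes (a one-way policy needs a stateful ASA instead).
ip access-list extended VLAN100-IN
 permit tcp 192.168.100.0 0.0.0.255 eq 445 192.168.4.0 0.0.0.255 established
 permit tcp 192.168.100.0 0.0.0.255 eq 445 192.168.5.0 0.0.0.255 established
 permit tcp 192.168.100.0 0.0.0.255 eq 445 192.168.10.0 0.0.0.255 established
 permit tcp 192.168.100.0 0.0.0.255 eq 445 192.168.11.0 0.0.0.255 established
 deny   ip any 192.168.4.0 0.0.0.255
 deny   ip any 192.168.5.0 0.0.0.255
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.11.0 0.0.0.255
 permit ip any any

! ---- ASA 5505 side (added example; only the pieces the design needs) ----
! The ASA never sees inter-VLAN traffic; it only needs to know the internal
! subnets live behind the switch so return traffic from the Internet routes back.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.252
route inside 192.168.4.0 255.255.255.0 192.168.1.2
route inside 192.168.5.0 255.255.255.0 192.168.1.2
route inside 192.168.10.0 255.255.255.0 192.168.1.2
route inside 192.168.11.0 255.255.255.0 192.168.1.2
route inside 192.168.100.0 255.255.255.0 192.168.1.2
```

Two checks are worth running after applying this: `show ip access-lists` on the 3750 confirms hit counters climbing on the expected `permit`/`deny` lines as hosts test each path, and `show running-config interface Vlan4` confirms the ACL is attached. Because the switch ACLs are stateless, anything that must be permitted in one direction only (the VLAN 4 to VLAN 5 case in the reply, or a DMZ) should have its default gateway on the ASA rather than on an SVI, exactly as the reply suggests.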