Replacing SonicWall Pro 3060 with ASA5550 - Routing between LANs

pgmanno (Level 1)

Hello,

I'm in need of a bit of help here.  I'm decommissioning my SonicWall PRO 3060 and upgrading to an ASA5550 (we're increasing our WAN link speed to 1Gig and need the 5550).  In any case, I want to copy over the configuration from the PRO to the ASA.  I have everything documented and I've started doing the changeover, but in looking at some other network diagrams on the net I'm seeing router symbols between the LAN switches and the ASA and I'm beginning to worry that I might need routers to do this which, of course, would increase cost quite a bit.

So my question is this: If I have a core switch carved into multiple VLANs and I connect each VLAN to a port on the ASA, will I be able to route and filter traffic from VLAN to VLAN through the ASA?  If so how, in general, is this accomplished (I'm betting ACLs).  I think that the ASA will be able to do this easily, but I just want to be sure before I get too far into the configuration of this unit.  The sooner I know if I have the wrong box for this, the better.

Thank you in advance for any help/advice.

Paul

                                  ASA
 --------------------------------------------------------------------------------
 GigE0/0   GigE0/1   GigE0/2   GigE0/3   GigE1/0   GigE1/1   GigE1/2   GigE1/3
    |         |         |         |         |         |         |         |
   WAN    BackupWAN                      VLAN400   VLAN500   VLAN600   VLAN700


4 Replies

Reza Sharifi (Hall of Fame)

Hi Paul,

You don't need to connect each VLAN to a separate physical port. You can simply connect your core switch to the firewall using one port. Then you trunk (802.1q tagging) each side of the connection and use sub-interfaces for each VLAN. This way you don't have to waste all your physical ports, and they can be used in the future for other needs. So, one physical interface with multiple sub-interfaces and 802.1q tagging.

See this link for config example:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1082576

HTH
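A minimal ASA configuration for the trunk-and-sub-interface design described above, combined with the VLAN-to-VLAN filtering the original question asks about. This is an added illustration, not a configuration posted in this thread; the physical interface (GigE1/0), the VLAN numbers 400 and 500 taken from Paul's diagram, the IP addressing, the file server host and TCP port 445 are all assumptions.

```cisco
! Trunk from the core switch lands on GigabitEthernet1/0; one 802.1q
! sub-interface per VLAN instead of one physical port per VLAN.
! The physical interface carries no IP configuration of its own.
interface GigabitEthernet1/0
 no shutdown
!
interface GigabitEthernet1/0.400
 vlan 400
 nameif vlan400
 security-level 50
 ip address 10.0.40.1 255.255.255.0
!
interface GigabitEthernet1/0.500
 vlan 500
 nameif vlan500
 security-level 50
 ip address 10.0.50.1 255.255.255.0
!
! Interfaces with the same security level do not forward to each other
! by default; enable it here and let the ACL below decide what passes.
same-security-traffic permit inter-interface
!
! Inbound policy for hosts in VLAN 400 (addresses and port are assumed):
!  1. allow file transfers to one server in VLAN 500 on TCP/445
!  2. deny and log everything else destined for VLAN 500
!  3. permit the remaining traffic (e.g. towards the WAN interfaces)
access-list VLAN400_IN extended permit tcp 10.0.40.0 255.255.255.0 host 10.0.50.10 eq 445
access-list VLAN400_IN extended deny ip 10.0.40.0 255.255.255.0 10.0.50.0 255.255.255.0 log
access-list VLAN400_IN extended permit ip 10.0.40.0 255.255.255.0 any
access-group VLAN400_IN in interface vlan400
```

With the ACL bound to the sub-interface, every inter-VLAN flow is both routed and filtered by the ASA, and the denied hits show up in the firewall log, which is the visibility the firewall adds over plain switching.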

Hi,

Thanks for the reply.  Yes, I realize I could trunk and use fewer ports but I'm in a high-bandwidth situation where I'm worried that a single interface would get saturated with traffic (I'm in a film production house and we're transporting uncompressed 4k resolution files from interface to interface).  Will the ASA route traffic from interface to interface?

Thanks,

Paul

Hi,

Yes, it will route traffic from interface to interface. If you need high bandwidth throughput to transport files from one port to another, a firewall is not the right product. You need a small switch like a 3560, 3750, etc. to do this for you. These switches can do both layer-2 and layer-3 with much higher throughput.

HTH

Hi again Reza,

Thank you once again for your reply.  Yes, I realize that switching is the way to go, but I'm going to be having things move all over.  Most clients will be switched to one another, and the traffic will not flow through the FW; however, some traffic will originate in the WAN, flowing in, and some will originate in one or more of the LANs flowing out and between.  There is no way around it.

Thank you for your answer.  I figured the ASA would route traffic through, I just started to get concerned when I saw diagrams with routers in there.

All the best,

Paul
