Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
816
Views
0
Helpful
3
Replies

ASA and L3 switch help

The.Sorrow
Level 1
Level 1

‎03-12-2012 10:54 AM - edited ‎03-11-2019 03:41 PM

So i got my hands on a Cisco Adaptive Security Appliance 5505. Nifty little toy I'm trying out, just need some config ideas. What i want to do is set up the ASA as my main gateway to the inter-webs, just not sure how I'm gonna do it. I currently have a pfSense firewall which acts as a perimeter firewall and routes between my four different subnets which are:

10.10.0.0/24 - LAN

10.20.0.0/24 - DMZ

10.30.0.0/24 - Private Wifi

10.40.0.0/24 - Public Wifi

I currently have the DMZ and LAN networks set as vlans on my 3560 switch. No inter-vlan routing or anything crazy (pfSense handles that). I have a couple ideas on how to do this, just wanted to know which one is the best, or if you guys have any better directions.

Idea 1:

http://img99.imageshack.us/img99/8306/plan1z.png

Pretty simple, the way i assume this would work is the ASA would act as my pfSense firewall does. Only thing is i don't think ASAs can do inter-vlan routing or anything else like that. I know that with access lists configured i can trunk the Wifi port and allow only private wifi between vlans, but I'm not sure if the ASA will hold the default gateway IPs or if the switch will be the default gateway and have static routes to the ASA for addresses outside the network. The ports on the switch will be given vlan access depending on the device that is on said port.

Idea 2:

http://img829.imageshack.us/img829/4706/plan2o.png

This one feels kind of Router-on-a-stick level... the switch holds all the inter-vlan routing with EIGRP and access controls will also be the sole responsibility of the switch. Only problem is i cant see how to make NAT and a DMZ work with this idea.

So can a guru please give me a direction to go? I really want to implement this ASA!!!

Labels:
0 Helpful
3 Replies 3

mirober2
Cisco Employee
Cisco Employee

‎03-24-2012 09:03 AM

Hello,

I would recommend idea 1 as it will be much simpler to implement and troubleshoot. The ASA can certainly do inter-VLAN routing. You would set the firewall's IPs as the default gateways for your hosts, and the 3560 would be strictly layer 2.

Idea 2 is certainly valid, but would require that packets enter and leave the firewall on the same VLAN interface. This is possible but makes the configuration more complicated.

-Mike

0 Helpful

patrick.preuss
Level 1
Level 1
In response to mirober2

‎03-24-2012 02:01 PM

Hi

would also vote for idea 1. it is a little overkill to use a 3650 then but ok :-)

-Patrick

0 Helpful

The.Sorrow
Level 1
Level 1

‎03-24-2012 02:24 PM

This conficuration was what I wound up designing. I have a default route to the LAN interface (inside) on the ASA and im trying to use Policy Based Routing to forward outbound traffic on the DMZ to the DMZ interface on the ASA. I also have seperate VLANs for my Public and Private wifi. I'll post a show run from my switch and ASA if that helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card