So I got my hands on a Cisco Adaptive Security Appliance 5505. Nifty little toy I'm trying out, I just need some config ideas. What I want to do is set up the ASA as my main gateway to the inter-webs, I'm just not sure how I'm gonna do it. I currently have a pfSense firewall which acts as a perimeter firewall and routes between my four different subnets, which are:
10.10.0.0/24 - LAN
10.20.0.0/24 - DMZ
10.30.0.0/24 - Private Wifi
10.40.0.0/24 - Public Wifi
I currently have the DMZ and LAN networks set as VLANs on my 3560 switch. No inter-VLAN routing or anything crazy (pfSense handles that). I have a couple of ideas on how to do this, just wanted to know which one is the best, or if you guys have any better directions.
Pretty simple, the way I assume this would work is the ASA would act as my pfSense firewall does. The only thing is I don't think ASAs can do inter-VLAN routing or anything else like that. I know that with access lists configured I can trunk the Wifi port and allow only private Wifi between VLANs, but I'm not sure if the ASA will hold the default gateway IPs or if the switch will be the default gateway and have static routes to the ASA for addresses outside the network. The ports on the switch will be given VLAN access depending on the device that is on said port.
This one feels kind of router-on-a-stick level... the switch holds all the inter-VLAN routing with EIGRP, and access controls will also be the sole responsibility of the switch. The only problem is I can't see how to make NAT and a DMZ work with this idea.
So can a guru please give me a direction to go? I really want to implement this ASA!!!
I would recommend idea 1 as it will be much simpler to implement and troubleshoot. The ASA can certainly do inter-VLAN routing. You would set the firewall's IPs as the default gateways for your hosts, and the 3560 would be strictly layer 2.
Idea 2 is certainly valid, but would require that packets enter and leave the firewall on the same VLAN interface. This is possible but makes the configuration more complicated.
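A worked configuration for idea 1, the layout the reply above recommends (the ASA owns every subnet's gateway address, the 3560 stays pure layer 2). This is an added example, not config posted by anyone in this thread: VLAN numbers, interface names, security levels and switch port numbers are made up, it assumes ASA software 8.3 or later (object NAT syntax) and a Security Plus license (the 5505 Base license allows only three VLAN interfaces, restricts the third one, and has no trunk ports, so four routed subnets need Security Plus), with Ethernet0/0 facing the ISP and Ethernet0/1 trunked to the switch.

```text
! ===== ASA 5505, idea 1: the ASA routes between the four VLANs and is every host's gateway =====
! Assumptions: ASA 8.3+ (object NAT), Security Plus license (Base allows only 3 VLAN
! interfaces, restricts the third, and has no trunk ports), Ethernet0/0 to the ISP,
! Ethernet0/1 as the trunk to the 3560. VLAN numbers, nameifs and security levels are
! made up for this example.
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 nameif dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan30
 nameif privwifi
 security-level 80
 ip address 10.30.0.1 255.255.255.0
!
interface Vlan40
 nameif pubwifi
 security-level 10
 ip address 10.40.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
! Dynamic PAT per subnet, hiding everything behind the outside address (8.3+ object NAT)
object network LAN-NET
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ-NET
 subnet 10.20.0.0 255.255.255.0
 nat (dmz,outside) dynamic interface
object network PRIVWIFI-NET
 subnet 10.30.0.0 255.255.255.0
 nat (privwifi,outside) dynamic interface
object network PUBWIFI-NET
 subnet 10.40.0.0 255.255.255.0
 nat (pubwifi,outside) dynamic interface
!
! Public wifi and the DMZ get Internet only: they may not open connections to any
! internal subnet. Traffic within one VLAN is switched by the 3560 and never reaches the ASA.
object-group network INTERNAL-NETS
 network-object 10.10.0.0 255.255.255.0
 network-object 10.20.0.0 255.255.255.0
 network-object 10.30.0.0 255.255.255.0
 network-object 10.40.0.0 255.255.255.0
access-list PUBWIFI_IN extended deny ip any object-group INTERNAL-NETS
access-list PUBWIFI_IN extended permit ip 10.40.0.0 255.255.255.0 any
access-group PUBWIFI_IN in interface pubwifi
access-list DMZ_IN extended deny ip any object-group INTERNAL-NETS
access-list DMZ_IN extended permit ip 10.20.0.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
! inside and privwifi keep the default behaviour: a higher security level may initiate
! toward a lower one (Internet, dmz, pubwifi); return traffic is allowed by the state table.

! ===== 3560, layer 2 only: no "ip routing", no addressed SVIs for these VLANs =====
vlan 10
 name LAN
vlan 20
 name DMZ
vlan 30
 name PRIVWIFI
vlan 40
 name PUBWIFI
!
interface GigabitEthernet0/1
 description trunk to ASA Ethernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
interface FastEthernet0/5
 description LAN host; hosts in VLAN 10 use 10.10.0.1 (the ASA) as their gateway
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```

Two things worth checking after loading this. First, `show nat` and `show conn` confirm that each subnet is translated through its own interface pair; if a subnet is missing its object NAT rule its hosts will route to the outside interface but never get a translation. Second, once an access-group is applied inbound on an interface, the security-level default for that interface no longer applies and the ACL decides everything, so the explicit `permit ... any` line at the end of each list is what gives those VLANs Internet access. For idea 2 (routing on the switch), the complication the reply mentions is that a DMZ-to-Internet packet would enter and leave the ASA on the same inside interface, which the ASA refuses unless `same-security-traffic permit intra-interface` is configured, and NAT then has to be written against that single interface.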
This configuration was what I wound up designing. I have a default route to the LAN interface (inside) on the ASA and I'm trying to use Policy Based Routing to forward outbound traffic on the DMZ to the DMZ interface on the ASA. I also have separate VLANs for my Public and Private wifi. I'll post a show run from my switch and ASA if that helps.