Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
785
Views
0
Helpful
2
Replies

ASA Config - 2 internal networks

Ben Sebborn
Level 1
Level 1

‎02-29-2012 04:24 AM - edited ‎03-11-2019 03:36 PM

Hi

We have a small business office, but due to PCI compliance we need to segment this into two internet networks (one 'compliant' and one for any other devices to use).

We currently have a Draytek modem/wan load balancer which also has firewalling but this is very basic and doesn't support seperate security policies on each vlan.

As such, I have just purchased an ASA 5505 and would like some pointers to setting things up:

VLANS:

1) Outside (draytek)

2) InsidePci (our secure zone, contains a windows domain controler/dhcp/etc)

3) Inside (just a regular network that just has internet access and no connection to vlan 2)

Questions:

1) At the moment everything is on one subnet 192.168.2.x. The draytek has a static IP and everything else is allocated an IP from our Windows DHCP Server. As this windows server will be within the 'insidepci' network I was planning to have this vlan continue to use that, and the regular 'inside' network using DHCP from the ASA. Is that possible?

2) Do I need to put the draytek on it's own subnet (so just the draytek is on say 192.168.3.x) as it seems I cant allocate an IP in the same range to two different VLANs.

3) From looking at one of the online guides, it seems I would then need an internal router? I wasn't aware of this, I was hoping I could just assign one switch to the 'inside' VLAN and a seperate switch to the 'insidepci' vlan? There isn't a need to communicate between these VLANS but both need to be able to access 'outside' (draytek gateway)

Many thanks for your help

Labels:
0 Helpful
2 Replies 2

Ben Sebborn
Level 1
Level 1

‎02-29-2012 01:39 PM

Can anyone offer any advice/pointers?


Cheers

0 Helpful

rizwanr74
Level 7
Level 7
In response to Ben Sebborn

‎02-29-2012 08:33 PM

" was planning to have this vlan continue to use that, and the regular 'inside' network using DHCP from the ASA. Is that possible?" Yes.

2) Do I need to put the draytek on it's own subnet (so just the draytek is on say 192.168.3.x) as it seems I cant allocate an IP in the same range to two different VLANs.  No you put the drayteck modem in the bridge mode, just to funtion as plane old modem, and then you create pppoe authenction of the your new ASA5505, authenticate for connection from your local ISP.

3) From looking at one of the online guides, it seems I would then need an internal router? No, you do not need a router, but a layer3 switch will be able to do intervlan routing.  Something like, Cisco 3560, if you choose to access in between "InsidePci" and "vlan 2" however if you do not wish to access in between these two vlans, then you can get away with something simple as 2950 layer2 switch flat.

could just assign one switch to the 'inside' VLAN and a seperate switch to the 'insidepci' vlan? Yes you can, however with cisco switch such as 2950 layer2 switch, you can create two different layer2 vlans for each segment and those two layer2 vlans will not be able access in between them.

I hope these answers your question.

Thanks

Rizwan Rafeek.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card