Cisco Support Community

New Member
ASA for internet edge and internal zones

Hi,

Has anyone used a pair of ASA 5520s in HA to firewall the internet edge and to firewall traffic between internal security zones such as web and application layers? If so, is this best done using different security levels or contexts?

I'm thinking of using a routed context for securing the internet edge and then using separate contexts for the web and application networks. Contexts will route via a L3 switch.

Thanks,

3 REPLIES
Red

ASA for internet edge and internal zones

Hi,

Yes, you can use the firewall in either routed context mode or routed single mode; either way you can manage your web and application networks properly. The best utilization of context mode is when you have multiple ISPs terminating for different customers or networks on the ASA, so that you keep them separate from each other. But that all depends on the requirement. Using different security-levels would also work for you. That should not be an issue.

Hope that helps

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
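To make the "security levels in single routed mode" option concrete, here is an added example configuration (not from the thread or from Cisco) for an ASA with three zones: outside (level 0), a web tier (level 50) and an application tier (level 100). The interface names, addresses (RFC 5737/1918 ranges), object groups and the port 8443 web-to-app flow are all assumptions chosen for illustration, and the NAT/ACL syntax assumes ASA 8.3 or later (on 8.2 and earlier the outside ACL would reference the mapped address instead of the real one). The point it shows is that the security level only sets a default; as soon as an access-group is applied to an interface, the ACL decides what that zone may initiate, so the inter-zone policy should be written out explicitly rather than relying on the levels.

```cisco
! Added example, not the original poster's or Cisco's configuration.
! Single routed mode, three zones with distinct security levels.
hostname asa-edge
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif web
 security-level 50
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif app
 security-level 100
 ip address 10.1.20.1 255.255.255.0
!
! With no ACL applied, the levels alone mean: connections may start from a
! higher level towards a lower one (app -> web -> outside) and return traffic
! is allowed statefully; lower -> higher (outside -> web, web -> app) is dropped.
! So the web tier cannot reach the app tier at all, and the app tier can reach
! everything. Both defaults are replaced below by explicit per-interface ACLs.
!
object-group network WEB_SERVERS
 network-object 10.1.10.0 255.255.255.0
object-group network APP_SERVERS
 network-object 10.1.20.0 255.255.255.0
!
! Web tier: may only open TCP/8443 (assumed app listener) to the app tier.
access-list WEB_IN extended permit tcp object-group WEB_SERVERS object-group APP_SERVERS eq 8443
access-list WEB_IN extended deny ip any any log
access-group WEB_IN in interface web
!
! App tier: the high security level would otherwise let it initiate anything.
! Assumed policy: HTTPS out for updates only, nothing towards the web tier.
access-list APP_IN extended deny ip object-group APP_SERVERS object-group WEB_SERVERS log
access-list APP_IN extended permit tcp object-group APP_SERVERS any eq 443
access-list APP_IN extended deny ip any any log
access-group APP_IN in interface app
!
! Internet edge: publish one web server (assumed real IP 10.1.10.10) on a
! public address and permit only HTTPS to it. ASA 8.3+ ACLs use the real IP.
object network WEB_VIP
 host 10.1.10.10
 nat (web,outside) static 203.0.113.3
access-list OUTSIDE_IN extended permit tcp any object WEB_VIP eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

After applying it, `show nameif` confirms the levels, and `packet-tracer input web tcp 10.1.10.10 40000 10.1.20.10 8443` versus `packet-tracer input web tcp 10.1.10.10 40000 10.1.20.10 22` shows the first flow allowed by WEB_IN and the second dropped by it, which is the check worth running before trusting the zone separation. In multiple-context mode each context would carry its own copy of this kind of policy; the caveat for this thread's requirement is that ASA software before 9.0 did not support VPN termination in multiple-context mode at all, which on its own argues for single routed mode when the internet edge must also terminate VPNs.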
New Member

ASA for internet edge and internal zones

Thanks Varun

I will probably configure the ASA in routed single mode and use security levels between the different zones. There is only 1 ISP in this environment and I also need to support VPN termination on the internet edge.

In terms of sizing, the internet connection will be 300Mbps and the firewall throughput between zones needs to be above 500Mbps. I'm just thinking that the 5520 in active/standby will handle the internet bandwidth requirements but not the inter-zone requirements. Which model of ASA will be a good fit here?

Thank you.

Red

ASA for internet edge and internal zones

Hi Will,

I can't really suggest a particular device, because you can be the best judge of it, but yes, you can go through the datasheet below and try to match up your requirements with it:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

Hope that helps

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC