Cisco Support Community
ASA Interfaces best practice

Hi,

On an ASA (8.4), should the servers such as Active Directory be behind the same interface as the office network PCs and then separated on different VLANs? (Or split up and placed behind different ASA interfaces?)

In a basic setup I believe that only 3 interfaces are enough (inside, DMZ, outside). This would mean that the servers (excluding front-end servers, which would be in the DMZ) will be behind the inside interface alongside the end users' computers.

Let me know any suggestions/best practices, even by linking documentation, so that I configure these 3 interfaces correctly in terms of security levels and access.


thanks

Accepted Solution

Depending on the size of the network, I've seen most companies use a different VLAN for their users and for their servers, but they both live on the "inside" interface of the firewall. Front-end web-facing servers typically live in the DMZ. Unless there is an explicit reason to route your user traffic destined for your servers through a firewall (sometimes, PCI or other regulations are the case) then you should not need any more interfaces than the 3 you mentioned.

So:
Inside security level = 100
DMZ security level = 50
Outside security level = 0

Setup NAT and access-lists accordingly.
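The three-interface layout described in this answer, written out as an added example (this is not configuration from the reply above or from Cisco documentation): ASA 8.4 interfaces with the security levels 100/50/0, object NAT in the 8.3+ syntax, and the access-lists that enforce the trust boundaries. Interface names, addresses (RFC 5737 documentation ranges and private space), object names, and the inside L3 switch at 10.1.0.2 that routes the user and server VLANs are all assumptions for illustration.

```cisco
! ASA 8.4, three-interface layout: inside (100), dmz (50), outside (0).
! Assumed addressing. User VLAN 10.1.10.0/24 and server VLAN 10.1.20.0/24
! sit behind an inside L3 switch (10.1.0.2), so user-to-server traffic is
! routed there and never crosses the firewall.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.1.10.0 255.255.255.0 10.1.0.2
route inside 10.1.20.0 255.255.255.0 10.1.0.2
!
! Objects hold real (pre-NAT) addresses. In 8.3+ both the NAT statements
! and the access-lists refer to real addresses, never to the mapped ones.
object network INSIDE-NETS
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
object network DMZ-NET
 subnet 192.168.50.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
object network WEB-SERVER
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.3
!
! outside -> dmz: only the published services; everything else logged and dropped.
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! dmz -> inside is denied explicitly and logged, so a compromised web server
! cannot reach Active Directory or the other inside servers. DMZ hosts keep
! outbound HTTP/HTTPS/DNS for updates. Security level 50 < 100 would already
! block this, but once an ACL is bound to the interface the ACL alone decides.
access-list DMZ_IN extended deny ip object DMZ-NET object INSIDE-NETS log
access-list DMZ_IN extended permit tcp object DMZ-NET any eq 80
access-list DMZ_IN extended permit tcp object DMZ-NET any eq 443
access-list DMZ_IN extended permit udp object DMZ-NET any eq 53
access-group DMZ_IN in interface dmz
!
! No ACL on inside: traffic from security level 100 to 50 and 0 is permitted
! by default. Bind an INSIDE_IN list only if inside egress must be restricted.
```

Two things to check before relying on this. First, applying an access-group to an interface replaces the security-level default for that interface with the list's implicit deny, so if a DMZ server must reach one inside service (an application backend, for instance), add a permit for that single host and port above the `deny ip object DMZ-NET object INSIDE-NETS` line rather than loosening the deny. Second, `show nat` and `packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.3 443` confirm that the static translation and the OUTSIDE_IN entries match in the order you expect.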

3 REPLIES

Great, yes, in fact I want to simulate a network as close as possible to a real corporate one. In fact I forgot to mention the management side, where management servers are used to manage the network - are these also to go behind the inside interface and again on a separate VLAN?


Thanks

Yes, usually people have a separate management network (VLAN) for their switches, server KVM management interfaces, etc. Again, it all depends on how big the network is. If it's a 10-PC and 1-2 server network with one switch, it may be a little overkill to segment it that much.
