10-17-2017 06:50 AM - edited 02-21-2020 06:30 AM
I have an established network for security equipment with an ASA5506-X and a SG500 in Layer 3 mode. All other layer 2 switches and devices (IP cameras, card readers, etc.) are pointing to the SG500 as their default gateway. The SG500 is performing all the inter-VLAN routing. The ASA is in transparent mode and acting strictly as a firewall, providing limited internet connectivity only to those devices which need it. The customer wants to make a connection between our network and their LAN to allow for the use of a mobile app from their internal WLAN to one of the security devices. What is the best way to accomplish this? Should I run it through the ASA? From what I've read, to do that I would have to change the ASA to routed mode. How much would that change the operation of the ASA and the network? Can an ASA in routed mode co-exist peacefully with a SG500 in Layer 3 mode? Or, should I make the connection on the SG500, assigning a separate VLAN and using ACLs to restrict the traffic? Which provides more security?
10-17-2017 07:40 AM
Hi
Sorry I don't get your point when saying "The customer wants to make a connection between our network and their LAN to allow for the use of a mobile app from their internal WLAN to one of the security devices."
Anyway, this network you're talking about is on the outside zone of the ASA. You can create the SVI on your SG500 and assign an ACL, or you can move it onto the ASA, which will be secure. I mean, if we take a small example, if an attack is performed on that subnet it will impact the ASA and not your production users connected to the SG500. The ASA is a more robust security solution compared to the SG500, which is just a switch... I don't have exactly all your needs and requirements, but for me it would be better to move it onto the ASA.
Now, as you said, you'll need to change the ASA mode to routed due to this new network with a new subnet. This will work fine with your SG500, but some changes are needed:
Basically, the changes that will be done by moving the ASA to routed mode will be all the routing stuff, but not so complex.
10-17-2017 08:22 AM
Francesco - Thanks for the quick reply! I agree that it would be better to make the connection on the ASA. The more secure, the better! I understand the changes you specified. Allow me to clarify the network design a little more:
So by changing the ASA to routed mode, will I need to make any configuration change to the SG500 or the ASA?
When I add the connection from the client's LAN to the ASA, would it be best for me to give that interface a lower security level than the ASA's inside interface? I would assume so.
10-17-2017 08:25 AM
Hi
Except for the routing stuff and the ACL assigned to the right interface, nothing else changes.
Now the inside will have a security-level of 100, outside will be 0, and this new network can be anything lower than 100 and higher than 50 if you want it to be less secure than the LAN. So the answer is yes, lower security than the inside interface.
10-17-2017 08:19 AM - edited 10-17-2017 08:20 AM
Outside <--ASA---> Inside ------------------> SG500 (l3) ----------------------LAN
(192.168.1.1) (Vlan1 192.168.1.2) Vlan 10, Vlan11( ACL)
(default route 192.168.1.1)
Having the SG500 in L3 mode gives the flexibility to add multiple VLANs when required and route them to the ASA using the default route. Most of the ACLs could be controlled on the switch.
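The routed-mode design the two replies above describe (inside at 100, outside at 0, a lower-security interface for the customer hand-off with an ACL applied inbound, and the SG500 pointing its default route at the ASA) written out as an added configuration example. This is not configuration from the thread or from either poster; the 192.168.1.1 / 192.168.1.2 addresses and VLAN 10/11 come from the diagram above, while the interface names, the security-level value 50, the VLAN subnets, the customer WLAN subnet, the device address and the app port are assumptions to make the fragment concrete.

```cisco
! Added example, not from the original thread. ASA 5506-X moved to routed mode in front of
! a Layer 3 SG500. Addresses 192.168.1.1 (ASA inside) and 192.168.1.2 (SG500 VLAN 1) are
! from the diagram post; every other address, interface name and port is an assumption.
!
! Changing firewall mode clears the running configuration, so save a copy first:
!   copy running-config disk0:/asa-transparent-backup.cfg
no firewall transparent
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Customer LAN hand-off. Any level below inside (100) means nothing from the customer
! side reaches inside without an explicit permit; 50 is an assumed value.
interface GigabitEthernet1/3
 nameif customer
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! The security VLANs sit behind the SG500, so the ASA needs routes back to them.
! Assumed subnets: 192.168.10.0/24 = VLAN 10, 192.168.11.0/24 = VLAN 11.
route inside 192.168.10.0 255.255.255.0 192.168.1.2
route inside 192.168.11.0 255.255.255.0 192.168.1.2
! Assumed customer WLAN subnet, reached via their router at 172.16.0.2 on the hand-off.
route customer 10.20.0.0 255.255.0.0 172.16.0.2
!
! Only the mobile-app flow: customer WLAN -> one security device on one port
! (assumed TCP 443). Everything else from the customer side is dropped and logged.
object network SEC_DEVICE
 host 192.168.10.50
object network CUSTOMER_WLAN
 subnet 10.20.0.0 255.255.0.0
access-list CUSTOMER_IN extended permit tcp object CUSTOMER_WLAN object SEC_DEVICE eq 443
access-list CUSTOMER_IN extended deny ip any any log
access-group CUSTOMER_IN in interface customer
!
! No NAT statements on purpose: on ASA 8.3 and later, traffic with no matching NAT rule
! is routed untranslated, which is what two non-overlapping private networks need.
!
! ---- SG500 side (Layer 3 mode), as in the diagram post: one default route to the ASA.
! ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Two checks worth doing after the change: `show route` on the ASA should list the VLAN 10/11 subnets via 192.168.1.2 and the customer WLAN via 172.16.0.2, and a `show access-list CUSTOMER_IN` hit count on the deny line while the customer tests the app confirms that anything other than the intended device and port is actually being blocked rather than silently routed.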