
ASA5506-X with two Internal LANs

IT_wrench
Level 1

I have an established network for security equipment with an ASA5506-X and an SG500 in Layer 3 Mode.  All other layer 2 switches and devices (IP cameras, card readers, etc.) are pointing to the SG500 as their default gateway.  The SG500 is performing all the inter-VLAN routing.  The ASA is in transparent mode and acting strictly as a firewall, providing limited internet connectivity only to those devices which need it.  The customer wants to make a connection between our network and their LAN to allow for the use of a mobile app from their internal WLAN to one of the security devices.  What is the best way to accomplish this?  Should I run it through the ASA?  From what I've read, to do that I would have to change the ASA to routed mode.  How much would that change the operation of the ASA and the network?  Can an ASA in routed mode co-exist peacefully with an SG500 in Layer 3 mode?  Or, should I make the connection on the SG500, assigning a separate VLAN and using ACLs to restrict the traffic?  Which provides more security?

Accepted Solution

Francesco Molino
VIP Alumni

Hi

Sorry, I don't get your point when saying "The customer wants to make a connection between our network and their LAN to allow for the use of a mobile app from their internal WLAN to one of the security devices."

Anyway, this network you're talking about is on the outside zone of the ASA. You can create the SVI on your SG500 and assign an ACL, or you can move it to the ASA, which will be secure. I mean, if we take a small example, if an attack is performed on that subnet it will impact the ASA and not your production users connected to the SG500. The ASA is a more robust security solution compared to the SG500, which is just a switch... I don't have exactly all your needs and requirements, but for me it would be better to move it to the ASA.

Now, as you said, you'll need to change the ASA mode to routed due to this new network with a new subnet. This will work fine with your SG500, but some changes are needed:

  • The default route on the SG500 needs to be changed. Right now, I bet it's your ISP router; tomorrow it will be your inside ASA IP address.
  • The ASA will have a default route pointing to your ISP router.
  • Today, the SG500 and ISP router are in the same subnet. Tomorrow, you'll have a new interconnection subnet between your ISP router and the ASA.
  • All NAT can be kept on your actual ISP router, or you can move it to your ASA.

Basically, the changes that will be done by moving the ASA to routed mode will be all the routing stuff, but not so complex.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


4 Replies


Francesco - Thanks for the quick reply!  I agree that it would be better to make the connection on the ASA.  The more secure, the better!  I understand the changes you specified.  Allow me to clarify the network design a little more:

  • ASA outside interface is a static WAN IP
  • ASA default route is to the ISP's router
  • SG500 default route is to the ASA inside interface

So by changing the ASA to routed mode, will I need to make any configuration change to the SG500 or the ASA?

When I add the connection from the client's LAN to the ASA, would it be best for me to give that interface a lower security level than the ASA's inside interface?  I would assume so.

Hi

Except for the routing stuff and the ACL assigned to the right interface, nothing else changes.

Now the inside will have a security-level of 100, outside will be 0, and this new network can be anything lower than 100 and higher than 50 if you want it to be less secure than the LAN. So the answer is yes, a lower security level than the inside interface.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
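As an added illustration, not part of Francesco's or Kias's posts, here is what the routed-mode design discussed in this thread (default routes swapped, the ASA holding the customer interconnect at an intermediate security level, and an ACL that admits only the mobile-app flow) could look like in ASA and SG500 CLI. All addresses, interface names, the VLAN subnets, the customer WLAN subnet and the security device host/port are constructed placeholders; the only values reused from the thread are the 192.168.1.1 / 192.168.1.2 interconnect, VLANs 10 and 11, and the security levels 100 / 0 with the new interface in between. Note that changing the ASA firewall mode clears the running configuration, so export it first.

```cisco
! ---- ASA 5506-X (added example, constructed values) ----
no firewall transparent                     ! switch from transparent to routed mode
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248    ! new ISP<->ASA interconnect subnet (constructed)
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0       ! faces SG500 VLAN 1 (192.168.1.2)
!
interface GigabitEthernet1/3
 nameif customer
 security-level 60                          ! below inside (100), above outside (0)
 ip address 10.50.0.1 255.255.255.0         ! hand-off to the customer's router (constructed)
!
! Routing: default to the ISP, security VLANs via the SG500, customer WLAN via their router
route outside  0.0.0.0       0.0.0.0       203.0.113.9
route inside   192.168.10.0  255.255.255.0 192.168.1.2     ! VLAN 10 behind SG500
route inside   192.168.11.0  255.255.255.0 192.168.1.2     ! VLAN 11 behind SG500
route customer 10.60.0.0     255.255.255.0 10.50.0.2       ! customer WLAN (constructed)
!
! Optional: move NAT from the ISP router to the ASA for the security VLANs
object network SEC_VLANS
 subnet 192.168.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! Only the customer WLAN may reach the one security device, on the app's port.
! Everything else from the lower-security interface is denied and logged.
object network CUST_WLAN
 subnet 10.60.0.0 255.255.255.0
object network SEC_DEVICE
 host 192.168.10.25                         ! the device the mobile app talks to (placeholder)
access-list CUSTOMER_IN extended permit tcp object CUST_WLAN object SEC_DEVICE eq 443
access-list CUSTOMER_IN extended deny ip any any log
access-group CUSTOMER_IN in interface customer
!
! ---- SG500 in Layer 3 mode (added example) ----
! Replace the old default route (ISP router) with the ASA inside address
no ip route 0.0.0.0 /0 OLD_ISP_ROUTER_IP    ! placeholder for the current next hop
ip route 0.0.0.0 /0 192.168.1.1
```

Two design points worth checking after applying something like this: the ASA must know the VLAN subnets sit behind 192.168.1.2 (the `route inside` lines), otherwise replies from the security device are sent out the default route; and because the customer interface is lower-security than inside, nothing crosses without the explicit permit, so `show access-list CUSTOMER_IN` hit counts and the logged denies are the quickest way to confirm the restriction is doing what the thread asks for.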

Kias
Level 1

Outside <--ASA--> Inside -----------------> SG500 (L3) -----------------> LAN
                  (192.168.1.1)             (VLAN 1 192.168.1.2)          VLAN 10, VLAN 11 (ACL)
                                            (default route 192.168.1.1)

Having the SG500 in L3 mode gives the flexibility to add multiple VLANs when required and route them to the ASA using the default route. Most of the ACLs could be controlled on the switch.

 

Kias
Fonicom Limited
raiseaticket Malta