ASA Configuration Best Practices

Building a home lab, and currently running router on a stick. I am able to access the internet from both the router and the switch.

INET -- ISP MODEM -- ISP ROUTER -- CISCO 2851 ROUTER -- 3750 SWITCH -- ASA 5510 FIREWALL

I realize that my firewall is not in the ideal spot currently, but it is my understanding that because the rest of the network is allowing traffic to the internet, once I configure the firewall properly I should be able to ping out from it as well. I do understand that additional configuration will be needed to point the existing routers and switches to the appropriate next hop, etc. Even though this is a home lab, I am treating it as production, for the learning experience.

 

My current goal is to perform as much configuration as possible, plan the migration of moving the firewall, and implement. I am still undecided as to which config is better considering the equipment that I have: 

 

ISP ROUTER -- ASA5510 -- CISCO 2851 ROUTER -- 3750 SWITCH 

or

ISP ROUTER -- 3750 SWITCH (via VLAN) --ASA5510 -- CISCO 2851 ROUTER -- 3750 SWITCH

 

I do have 2 3750 switches, but I prefer to use a VLAN; there is no sense in wasting a 52-port switch for this purpose...

What would you do? I see many people putting a router between the ISP router and the firewall...

 

Thoughts?

 

Also, I read that ACLs may not be the preferred way to get the ASA5510 connected to the internet, so should I just configure some routes?

Any advice is appreciated.

Thanks!
8 Replies

Jon Marshall
Hall of Fame

 

It really depends on exactly what you are trying to emulate. 

 

Putting aside the router outside the firewall for a moment, I understand you are using routing on a stick, but if you really want to emulate a production network you would be better off routing all traffic between VLANs on your 3750 switch and then connecting the firewall directly to that switch, i.e. the router really serves no real purpose with the equipment you have.

You could then, if you wanted, place this router between the ISP modem and your firewall, or you can simply connect the modem directly to your firewall; I have seen it done both ways.

 

As for whether to use a switch between the ISP and your router and/or firewall it depends if you have any devices you want to sit on that subnet. 

 

I'm guessing you don't so again entirely up to you. 

 

Jon

Ok, let me make sure I understand your recommendation... Instead of creating the sub-interfaces on the router, use the L3 switch for routing and move away from router on a stick. Because I would be using the switch as a router, the router I have isn't needed. Correct?

I am currently working with about 10 VLANs, so those would be created on the switch, not on the router?

In this situation, would the switch become the default gateway and gateway of last resort for each of the VLANs? I'm guessing each VLAN would use an interface on the switch?




 

Correct and you are more likely to come across this setup in a production network (at least from my experience). 

 

Also worth pointing out that L3 switches have much better performance in terms of throughput than an equivalent router which is why you use them for internal routing. 

 

On the switch you would create an SVI (Switched Virtual Interface) per VLAN, e.g.

int vlan x
ip address x.x.x.x <subnet mask>
no shut

 

and the IP address is the default gateway for clients in that vlan. 

 

Jon

Ok, that is good info. As a matter of fact, one of the companies I work with is looking to break router on a stick to go with the model you are recommending.



It sounds like it is possible and not that difficult to migrate each router-on-a-stick VLAN to the non-router-on-a-stick model. Correct? Each VLAN would be migrated from the router to the switch...

Routing would then occur at the switch level, without the need for a router. Am I following?


 

Yes, all routing between VLANs would be done on the 3750 switch, and then on the 3750 switch there would be a default route pointing to the firewall.

 

On the firewall you would have routes for the subnets on the 3750. 

 

Or you can run a dynamic routing protocol between the 3750 and the firewall depending on the feature set on your 3750s. 

 

Jon

Thanks Jon, I think I understand. Let me recap in my own words to ensure that I am on the same page. 

 

Routing would be performed at the switch level instead of going up to the router and coming back down utilizing the trunk port created for Router on a stick. 

 

The routes on the firewall would be just for allowing internet facing traffic to get routed to the proper subnet, and outbound traffic. Correct?

 

Is it possible to start migrating my existing subnets one at a time without breaking router on a stick? Is that complicated?

 

I'm going to avoid the dynamic routing for now, get a solid understanding of the static routes, then start playing with the dynamic features, assuming my equipment supports it.

 

Thanks for all of your expertise. Greatly appreciated!

 

Shannon

 

 

The routes on the firewall are so the firewall knows how to reach the subnets routed on the switch. 

 

You could migrate one at a time if you wanted, not too complicated. 

 

If you decide to do that then create a new vlan between the switch and router purely for routing between them. 

 

Jon
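A concrete version of the design Jon lays out in his last two replies (inter-VLAN routing on the 3750 with one SVI per VLAN, a default route on the switch pointing at the firewall, matching static routes on the ASA back to the internal subnets, and a separate routing-only VLAN between the switch and the 2851 for migrating one VLAN at a time). This is an added illustration, not configuration from the thread or from Cisco; every VLAN ID, IP address and interface name in it is constructed for the example.

```cisco
! ===== Cisco 3750 (Layer 3 switch) =====
! All VLAN IDs and addresses are constructed for this example.
ip routing
!
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 30
 name LEGACY-STILL-ON-2851
vlan 98
 name TRANSIT-TO-2851
vlan 99
 name TRANSIT-TO-ASA
!
! One SVI per migrated VLAN; the SVI address is the default gateway for hosts in that VLAN
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no shutdown
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 no shutdown
!
! Point-to-point routed link to the ASA inside interface
interface Vlan99
 ip address 10.99.99.2 255.255.255.252
 no shutdown
!
! Point-to-point routed link to the 2851, used only while VLANs are still being migrated
interface Vlan98
 ip address 10.98.98.2 255.255.255.252
 no shutdown
!
! Access port the ASA inside interface plugs into
interface GigabitEthernet1/0/1
 description ASA5510 inside
 switchport mode access
 switchport access vlan 99
!
! Default route: anything not local leaves via the firewall
ip route 0.0.0.0 0.0.0.0 10.99.99.1
! VLAN 30 is not migrated yet, so its subnet is still reached via the 2851
ip route 10.10.30.0 255.255.255.0 10.98.98.1

! ===== Cisco 2851 (still routing VLAN 30 during the migration) =====
! Existing router-on-a-stick trunk; only the transit and not-yet-migrated VLANs remain
interface GigabitEthernet0/0.98
 encapsulation dot1Q 98
 ip address 10.98.98.1 255.255.255.252
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
! Everything the router does not own goes back to the 3750
ip route 0.0.0.0 0.0.0.0 10.98.98.2

! ===== Cisco ASA 5510 =====
! Outside address is constructed; 192.0.2.1 stands in for the ISP router
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.99.99.1 255.255.255.252
 no shutdown
!
! Default route toward the ISP
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! Return routes so the ASA knows the internal subnets sit behind the 3750
route inside 10.10.10.0 255.255.255.0 10.99.99.2 1
route inside 10.10.20.0 255.255.255.0 10.99.99.2 1
route inside 10.10.30.0 255.255.255.0 10.99.99.2 1
```

Migrating a VLAN means adding its SVI on the 3750, removing the matching sub-interface and static route for it on the 2851, and deleting the 3750 static route that pointed at the router; the ASA routes do not change because every internal subnet is already reached via the 3750 transit address. On the ASA side this also answers the original ACL question: with inside at security-level 100 and outside at 0, outbound traffic is permitted by default and only needs correct routes (plus NAT for real internet access, which this snippet leaves out), while anything initiated from the internet toward the inside stays blocked unless an access-list explicitly allows it.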

The only device that I would have between the ISP modem and the firewall would be a web server, but I would want that behind the firewall, so I think it makes sense to connect the firewall directly to the ISP modem. What kind of devices do you see connected between an ISP modem and firewall? Seems no point as it's unprotected.