Francesco - Thanks for the quick reply! I agree that it would be better to make the connection on the ASA. The more secure, the better! I understand the changes you specified. Allow me to clarify the network design a little more:
ASA outside interface is static WAN IP
ASA default route is to ISP's router
SG500 default route is to ASA inside interface
So by changing the ASA to routed mode, will I need to make any configuration change to the SG500 or the ASA?
When I add the connection from the client's LAN to the ASA, would it be best for me to give that interface a lower security level than the ASA's inside interface? I would assume so.
I have an established network for security equipment with an ASA5506-X and a SG500 in Layer 3 Mode. All other layer 2 switches and devices (IP cameras, card readers, etc.) are pointing to the SG500 as their default gateway. The SG500 is performing all the inter-VLAN routing. The ASA is in transparent mode and acting strictly as a firewall, providing limited internet connectivity only to those devices which need it. The customer wants to make a connection between our network and their LAN to allow for the use of a mobile app from their internal WLAN to one of the security devices. What is the best way to accomplish this? Should I run it through the ASA? From what I've read, to do that I would have to change the ASA to routed mode. How much would that change the operation of the ASA and the network? Can an ASA in routed mode co-exist peacefully with a SG500 in Layer 3 mode? Or, should I make the connection on the SG500 assigning a separate VLAN and use ACLs to restrict the traffic? Which provides more security?