The Sorrow, posted March 12, 2012

So I got my hands on a Cisco Adaptive Security Appliance 5505. Nifty little toy I'm trying out; I just need some config ideas. What I want to do is set up the ASA as my main gateway to the inter-webs, I'm just not sure how I'm gonna do it. I currently have a pfSense firewall which acts as a perimeter firewall and routes between my four different subnets, which are:

10.10.0.0/24 - LAN
10.20.0.0/24 - DMZ
10.30.0.0/24 - Private Wifi
10.40.0.0/24 - Public Wifi

I currently have the DMZ and LAN networks set as VLANs on my 3560 switch. No inter-VLAN routing or anything crazy (pfSense handles that). I have a couple of ideas on how to do this; I just wanted to know which one is the best, or if you guys have any better directions.

Idea 1: Pretty simple. The way I assume this would work is the ASA would act as my pfSense firewall does. The only thing is I don't think ASAs can do inter-VLAN routing or anything else like that. I know that with access lists configured I can trunk the Wifi port and allow only Private Wifi between VLANs, but I'm not sure if the ASA will hold the default gateway IPs or if the switch will be the default gateway and have static routes to the ASA for addresses outside the network. The ports on the switch will be given VLAN access depending on the device that is on said port.

Idea 2: This one feels kind of router-on-a-stick level... the switch holds all the inter-VLAN routing with EIGRP, and access controls will also be the sole responsibility of the switch. The only problem is I can't see how to make NAT and a DMZ work with this idea.

So can a Cisco guru please give me a direction to go? I really want to implement this ASA!!!
The Sorrow (author), posted March 12, 2012

Well, I answered my own question by debating with a couple of guys I know. Here's the graphical idea:

Since I have a Base license and the DMZ is restricted (can't initiate connections to the LAN (inside) network), no access lists need to be configured on the ASA. No issue with this, except I like to have my DMZ servers use my LAN DNS servers for name resolution. Then on the switch I can use EIGRP to allow inter-VLAN routing between all my VLANs and use access lists to limit the DMZ and Public Wifi to external addresses only. Then I can set ACLs for Private Wifi and LAN to have access to anything on the network. The VLANs hosted on the switch will be the default gateway, and I'll set static routes to the ASA for the next hop.

Maybe this will be useful someday. Cheers!
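The switch-side design in the post above (SVIs as default gateways, a static default route toward the ASA, ACLs that confine the DMZ and Public Wifi to external addresses while letting the DMZ reach the LAN DNS servers) written out as Cisco IOS configuration. This is an added illustration, not the poster's own config or the missing diagram. Everything not stated in the thread is assumed: VLAN IDs 10/20/30/40 match the third octet of each subnet, the ASA inside interface sits on the LAN VLAN at 10.10.0.1, the switch SVIs use .254, and the LAN DNS servers are 10.10.0.10 and 10.10.0.11. EIGRP is not configured here; on a single layer-3 switch the SVIs alone provide inter-VLAN routing, and the post's static routes carry the default path to the ASA.

```text
! ===== Catalyst 3560 (assumed VLAN IDs, addresses and DNS hosts; constructed example) =====
ip routing

! SVIs are the default gateways for every subnet, as the post describes
interface Vlan10
 description LAN
 ip address 10.10.0.254 255.255.255.0
interface Vlan20
 description DMZ
 ip address 10.20.0.254 255.255.255.0
 ip access-group DMZ-IN in
interface Vlan30
 description Private Wifi (unrestricted, so no ACL)
 ip address 10.30.0.254 255.255.255.0
interface Vlan40
 description Public Wifi
 ip address 10.40.0.254 255.255.255.0
 ip access-group PUBWIFI-IN in

! Default route: next hop is the ASA inside interface (assumed 10.10.0.1)
ip route 0.0.0.0 0.0.0.0 10.10.0.1

! DMZ: only the LAN DNS servers internally, everything else external only.
! IOS ACLs are stateless, so replies to LAN-initiated TCP sessions into the
! DMZ must be let back out explicitly ("established") before the deny line;
! UDP/ICMP initiated from the LAN toward the DMZ would still be blocked here.
ip access-list extended DMZ-IN
 remark name resolution against the LAN DNS servers (assumed 10.10.0.10/.11)
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.10 eq domain
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.11 eq domain
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.10 eq domain
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.11 eq domain
 remark return traffic for TCP sessions opened from the internal networks
 permit tcp 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255 established
 remark no other access from the DMZ to any internal subnet
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark external (Internet) traffic is allowed
 permit ip 10.20.0.0 0.0.0.255 any

! Public Wifi: external addresses only, plus DHCP from the switch itself
ip access-list extended PUBWIFI-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.40.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.40.0.0 0.0.0.255 any

! ===== ASA 5505 inside-side return routes (assumed switch SVI 10.10.0.254) =====
! Without these the ASA only knows the directly connected 10.10.0.0/24.
route inside 10.20.0.0 255.255.255.0 10.10.0.254
route inside 10.30.0.0 255.255.255.0 10.10.0.254
route inside 10.40.0.0 255.255.255.0 10.10.0.254
```

Two checks worth running after applying something like this: `show ip access-lists DMZ-IN` on the switch confirms that the hit counters on the DNS permits rise while DMZ-to-LAN attempts land on the deny line, and a DMZ host should resolve names against 10.10.0.10 yet fail to open anything else toward 10.10.0.0/24. The `established` keyword only matches TCP segments with ACK or RST set, so if LAN hosts need to reach DMZ services over UDP, add explicit return permits for those ports rather than widening the deny.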