
ASA and L3 Catalyst Switch Setup


The Sorrow


So I got my hands on a Cisco Adaptive Security Appliance 5505. Nifty little toy I'm trying out; I just need some config ideas. What I want to do is set up the ASA as my main gateway to the inter-webs, I'm just not sure how I'm gonna do it. I currently have a pfSense firewall which acts as a perimeter firewall and routes between my four different subnets, which are:

10.10.0.0/24 - LAN
10.20.0.0/24 - DMZ
10.30.0.0/24 - Private Wifi
10.40.0.0/24 - Public Wifi

I currently have the DMZ and LAN networks set as VLANs on my 3560 switch. No inter-VLAN routing or anything crazy (pfSense handles that). I have a couple of ideas on how to do this; I just wanted to know which one is the best, or if you guys have any better directions.

Idea 1:

[image: plan1z.png]

Pretty simple. The way I assume this would work is that the ASA would act as my pfSense firewall does. The only thing is, I don't think ASAs can do inter-VLAN routing or anything else like that. I know that with access lists configured I can trunk the Wifi port and allow only private Wifi between VLANs, but I'm not sure if the ASA will hold the default gateway IPs, or if the switch will be the default gateway and have static routes to the ASA for addresses outside the network. The ports on the switch will be given VLAN access depending on the device that is on said port.

Idea 2:

[image: plan2o.png]

This one feels kind of router-on-a-stick level... the switch holds all the inter-VLAN routing with EIGRP, and access controls will also be the sole responsibility of the switch. The only problem is I can't see how to make NAT and a DMZ work with this idea.

So can a Cisco guru please give me a direction to go? I really want to implement this ASA!!!


Well, I answered my own question by debating with a couple of guys I know. Here's the graphical idea:

[image: 64488952.png]

Since I have a base license and the DMZ is restricted (can't initiate connections to the LAN (inside) network), no access lists need to be configured on the ASA. No issue with this, except I like to have my DMZ servers use my LAN DNS servers for name resolution. Then on the switch I can use EIGRP to allow inter-VLAN routing between all my VLANs and use access lists to limit the DMZ and Public Wifi to external addresses only. Then I can set ACLs for Private Wifi and LAN to have access to anything on the network. The VLANs hosted on the switch will be the default gateway, and I'll set static routes to the ASA for the next hop.

Maybe this will be useful someday. Cheers!

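A worked configuration for the design in the post above (the switch hosts every VLAN gateway, filters with ACLs, and points a default route at the ASA; the ASA only does NAT to the outside). This is an added example, not config from the original poster or from Cisco documentation, and it makes several assumptions: VLAN IDs 10/20/30/40 for LAN/DMZ/Private Wifi/Public Wifi, a gateway address of .1 in each subnet, a dedicated transit VLAN 99 (10.99.0.0/24) between the switch and the ASA inside interface, a LAN DNS server at the placeholder address 10.10.0.53, FastEthernet0/24 as the uplink port, and ASA 8.3-or-later NAT syntax. It uses `ip routing` with directly connected SVIs rather than EIGRP, since a single L3 switch with a static default route needs no routing protocol; it also shows the `established` keyword, which the DMZ ACL needs so that DMZ servers can answer TCP connections opened from the LAN (the switch ACLs are stateless; only the ASA tracks connection state).

```cisco
!===== Catalyst 3560 (assumed addresses and VLAN IDs) =====
ip routing
!
vlan 10
 name LAN
vlan 20
 name DMZ
vlan 30
 name PRIVATE-WIFI
vlan 40
 name PUBLIC-WIFI
vlan 99
 name TRANSIT-TO-ASA
!
! SVIs are the default gateway for every subnet
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip access-group DMZ-IN in
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
interface Vlan40
 ip address 10.40.0.1 255.255.255.0
 ip access-group PUBLIC-WIFI-IN in
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
!
! Uplink to the ASA inside port (assumed port)
interface FastEthernet0/24
 description Uplink to ASA Ethernet0/1 (inside)
 switchport mode access
 switchport access vlan 99
!
! DMZ may query the LAN DNS server (placeholder 10.10.0.53) and may reply
! to TCP sessions opened from the LAN; every other private destination is
! denied, and only external (non-RFC1918) addresses are reachable.
ip access-list extended DMZ-IN
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.53 eq domain
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.53 eq domain
 permit tcp 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255 established
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.20.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.20.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.20.0.0 0.0.0.255 any
!
! Public Wifi: DHCP to the switch is allowed, nothing private is reachable
ip access-list extended PUBLIC-WIFI-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.40.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.40.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.40.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.40.0.0 0.0.0.255 any
!
! Everything not directly connected goes to the ASA inside address
ip route 0.0.0.0 0.0.0.0 10.99.0.1
!
!===== ASA 5505 (assumed addresses, 8.3+ NAT syntax) =====
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.99.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Return routes for the switch-hosted subnets via the switch transit SVI
route inside 10.10.0.0 255.255.255.0 10.99.0.2 1
route inside 10.20.0.0 255.255.255.0 10.99.0.2 1
route inside 10.30.0.0 255.255.255.0 10.99.0.2 1
route inside 10.40.0.0 255.255.255.0 10.99.0.2 1
!
! PAT every internal subnet behind the outside interface address
object network INSIDE-NETS
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
```

Two points worth checking after applying something like this: `show ip access-lists DMZ-IN` on the switch should show hit counts climbing on the `deny` lines when a DMZ host tries to reach the LAN, and `show xlate` on the ASA confirms the PAT translations. Because the switch ACLs are stateless, UDP services on the DMZ that LAN hosts want to use need an explicit `permit udp ... established`-style equivalent (IOS has none for UDP), so each such service gets its own permit line from the DMZ back to the LAN subnet.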
