Trying to figure out if I need an ASA 5510 or 2801 router

I am restructuring our network here after receiving a T1 line a couple of weeks ago.  The ISP gave me 1 interconnect IP along with a few public IPs.  They gave us a gateway which they call a router.  My plan is to set up a DMZ with a few servers utilizing some of the public IPs.  I am hoping to keep our inside LAN using 192.168.2.0/24.  I am assuming that I will have to set up static routes.

Now I was looking into getting a Cisco ASA 5510 Firewall or the Cisco 2801 Router to connect to the ISP gateway, which is essentially an RJ-45.  From one of these 2 devices they will be connected to either a Dell PowerConnect Gigabit Layer 2 switch or a Dell PowerConnect Layer 3 switch.

Would this work well?  To get the ASA 5510, set up the static routes, get the Layer 3 switch and point all internal users to use the Layer 3 switch as the default gateway?  I plan to also let the DMZ communicate with the internal LAN as well.

If someone has a better setup, that would be greatly appreciated.  Thanks!

Joso
Asked by: josog

1 Solution
decoleurCommented:
You would be better served to use the firewall on your perimeter to control access to traffic. You will not have to worry about routing in the scenario that you presented because you only have a single default route out.

hope this helps,

-t
 
kdearingCommented:
If your ISP is handing off Ethernet, then a router is not necessary.
A 5510 can handle your basic routing needs.
 
josogAuthor Commented:
thanks for the replies.

I have noticed in Microsoft's documentation on the implementation of Exchange, OCS 2007, web servers, etc. in the DMZ showing the DMZ within 2 firewalls.  Should I be purchasing two 5510's?
Maybe a 5510 and a 2801?

I am planning on putting the Exchange 2007 role, OCS 2007 Edge role and 2 web servers in the DMZ.

So I will be alright with the IPs the ISP gave me and the 5510?  Even if the interconnect IP's subnet is different than the public IPs' subnet?

What would work better:

WAN --  DMZ  -- 5510 --  LAN
or
WAN -- 5510 -- DMZ -- 5510 --  LAN
or
WAN -- 5510 -- DMZ -- 2801 -- LAN

Thanks for your help!
 
decoleurCommented:
The ASA 5510 has 4 interfaces that you can use for different security classifications so you could easily support WAN, DMZ, and LAN on one appliance, even have a second DMZ if you like.

The differences in IP addresses do not matter as long as the ISP has set up a route for the public IPs to their handoff to you.

-t
 
josogAuthor Commented:
Thanks for the info.  The only thing I am confused on is all Microsoft diagrams showing 2 firewalls around the perimeter instead of one as the recommended solution.  I just want to make sure I follow the best practice for Exchange server and web server deployment.

Also, should I be buying the Layer 3 Dell switches or the Layer 2 switches connecting to the 5510 for the internal LAN?

Thanks again

Joso
 
decoleurCommented:
So effectively, by using the third interface, in a sense you have a second firewall. You are restricting traffic between the outside and the other interfaces as one firewall, and you are restricting traffic between the DMZ and the other interfaces. The downside to this from a security perspective is that you are using a single platform for your firewalling, so if it gets compromised the cat is out of the bag. You only need a single Layer 3 switch per location; all the other switches that are connected are Layer 2 and do routing at the Layer 3 switch.

hope this helps,

-t
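As an added illustration of the single-appliance, three-interface design described above (example configuration written for this page, not from the thread or from Cisco), the following pre-8.3 ASA 5510 fragment uses assumed addresses: 198.51.100.2/30 on the outside toward the ISP handoff, the ISP-routed public block 203.0.113.8/29 placed directly on the DMZ interface, and 192.168.2.0/24 inside. The access list on the dmz interface is what makes the third interface behave as the "second firewall": DMZ hosts reach only the one explicitly permitted internal host and port, and every other attempt toward the LAN is dropped and logged.

```cisco
! Added example (not from the thread): three security zones on one ASA 5510,
! pre-8.3 NAT syntax. All addresses are assumed documentation ranges.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 203.0.113.9 255.255.255.248
!
! Single default route toward the ISP handoff.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Inside hosts share the outside interface address on the Internet.
! The DMZ block is routed to us by the ISP, so it needs no translation.
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
!
! From the Internet: only the published services on the DMZ hosts
! (assumed: web server at .10 on 443, mail edge at .11 on 25).
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 203.0.113.11 eq 25
access-group outside_in in interface outside
!
! From the DMZ: one permitted path to the internal mail server (assumed
! 192.168.2.20), everything else toward the LAN denied and logged, and
! outbound Internet access kept (the applied ACL ends in an implicit deny).
access-list dmz_in extended permit tcp host 203.0.113.11 host 192.168.2.20 eq 25
access-list dmz_in extended deny ip any 192.168.2.0 255.255.255.0 log
access-list dmz_in extended permit ip 203.0.113.8 255.255.255.248 any
access-group dmz_in in interface dmz
```

The logged denies on dmz_in are the line worth watching: a DMZ host that starts probing 192.168.2.0/24 shows up there before it reaches anything.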
 
josogAuthor Commented:
If I were to get two 48 port switches at one location/office, I just need one Layer 3 and one Layer 2 switch? And the Layer 3 will take care of everything? Or should I get both Layer 3 for the office?

I was originally going to get two Dell PowerConnect 6248 Layer 3 switches, but I have been hearing people say they are no good and to go for Cisco's.  What would you recommend, and if it's Cisco, what 48-port model?

Thanks a million
 
kdearingCommented:
Layer 2 or 3 switches?
If you are going to set up multiple VLANs (subnets) and need the switch to route traffic between the VLANs then you'll need one Layer3 switch. Note that, if set up correctly, your ASA can route traffic between VLANs too. Without knowing more about your network, it's difficult to recommend an exact solution.

10/100 or gigabit switches?
There are only two types of devices that really should have a gig connection: network backbone and servers. Gig connections for users are completely unnecessary; 99% of users will not even come close to fully utilizing a 100Mbps connection.

Dell or Cisco?
If you've got the budget for it, go with Cisco. It's the most expensive, with good reason. If money is a little tight, then Dell is not a bad choice. You may also want to look at HP's ProCurve switches.
 
decoleurCommented:
Yep, just need one Layer 3 aware device per location to route between VLANs. For Cisco switches you can use models from the 2960 line or the 3560 line depending on what kind of performance you are looking for. My guess is that you could make do with a 2960; the exact model that you need can be found from the model comparison guide at http://www.cisco.com/en/US/products/ps6406/prod_models_comparison.html. There is no real Layer 3 version of the 2960, just a Layer 2 plus called the LAN Base, which will be fine for what you need.

For 10/100 models I would recommend a pair of 2960-48TT-L, or 2960-48TC-L if you need to connect them with fiber uplinks. If you want 10/100/1000 on the interface, go with the 2960G-48TC-L.

hope this helps,

-t
 
josogAuthor Commented:
I definitely want the option to route traffic between VLANs.  My boss, for some reason, wants to go gigabit.  So I have decided on the ASA 5510 along with one HP 2848 and one HP 2810-48G switch.

Would this work, to manage both switches through the 2848?  Then all internal users' gateway will point to the switches as their gateway?
Could I use
Thanks

Joso
 
decoleurCommented:
It will work. You create the VLAN interfaces with IPs on the Layer 3 switch and trunk the two switches together. Make sure that the switches are sharing VLANs and then set the native VLAN for the switchports to match the VLAN you want those devices on, and all is well. The only thing you might want to add is a DHCP helper address to point to your DHCP server, if it is not being managed by the switch, for every VLAN that is using DHCP.
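The Layer 3 switch setup just described, as an added Cisco IOS example for the 3560G the asker mentions (written for this page, not taken from the thread or from HP/Cisco documentation): SVIs with addresses on the routing switch, a dot1q trunk to the second switch, access ports for users, and a DHCP helper address. Only 192.168.2.0/24 comes from the thread; the SVI address 192.168.2.254, the server VLAN 192.168.3.0/24, the DHCP server at 192.168.3.10 and the ASA inside address 192.168.2.1 are assumptions.

```cisco
! Added example (not from the thread): Layer 3 switch as the internal gateway,
! trunked to a second Layer 2 switch. Addresses other than 192.168.2.0/24
! are assumed; the ASA inside interface is assumed to be 192.168.2.1.
ip routing
!
vlan 2
 name users
vlan 3
 name servers
!
! Users point their default gateway at this SVI, not at the ASA.
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip helper-address 192.168.3.10
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
!
! Everything not local goes to the firewall. The ASA in turn needs
! a return route: route inside 192.168.3.0 255.255.255.0 192.168.2.254
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
! Trunk to the second switch (3560 syntax; a 2960 omits the encapsulation
! line and only carries the VLANs listed here).
interface GigabitEthernet0/48
 description trunk to second switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3
!
! User ports: untagged in VLAN 2, no DTP negotiation, edge ports.
interface range GigabitEthernet0/1 - 40
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 spanning-tree portfast
```

Restricting the trunk to VLANs 2 and 3 and disabling negotiation on user ports keeps a plugged-in device from negotiating itself onto the trunk and reaching a VLAN it was never assigned.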
 
josogAuthor Commented:
Thanks decoleur.

I will see what my boss says, depending on our budget.   It will come down to:

one HP 2848 and one HP 2810-48G (trunk them)
or
one cisco 3560G-48TS and one 2960G-48TC-L (trunk them)
Choose one setup along with the ASA 5510.
Did I choose the right combo for the HPs? Or should I look at the 2900 series?
Thanks again.
 
decoleurCommented:
I am not sure about the HP switches, but if cost is an issue you could go with two 2960G-48TC-L and drop the 3560. Still trunking between them, of course.
 
josogAuthor Commented:
If I go with two 2960G-48TC-L, I can still internally use this as the gateway?  With the LAN Base software?
 
decoleurCommented:
Absolutely. You only need a true Layer 3 device when you have more than one path to a remote location, and that doesn't sound like it applies to your network topology.

-t
 
josogAuthor Commented:
Thanks for all your help.  I think I have finally decided on what I want.  The Ciscos are still a little too pricey on the switch side so I have opted for HP.  On the firewall side, I am going with the ASA 5510 and for the switches, the HP ProCurve 2848 and the 2810-48G.

The 2848 has Layer 3 basic routing (for future purposes), and I will stack this with the 2810.  I am assuming this will work as long as I have one Layer 3 aware device.  I currently already have an older 10/100 24-port HP ProCurve Layer 2 switch which I will be putting in the DMZ.  Hopefully, all this will work well.

Thanks

Joso