• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1261

LAN Design with ASA 5540

Preparing to re-architect a LAN with 100 users (150 projected).

Currently have an ASA 5540 in place as the firewall, router, web filter, and IPS.
Only the outside and inside interfaces are configured.  Inside is connected to an HP switch stack that connects all servers and clients.

Requirements for new architecture:

- Create DMZ to house proxy server and other web servers as company grows.
- Segment all conference room drops to have outside only internet access.  No connectivity to servers on LAN.
- Create 2 VLANs.  1 for Servers. 1 for Workstations.  Workstations will be DHCP clients on a different subnet than servers, which will be statically assigned IPs.

I have a Cisco 3560G-48PS unused, will be purchasing 2 more of the same.  Possibly 3.

1. Should the DMZ be created using a separate switch connected to one of the unused interfaces on the ASA?
2. Should the "outside access only" workstations have their own switch connected to an open interface on the ASA, or will VLANing off 10 ports on one of my existing switches be more efficient?
3. For this number of users, would it be recommended to purchase an interior router, or will the ASA be able to handle routing duties sufficiently?

Thank you for any input.

1 Solution
1.  Yes, ideally, you would have a separate physical switch hanging off the DMZ interface for DMZ servers, devices, etc.  However, having a separate VLAN for the DMZ off your internal switches that the Firewall DMZ interface is part of would work also but is less ideal.  Trade-off between security and cost.

2.  Again, ideally, this would be the case, but it may not be the easiest to accomplish if you are looking to have "Internet only" ports physically available anywhere in the network.  Having a separate VLAN extended to every edge switch would be sufficient for security but also ease management (less cabling).  Alternatively, if you don't want to use a Firewall interface for this purpose, you can use a separate "Internet only" VLAN and use access-lists to restrict access from these hosts to only the Internet.  In this case a separate interface on the Firewall would not be used.  Access would be controlled with a VLAN at Layer 2 and an access-list at Layer 3 on the VLAN interface (in the case of using a 3560 as the VLAN router).

3.  If you plan on getting 3560G switches, I would use one (or two if desiring redundancy) as the interior router.  The 3560G at the "core" would do routing between VLANs and aggregate the trunks from the edge/access switches.  The ASA would be the 3560's default gateway.  I try to avoid intra-interface routing on an ASA if at all possible.
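The design from points 2 and 3 (3560G as the inter-VLAN router, an "Internet only" VLAN restricted by an access-list on its SVI, ASA as default gateway) written out as an added example configuration; it is not from the original post. VLAN numbers, subnets, the DHCP server address and the ASA inside address are assumed placeholder values, and it denies all RFC 1918 space rather than only the two current internal subnets so that future VLANs stay unreachable too.

```cisco
! Added example for a 3560G acting as the inter-VLAN router, not from the
! original post. VLAN numbers, subnets, the DHCP server and the ASA inside
! address are assumed placeholder values.
ip routing
!
vlan 10
 name SERVERS
vlan 20
 name WORKSTATIONS
vlan 30
 name INTERNET-ONLY
!
! Internet-only hosts may obtain DHCP and reach any public address; every
! RFC 1918 range is denied so no internal subnet, present or future, is
! reachable from the conference-room drops. Their DHCP scope must hand out
! public DNS resolvers, since internal DNS is blocked as well.
ip access-list extended INTERNET-ONLY-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
! Assumed DHCP server at 10.0.10.5 on the server VLAN
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.10.5
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip helper-address 10.0.10.5
 ip access-group INTERNET-ONLY-IN in
!
! Conference-room drops are access ports in the Internet-only VLAN
interface range GigabitEthernet0/1 - 10
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
!
! Routed uplink to the ASA inside interface (assumed 10.0.1.1). The ASA
! also needs a static route for 10.0.0.0/16 pointing back at 10.0.1.2.
interface GigabitEthernet0/48
 no switchport
 ip address 10.0.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.1.1
```

Verify the restriction with `show ip access-lists INTERNET-ONLY-IN` after a conference-room host has tried to reach a server: the deny counters should increment while the permit ip any any line carries only Internet-bound traffic.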
