Network setup for single ESX host with ASA5505
Posted on 2009-12-28
I have a single server running ESX 4.0. It has a total of 7 network interfaces - 6 gigabit NICs and one network interface for Supermicro's SIMSO+ IPMI, used for the server board's remote management.
I got a whole block of public IPs (/24) from my ISP (the server is located in a small datacenter). There is no firewall (except probably the ISP's firewall, which I do not have access to) and one 24-port switch with about 8 empty ports I can use for my server if I have to (the switch is a Netgear smart switch, I think it was a GS724AT).
I was told that I should not rely on ESX's built-in firewall. I have a Cisco ASA5505 SEC+ firewall on hand that I hope will be suitable for my setup.
The host will consist of 15-18 VMs grouped in 4-5 groups - like Linux, Windows, test etc. Some of the virtual servers may need a separate public IP, some of them can share one IP. I was thinking about separating groups of servers and utilizing separate NICs for each group if possible. Servers in one group should talk to each other, but servers from different groups probably should stay separated.
The problem is that I can't imagine how the network setup should actually look.
1. Let's start with the ASA. I have 8 ports, one set as outside and a second one (is it a good idea at all?) that can be set as DMZ or as a backup outside interface. So my first question is about this second interface - what is the best and recommended use for it? I can also use it as an inside interface - in this case, if I use the ASA as a switch, I will have all my seven NICs connected directly to firewall ports and I will not need a switch.
2. So, I have 6 (or 7) inside ports left. Let's say I will use the ASA as a switch in addition to a firewall. How will I pass these public IPs to the network cards? Should I use NAT and DHCP and have private IPs assigned to the NICs or...? What is your recommendation about this part of the setup?
3. The ASA does not have Gigabit ports, just 100Mbit. All NICs are gigabit NICs. Do I need a gigabit switch in my scenario for any reason? I can have one 8- or 16-port gigabit switch, leaving the ASA with just a few used ports. What will be the setup in this scenario?
4. Is there any reason I should not use the ASA5505? I've heard that the ASA is not too good with routing.
Any help and advice will be greatly appreciated. Once we find the right way to go I will ask additional questions in a separate topic, but first let's find what the right setup is in general. The main goal is to secure the ESX host, and particularly the service console, and to have a flexible option for public IPs.
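As an added example (not from the original post), here is an ASA 5505 configuration fragment in the 8.2-style syntax of that era, laying out the pieces the question raises: an outside VLAN, a management VLAN reserved for the service console and IPMI, separate VLANs for two VM groups, PAT for VMs that share one public IP, and a static NAT for a VM that needs its own. VLAN numbers, interface names and all addresses (documentation ranges) are assumptions; the Security Plus license mentioned in the post is what allows more than the three VLANs of the base license.

```cisco
! Added example, not from the original post: ASA 5505 (8.2-style syntax) layout
! with separate VLANs for the ESX service console, one VM group and a DMZ group.
! All addresses are constructed placeholders; replace with your own.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan1
 nameif mgmt
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan10
 nameif linux
 security-level 60
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 nameif dmz
 security-level 50
 ip address 10.0.20.1 255.255.255.0
! Map switch ports to VLANs (Eth0/0 uplink to the ISP, the others to ESX vmnics).
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport access vlan 10
interface Ethernet0/3
 switchport access vlan 20
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Shared public address for VMs that can share one IP (PAT on the outside interface).
global (outside) 1 interface
nat (linux) 1 10.0.10.0 255.255.255.0
nat (dmz) 1 10.0.20.0 255.255.255.0
! Dedicated public address for a VM that needs its own (static one-to-one NAT).
static (dmz,outside) 203.0.113.10 10.0.20.10 netmask 255.255.255.255
! Only the published service reaches that VM from the Internet; everything else is dropped.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
! Keep the service console / IPMI segment unreachable from the VM segments.
access-list from_dmz extended deny ip any 10.0.0.0 255.255.255.0
access-list from_dmz extended permit ip any any
access-group from_dmz in interface dmz
! Same for the Linux group: no path to the management segment or to the DMZ group.
access-list from_linux extended deny ip any 10.0.0.0 255.255.255.0
access-list from_linux extended deny ip any 10.0.20.0 255.255.255.0
access-list from_linux extended permit ip any any
access-group from_linux in interface linux
! Management access to the firewall itself only from the management segment.
ssh 10.0.0.0 255.255.255.0 mgmt
```

Without the per-interface access lists, the ASA lets higher security-level segments reach lower ones by default, so the explicit denies are what keep the VM groups apart and the service console off-limits.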