MACROLEVEL asked:
Network setup for single ESX host with ASA5505

Hi,

I have a single server running ESX 4.0. It has a total of 7 network interfaces - 6 gigabit NICs and one network interface for Supermicro's SIMSO+ IPMI, used for the server board's remote management.

I got a whole block of public IPs (/24) from my ISP (the server is located in a small datacenter). There is no firewall (except probably the ISP's firewall, which I do not have access to) and one 24-port switch with about 8 empty ports I can use for my server if I have to (the switch is a Netgear smart switch, I think it was a GS724AT).

I was told that I should not rely on ESX's built-in firewall. I have a Cisco ASA5505 SEC+ firewall on hand that I hope will be suitable for my setup.


The host will consist of 15-18 VMs grouped in 4-5 groups - like Linux, Windows, test etc. Some of the virtual servers may need a separate public IP, some of them can share one IP. I was thinking about separating groups of servers and utilizing separate NICs for each group if possible. Servers in one group should talk to each other, but servers from different groups probably should stay separated.



The problem is that I can't imagine how the network setup should actually look.

1. Let's start with the ASA. I have 8 ports, one set as outside and a second one (is it a good idea at all?) that can be set as DMZ or as a backup outside interface. So my first question is about this second interface - what is the best and recommended use for it? I can also use it as an inside interface - in this case, if I use the ASA as a switch, I will have all my seven NICs connected directly to firewall ports and I will not need a switch.


2. So, I have 6 (or 7) inside ports left. Let's say I will use the ASA as a switch in addition to a firewall. How will I pass these public IPs to the network cards? Should I use NAT and DHCP and have private IPs assigned to the NICs, or..? What is your recommendation about this part of the setup?


3. The ASA does not have Gigabit ports, just 100Mbit. All NICs are gigabit NICs. Do I need a gigabit switch in my scenario for any reason? I can have one 8- or 16-port gigabit switch, leaving the ASA with just a few used ports. What will the setup be in this scenario?


4. Is there any reason I should not use the ASA5505? I've heard that the ASA is not too good with routing.



Any help and advice will be greatly appreciated. Once we find the right way to go I will ask additional questions in separate topics, but first let's find what the right setup is in general. The main goal is to secure the ESX host, particularly the service console, and to have a flexible option for public IPs.


Thank you!
SOLUTION by Irwin W. (members-only; text not shown)

SOLUTION (members-only; text not shown)

ryder0707:

1. Let's start with the ASA. I have 8 ports, one set as outside and a second one (is it a good idea at all?) that can be set as DMZ or as a backup outside interface. So my first question is about this second interface - what is the best and recommended use for it? I can also use it as an inside interface - in this case, if I use the ASA as a switch, I will have all my seven NICs connected directly to firewall ports and I will not need a switch.
You don't need all interfaces; 3/6 (a redundant pair) is good enough: one port/pair for internal, one port/pair external, and one port/pair for DMZ (if you need to publish internal servers to the Internet).

2. So, I have 6 (or 7) inside ports left. Let's say I will use the ASA as a switch in addition to a firewall. How will I pass these public IPs to the network cards? Should I use NAT and DHCP and have private IPs assigned to the NICs, or..? What is your recommendation about this part of the setup?
Yes, NAT is the standard method in this case; you could do 1-1 NAT from each public IP address to each VM's internal IP address.


3. The ASA does not have Gigabit ports, just 100Mbit. All NICs are gigabit NICs. Do I need a gigabit switch in my scenario for any reason? I can have one 8- or 16-port gigabit switch, leaving the ASA with just a few used ports. What will the setup be in this scenario?
No, it's not really needed. You could set up the following: ASA to an internal core switch, with your ESX connected to this core switch instead of directly to the ASA. If your core switch has GigE ports, you should utilize them for connecting to the ESX hosts.


4. Is there any reason I should not use the ASA5505? I've heard that the ASA is not too good with routing.
It's not to say the ASA is not good; best practice is to offload routing to a dedicated layer 3 device and let the ASA do only packet filtering.
Normally there is another layer 3 device in front of the ASA to do layer 3 routing, without any rules whatsoever, connecting to the ISP's media converter.

MACROLEVEL (asker):

Thank you for the quick response, nappy_d & ryder0707 :-)

So, I assume based on your comments that a HW firewall (ASA5505 in my case) is mandatory in order to protect the ESX box.

Now, let's go into details.

5. I think I can't have both a second outside interface and a DMZ at the same time. If so, which option is better? I mean, should I really use a DMZ, or can I go with some other setup for servers like Exchange?

6. Is it a good idea to use a dedicated interface (and physical port) on the ASA for management only, or will it share the outside interface with the WAN? I will access the firewall (and ESX host) from a remote location most of the time, so everything that will provide better security and redundancy will be better.

7. My ASA's SEC+ license gives me 8 trunk ports, 20 VLANs and DMZ in addition to Dual ISPs. I will drop the Dual ISP functionality and will set up a DMZ instead, but can I somehow utilize these max. 20 VLANs I have to divide the public IPs and assign a range of them to each VLAN? I mean, can I create, say, 4 VLANs (Windows, Linux, Production and Test) and set the Windows VLAN to forward all requests to 19x.x44.123.10...19, linked to dedicated physical interface(s) on the ASA connected to the server's NIC(s), which will be an uplink for a vSwitch created for all Windows VMs? A second VLAN on the ASA, Linux, would similarly use the range 19x.x44.123.21...30, a separate NIC and its own vSwitch dedicated just to Linux virtual machines, and so on.

8. If I have a DMZ interface set on the ASA, it can be connected to one NIC on the server box, and this NIC can be assigned to just one vSwitch. In this case, if I have 3 different groups of servers (like Microsoft, Linux and, say, Test), each connected to its own vSwitch, how will they share this physical NIC? I mean, I may have servers in each group that need to be in the DMZ. If I use two switch ports on the ASA for DMZ, I will have two NICs on the server box dedicated to DMZ that I can link to one or two vSwitches. It is difficult for me to imagine the whole picture at this moment (and I am obviously not a VMware or Cisco engineer), but it seems that this should be done on the vSwitch level somehow. Am I wrong? What is the right way?

9. As per Cisco: "Logical VLAN interfaces: In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services." What mode will I use for my setup, and why?

Sorry for all these additional questions, but I do not have experience with ASA/ESX and advanced network setups. I have to put this server along with the firewall in the data center by the end of this week if possible. I will continue the setup remotely, but I should have all cables connected to the right interfaces and everything accessible remotely. Sounds complicated? For me, surely. But I will try to do it with your help.

Thank you.

MACROLEVEL (asker), replying to ryder0707:

"1. Let's start with the ASA. I have 8 ports, one set as outside and a second one (is it a good idea at all?) that can be set as DMZ or as a backup outside interface. So my first question is about this second interface - what is the best and recommended use for it? I can also use it as an inside interface - in this case, if I use the ASA as a switch, I will have all my seven NICs connected directly to firewall ports and I will not need a switch.
You don't need all interfaces; 3/6 (a redundant pair) is good enough: one port/pair for internal, one port/pair external, and one port/pair for DMZ (if you need to publish internal servers to the Internet)."

-> All right, let's say port 0/0 is Outside (WAN); 0/1 - dedicated management; 0/2 - IPMI interface; 0/3, 0/4 & 0/5 - inside interfaces connected to separate NICs; 0/6 and 0/7 - DMZs with their own NICs. This way one of the server's NICs will not be connected to the firewall.


"2. So, I have 6 (or 7) inside ports left. Let's say I will use the ASA as a switch in addition to a firewall. How will I pass these public IPs to the network cards? Should I use NAT and DHCP and have private IPs assigned to the NICs, or..? What is your recommendation about this part of the setup?
Yes, NAT is the standard method in this case; you could do 1-1 NAT from each public IP address to each VM's internal IP address."

-> Let's say I have 19x.x44.123.10....19 that I'd like to push via 0/3. If NAT is used, on the ASA's LAN side I will have private IPs like 192.168.1.x, right? So how will the vSwitch/VMs get the public IP passed to them? Btw, do I need a DHCP server on the ASA in this case?


"3. The ASA does not have Gigabit ports, just 100Mbit. All NICs are gigabit NICs. Do I need a gigabit switch in my scenario for any reason? I can have one 8- or 16-port gigabit switch, leaving the ASA with just a few used ports. What will the setup be in this scenario?
No, it's not really needed. You could set up the following: ASA to an internal core switch, with your ESX connected to this core switch instead of directly to the ASA. If your core switch has GigE ports, you should utilize them for connecting to the ESX hosts."

-> What is the reason to use an additional gigabit switch if there is no shared storage and no other hosts? From my understanding, on a single ESX host all traffic between VMs will be at the vSwitch level. The only traffic that will travel via the server's Gigabit NICs will be from and to the Internet, which is limited by the ISP anyway. If this is correct, the only reason for a separate switch I see is that I am actually one port short, which is the motherboard's IPMI interface or ESX's second management console interface.


"4. Is there any reason I should not use the ASA5505? I've heard that the ASA is not too good with routing.
It's not to say the ASA is not good; best practice is to offload routing to a dedicated layer 3 device and let the ASA do only packet filtering.
Normally there is another layer 3 device in front of the ASA to do layer 3 routing, without any rules whatsoever, connecting to the ISP's media converter."

-> So, should I put a router (or did you mean a layer 3 switch?) between the ISP's switch and the ASA firewall? I do not expect too much traffic/connections from outside.

Thank you.
SOLUTION (members-only; text not shown)

SOLUTION (members-only; text not shown)

MACROLEVEL (asker), replying to nappy_d:

6. Is it a good idea to use a dedicated interface (and physical port) on the ASA for management only, or will it share the outside interface with the WAN? I will access the firewall (and ESX host) from a remote location most of the time, so everything that will provide better security and redundancy will be better.

    * NEVER EVER make your firewall's management interface accessible publicly from the Internet. Always use a VPN connection if you need to manage it remotely. I would suggest that you use the LAN interface to manage your ASA.

-> How will I manage the ASA remotely then?


7. My ASA's SEC+ license gives me 8 trunk ports, 20 VLANs and DMZ in addition to Dual ISPs. I will drop the Dual ISP functionality and will set up a DMZ instead, but can I somehow utilize these max. 20 VLANs I have to divide the public IPs and assign a range of them to each VLAN? I mean, can I create, say, 4 VLANs (Windows, Linux, Production and Test) and set the Windows VLAN to forward all requests to 19x.x44.123.10...19, linked to dedicated physical interface(s) on the ASA connected to the server's NIC(s), which will be an uplink for a vSwitch created for all Windows VMs? A second VLAN on the ASA, Linux, would similarly use the range 19x.x44.123.21...30, a separate NIC and its own vSwitch dedicated just to Linux virtual machines, and so on.

    * YES! Based on my diagram from above, you can create several vSwitches, each connected to a port-based VLAN, or you could configure VGT. But port-based VLANs are easier and faster to implement.


-> Still not clear. I will create vSwitches on the ASA box. I will have several VLANs on the ASA as well - DMZ and some for different groups of servers, right? Can you please give me more details about this part of the setup?

That is fine, to assign an interface for management. Just do not make it accessible from the Internet without a VPN connection.

Here is what I have collected so far as the recommended solution:


Internet--ASA--pSwitch--Server--ESX


1. The ASA will use a static IP on the outside interface and will pass a range of public IPs to the inside/DMZ interfaces.

2. I will put an 8-port Netgear GS716T managed switch between the ASA and the server box for VMs that are not in the DMZ. Do I need a second switch for the DMZ? Or maybe I should use my Dell PowerConnect 2716 managed switch instead? Do I have to pay attention to VLAN tagging and any other functionality that can be useful for my setup? I can actually create VLANs on the switch as well, and probably that's the right way to do it, am I correct? If I utilize VLANs on the switch, how will I then assign public IPs to the virtual servers?

3. Here is the ASA's port assignment plan; please correct me if I am wrong or if you recommend a better setup:

ASA port 0/0 - outside (WAN) [Public IP]
ASA port 0/1 - ASA management only [Public IP]
ASA port 0/2 - IPMI server hardware management module  [Connected to IPMI NIC on server box]
ASA port 0/3 - inside [Connected to Gigabit switch]
ASA port 0/4 - inside [Connected to NIC 0/3 on server box]
ASA port 0/5 -
ASA port 0/6 - ASA DMZ [Connected to NIC 0/4 on server box]
ASA port 0/7 - ASA DMZ [Connected to NIC 0/5 on server box]

If you recommend VLANs on the switch, then I will probably have most of the ASA's ports connected to ports on the switch assigned to different VLANs. I am still thinking about having one management interface for ESX connected directly to the ASA, not through the switch, so that if the switch is down I will still have access to the management console.


4. IPMI interface: Should I put ASA port 0/2 (the IPMI interface that is used strictly for physical server management) in the DMZ VLAN, or is it better to have it in a dedicated VLAN on the ASA with its own public IP and a proper rule set? Not sure what is recommended, and I can't find anything in the manual (http://www.supermicro.com/manuals/other/AOC-SIMSO.pdf).

I found another piece of information: "IPMI uses the same UDP port number (623 in decimal) with ASF (Alert Standard Forum) protocol. If the managed system is protected by a firewall, UDP port 623 must be opened."

I am going to wait for answers before splitting the general setup theme into some smaller questions. Thanks!
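An added example, not written by any of the thread's participants, of what the advice above (1-1 NAT from the public block, inside/DMZ separation through VLAN interfaces and the ASA's default security-level policy, management reachable only from the LAN or over VPN) looks like as an ASA 5505 configuration in the 8.2-era syntax of the ESX 4.0 timeframe. All addresses, VLAN numbers and port assignments are placeholders, not the asker's.

```cisco
! Added example, not from the thread: ASA 5505 in routed mode, 8.2-era syntax.
! Addresses are placeholders: 203.0.113.0/24 stands in for the asker's public /24,
! RFC 1918 ranges for inside, DMZ and IPMI; VLAN and port numbers are assumed.
! Ports: 0/0 to the ISP, 0/1 trunk to the managed switch, 0/2 to the IPMI NIC
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,10
interface Ethernet0/2
 switchport access vlan 30
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan10
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface Vlan30
 nameif ipmi
 security-level 90
 ip address 192.168.30.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! 1:1 static NAT for VMs that need their own public address (inside or DMZ)
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.21 192.168.10.21 netmask 255.255.255.255
! VMs that can share one public address: PAT behind the outside interface
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Inbound from the Internet is denied unless listed; open only published services
access-list outside_in extended permit tcp any host 203.0.113.21 eq https
access-group outside_in in interface outside
! Keep DMZ VMs away from the inside network even if permits are added later
access-list dmz_out extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_out extended permit ip any any
access-group dmz_out in interface dmz
!
! ASA and IPMI (UDP 623) management only from the inside network or over VPN:
! no ssh/http on the outside interface and no static NAT for the IPMI address
ssh 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside
```

With these security levels the ASA's default policy already lets inside (100) reach the DMZ (50) and the IPMI segment (90) but not the reverse, and nothing reaches the IPMI address from the Internet because it has no static translation and no outside permit.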
ASKER CERTIFIED SOLUTION (members-only; text not shown)

MACROLEVEL (asker), replying to nappy_d:

Based on your last answer, there will be no other cable connection between the ASA and the server box except the IPMI connection. All the ASA's inside/DMZ interfaces will go through the physical switch to the server via separate VLANs on it, right? I was thinking about having two ESX console interfaces connected via two separate NICs. We have two unused ports on the ASA, so we can probably use one of them connected directly to the server's NIC as a backup management console interface, and I assume the main management console will be running via a (probably) separate VLAN on the switch, is that right?

I believe both switches support port-based VLANs. The only thing that bothers me is that one additional device is a potential point of failure, in addition to the network design complexity; that's why I was thinking of using the ASA without a switch. So if you think I can still go without a switch for my setup (and I can always add a switch later in case I use shared storage or add additional hosts), please let me know.

Thanks.

I would still tell you to use a switch. (Lucky me) I've yet to have a switch fail on me.

You only need ONE ESX service console, and what you do for redundancy is add multiple NICs to the service console for failover.

I think you may be over-thinking your setup.

nappy_d: you're probably absolutely right about over-thinking my setup. I am going with the solution/setup you recommend. I'll ask additional questions in separate topics once I do the initial setup and have all devices connected.

Thank you both for your help!