Cisco ASA 5510 Initial Visio Design


I'm trying to start a very high level design for our network upgrade for our main office. I figure I'd start with a Visio and by figuring out the Cisco ASA and wiring. It is attached to the post. This upgrade will come with many questions, but I'll break it up into smaller pieces first. Right now I'd like just to focus on the ASA and its connections to the routers and DMZ.

Here is what we have coming into our network and what it is used for:

Fiserv T1: Used to access a specific network for one application.

Broadview MPLS Bonded T1: Used for remote offices to connect to us for their apps and e-mail, used for incoming/outgoing e-mail, used for Citrix Access Gateway when people work from home at night, and used by our First Data VPN router for ATM transactions.

Verizon FIOS: Used for Internet via our MS ISA Server, used as a VPN to run backups, used as a backup VPN when/if the Fiserv T1 goes down.

To start off with how about we discuss the Cisco ASA. I'm thinking of using HA in Active/Active Mode.

Can the ASA 5510 have more than one device in the DMZ? If so, does that mean I attach a switch to ASA DMZ port or how does that work?

Do all the items listed in the DMZ belong there? If not, where do they belong? From experience I know the ISA and Eagle belong there. I feel the other two VPN routers might possibly work better if connected to the Cisco 2811 Router - FrontLine.

When using ASA with HA then each device in the DMZ needs a connection to both ASAs via dual nics and dual cat5e?

Does the Cisco 2811 Router - Fiserv T1 have to connect to the Cisco 2811 Router - FrontLine or can the Fiserv T1 router directly connect to both ASAs? The Fiserv T1 is only used to access 1 specific app in a specific IP range.

I'd like to say thanks for your insight on my initial posting. The Visio Stencils from Dell / Cisco are great.
First Last asked:

Justin Ellenbecker, IT Director, commented:
Q: Can the ASA 5510 have more than one device in the DMZ?
A: You can have as many devices as you want in the DMZ. The DMZ is a security zone that you specify and control through separate ACLs from your internal network.

Q: If so, does that mean I attach a switch to ASA DMZ port or how does that work?
A:  Yes you can attach a switch to the port and have all of your DMZ machines plugged into the switch.

Q: Do all the items listed in the DMZ belong there?
A: Looks fine, anything that the public connects to is generally placed in a DMZ. If the other two devices are only creating the VPN tunnel and passing data and doing any other type of traffic on the internet then I would leave them in the DMZ and leave the other side as only for the internet. You may even want to consider moving the T1 for Fiserv into the DMZ if possible so that you can control access from your network and have it on a separate interface from the internet.

Q: When using ASA with HA then each device in the DMZ needs a connection to both ASAs via dual nics and dual cat5e?
A: This depends on your HA setup. Generally you will not need this; even in an Active/Active situation you can give the ASAs each a primary and secondary IP. Then you can use EtherChannel or other means to connect them to the DMZ switch and let the switch handle what goes where. I personally would run them in Active/Standby unless you have a lot of traffic going through them; if this is the case you may want to look at load balancing as well.

Q: Does the Cisco 2811 Router - Fiserv T1 have to connect to the Cisco 2811 Router - FrontLine or can the Fiserv T1 router directly connect to both ASAs?  
A: This is going to depend on the HA setup and also the limitation of the device. You could bridge the Fiserv into the FrontLine or send it directly to the ASAs.

Other Suggestions

I would personally put a small switch between the FrontLine, the Fiserv and the ASAs. We run this at our office to keep some of our clients out of our network and still have them filtered through the ASAs. Also I mentioned possibly moving it to the DMZ if it is only used for the one purpose and routing the traffic to keep it away from the internet traffic. You can also create a second DMZ on the ASA to keep the email and Citrix access separate from the VPN traffic side if you want. Keep in mind when you set up the security numbers on the ASAs the way traffic flows: from high security to lower does not need ACLs, but the other direction will.

First Last (Author) commented:

Your comments are very insightful. I've made some changes to the Visio and it is posted below. I've spent time reading about A/A or A/S. At my work we have no need for A/A and I'll be using A/S for the dual ASA configurations.

What I'm gathering from you is that I should really break this into 4 connections going to/from the ASA and make use of the ASA ports. I'd apply ACLs specifically to each port.

1) Use one port on each ASA for the private company network with the end user PCs and IT servers. These devices should be separated by VLANs. In a perfect world with a decent budget I'd separate the private company network StackWise switch group from the ASAs with a router; if I had a smaller budget, another switch; or with no budget, directly into the 6 Cisco StackWise stack?

I'm thinking because I have a stack of 3750 switches I can utilize the switch to handle the routing and VLANS thus bypassing the need for a router between the StackWise switches and the ASAs.

2) Use the FrontLine Router for anything relating to the MPLS to the branches and connect it directly to both ASAs.

3) Use a separate port on each of the ASAs for Internet traffic connected directly to Verizon FIOS.

4) For the DMZ use a separate port on each ASA and connect directly to one switch using EtherChannel. Each server in the DMZ will connect directly to this switch only.

This means I'll be utilizing all 4 ports on each of the ASAs.

The Fiserv T1 is a leased router. I moved it from the FrontLine router to the DMZ as suggested. The people who manage it do so directly through the VPN setup on it. Connecting the LAN port on the Fiserv T1 router to the DMZ and the WAN Port directly to the cloud as shown should be sufficient? I have no more ports on the ASA to plug it in there.

I see what you are saying about having a second DMZ because I have data from all three connections (MPLS, Internet, and Fiserv) going to one DMZ, but I'm out of ports. What do people usually do in this situation?

Thank you so much!
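The four-interface Active/Standby layout described in this post, together with the security-level rule from the earlier answer (higher to lower security level flows without an ACL, lower to higher needs one), can be sketched as an ASA 8.x configuration. This is an added example, not configuration from the thread or from either poster; the hostname, interface roles, IP ranges, ACL names and the choice of Management0/0 as the failover link are all assumptions made up for illustration.

```cisco
! Added example (not from the thread). All addresses and names are constructed.
hostname ASA-PRIMARY
!
! Security levels: inside 100, MPLS/branches 50, DMZ 20, Internet 0.
! Each interface carries a standby address so the Active/Standby peer
! takes the same addressing over on failover.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Ethernet0/2
 nameif mpls
 security-level 50
 ip address 10.1.0.1 255.255.255.0 standby 10.1.0.2
!
interface Ethernet0/3
 nameif dmz
 security-level 20
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
!
! inside (100) -> dmz (20) and inside -> outside (0) pass without an ACL.
! dmz (20) -> inside (100) is the "other direction": it is denied until an
! ACL allows it. Constructed policy: DMZ hosts may relay mail to one internal
! server on SMTP, reach nothing else inside, and reach the Internet freely.
! Order matters: the deny for the inside range precedes the final permit.
access-list dmz_in extended permit tcp 172.16.0.0 255.255.255.0 host 10.0.0.25 eq smtp
access-list dmz_in extended deny ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list dmz_in extended permit ip 172.16.0.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! mpls (50) -> inside (100) also needs an ACL; here the branch range
! (constructed) is allowed to the internal server subnet only.
access-list mpls_in extended permit ip 10.2.0.0 255.255.0.0 10.0.0.0 255.255.255.0
access-list mpls_in extended deny ip any any
access-group mpls_in in interface mpls
!
! Active/Standby failover. With all four data ports in use, the failover
! link has to come from somewhere else; using Management0/0 for it is an
! assumption of this example, and the 5510 needs the Security Plus license
! for failover at all. The same link carries stateful replication here.
failover
failover lan unit primary
failover lan interface folink Management0/0
failover link folink Management0/0
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2
```

The secondary unit needs only the `failover` commands with `failover lan unit secondary`; the rest of the configuration is replicated from the primary. When checking a design like this, the question to ask for every pair of interfaces is "which direction crosses from lower to higher security?", because that is exactly the set of flows that stay blocked until an explicit ACL names them.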

Justin Ellenbecker, IT Director, commented:
As far as multiple DMZs, what I recommend is never using the ports on the ASA for more than 1 network, and putting a switch behind it if possible.
Justin Ellenbecker, IT Director, commented:
If you cannot use more than that, I suggest putting the most harmful traffic in its own and grouping what is left, but that will be a personal threat assessment you will have to consider yourself.
First Last (Author) commented:
Thank you for your input.