Cisco ASA 5510 Initial Visio Design

Hi,

I'm trying to start a very high level design for our network upgrade for our main office. I figure I'd start with a Visio and by figuring out the Cisco ASA and wiring. It is attached to the post. This upgrade will come through as many questions, but I'll break it up into smaller pieces first. Right now I'd like to focus just on the ASA and its connections to the routers and DMZ.

Here is what we have coming into our network and what it is used for:

Fiserv T1: Used to access a specific network for one application.

Broadview MPLS Bonded T1: Used for remote offices to connect to us for their apps and e-mail, used for incoming/outgoing e-mail, used for Citrix Access Gateway when people work from home at night, and used by our First Data VPN router for ATM transactions.

Verizon FIOS: Used for Internet via our MS ISA Server, used as a VPN to run backups, used as a backup VPN when/if the Fiserv T1 goes down.

To start off with how about we discuss the Cisco ASA. I'm thinking of using HA in Active/Active Mode.

Can the ASA 5510 have more than one device in the DMZ? If so, does that mean I attach a switch to ASA DMZ port or how does that work?

Do all the items listed in the DMZ belong there? If not, where do they belong? From experience I know the ISA and Eagle belong there. I feel the other two VPN routers might possibly work better if connected to the Cisco 2811 Router - FrontLine.

When using ASA with HA then each device in the DMZ needs a connection to both ASAs via dual nics and dual cat5e?

Does the Cisco 2811 Router - Fiserv T1 have to connect to the Cisco 2811 Router - FrontLine or can the Fiserv T1 router directly connect to both ASAs? The Fiserv T1 is only used to access 1 specific app in a specific IP range.

I'd like to say thanks for your insight on my initial posting. The Visio Stencils from Dell / Cisco are great.
Ewing-HQ-Network-Map---Proposed.jpg
ASKER CERTIFIED SOLUTION
Justin Ellenbecker

ASKER

StrifeJester:

Your comments are very insightful. I've made some changes to the Visio and it is posted below. I've spent time reading about A/A or A/S. At my work we have no need for A/A and I'll be using A/S for the dual ASA configurations.

What I'm gathering from you is that I should really break this into 4 connections going to/from the ASA and make use of the ASA ports. I'd apply ACLs specifically to each port.

1) Use one port on each ASA for the private Company network with the end user PCs and IT Servers. These devices should be separated by VLANs. In a perfect world with a decent budget I'd separate the private company network StackWise switch group from the ASAs with a router; if I had a smaller budget, another switch; or with no budget, directly into the 6 Cisco StackWise Stack?

I'm thinking because I have a stack of 3750 switches I can utilize the switch to handle the routing and VLANS thus bypassing the need for a router between the StackWise switches and the ASAs.

2) Use the FrontLine Router for anything relating to the MPLS to the branches and connect it directly to both ASAs.

3) Use a separate port on each of the ASAs for Internet traffic connected directly to Verizon FIOS.

4) For the DMZ use a separate port on each ASA and connect directly to one switch using EtherChannel. Each server in the DMZ will connect directly to this switch only.

This means I'll be utilizing all 4 ports on each of the ASAs.

The Fiserv T1 is a leased router. I moved it from the FrontLine router to the DMZ as suggested. The people who manage it do so directly through the VPN setup on it. Connecting the LAN port on the Fiserv T1 router to the DMZ and the WAN Port directly to the cloud as shown should be sufficient? I have no more ports on the ASA to plug it in there.

I see what you are saying about having a second DMZ because I have data from all three connections (MPLS, Internet, and Fiserv) going to one DMZ, but I'm out of ports. What do people usually do in this situation?

Thank you so much!

Ewing-HQ-Network-Map---Proposed.jpg
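As an added sketch, not posted by anyone in this thread, of the four-role layout in items 1) to 4) with Active/Standby failover: it assumes ASA 8.x syntax, a license that permits failover and VLAN subinterfaces on this platform, made-up addresses, and the Ethernet0/0 to 0/3 role mapping shown in the descriptions. The DMZ port is an 802.1Q trunk to the DMZ switch, so a second DMZ is carved out as a VLAN subinterface rather than needing a fifth physical port, and each interface gets its own inbound ACL.

```cisco
! Four physical ports, one role each (interface-to-role mapping is assumed)
interface Ethernet0/0
 description Verizon FIOS - Internet
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface Ethernet0/1
 description Private company network; the 3750 stack does inter-VLAN routing
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
interface Ethernet0/2
 description FrontLine 2811 - Broadview MPLS to branches
 nameif mpls
 security-level 50
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
! DMZ port is an 802.1Q trunk to the DMZ switch, one subinterface per DMZ:
! a second DMZ without a fifth physical port
interface Ethernet0/3
 description Trunk to DMZ switch
 no nameif
 no security-level
 no ip address
interface Ethernet0/3.10
 vlan 10
 nameif dmz-internet
 security-level 20
 ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
interface Ethernet0/3.20
 vlan 20
 nameif dmz-partner
 security-level 30
 ip address 172.16.20.1 255.255.255.0 standby 172.16.20.2
! Per-interface ACLs. An inbound ACL replaces the security-level default,
! so state explicitly what each side may reach and log the rest.
access-list outside_in extended permit tcp any host 172.16.10.10 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
! Internet-facing DMZ may reach the Internet only: never inside, MPLS or the other DMZ
access-list dmz-internet_in extended deny ip any 10.0.0.0 255.0.0.0 log
access-list dmz-internet_in extended deny ip any 172.16.0.0 255.240.0.0 log
access-list dmz-internet_in extended permit ip any any
access-group dmz-internet_in in interface dmz-internet
! Active/Standby failover; the failover and stateful links share Management0/0
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover link FAILOVER Management0/0
failover interface ip FAILOVER 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover
```

The standby unit needs the same configuration with `failover lan unit secondary`; the `standby` addresses are what the secondary answers on until it takes over.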
As far as multiple DMZs, what I recommend is never using the ports on the ASA for more than 1 network, and putting a switch behind it if possible.
If you cannot use more, then I suggest putting the most harmful traffic in its own and grouping what is left, but that will be a personal threat assessment you will have to consider yourself.
Thank you for your input.