Solved

Cisco ASA 5510 Initial Visio Design

Posted on 2010-03-25
Last Modified: 2012-05-09
Hi,

I'm trying to start a very high level design for our network upgrade for our main office. I figured I'd start with a Visio and by figuring out the Cisco ASA and wiring. It is attached to the post. This upgrade will come with many questions, but I'll break it up into smaller pieces first. Right now I'd like to just focus on the ASA and its connections to the routers and DMZ.

Here is what we have coming into our network and what it is used for:

Fiserv T1: Used to access a specific network for one application.

Broadview MPLS Bonded T1: Used for remote offices to connect to us for their apps and e-mail, used for incoming/outgoing e-mail, used for Citrix Access Gateway when people work from home at night, and used by our First Data VPN router for ATM transactions.

Verizon FIOS: Used for Internet via our MS ISA Server, used as a VPN to run backups, used as a backup VPN when/if the Fiserv T1 goes down.

To start off with how about we discuss the Cisco ASA. I'm thinking of using HA in Active/Active Mode.

Can the ASA 5510 have more than one device in the DMZ? If so, does that mean I attach a switch to ASA DMZ port or how does that work?

Do all the items listed in the DMZ belong there? If not, where do they belong? From experience I know the ISA and Eagle belong there. I feel the other two VPN routers might possibly work better if connected to the Cisco 2811 Router - FrontLine.

When using ASA with HA then each device in the DMZ needs a connection to both ASAs via dual nics and dual cat5e?

Does the Cisco 2811 Router - Fiserv T1 have to connect to the Cisco 2811 Router - FrontLine or can the Fiserv T1 router directly connect to both ASAs? The Fiserv T1 is only used to access 1 specific app in a specific IP range.

I'd like to say thanks for your insight on my initial posting. The Visio Stencils from Dell / Cisco are great.
Ewing-HQ-Network-Map---Proposed.jpg
Question by: First Last

Accepted Solution

by: Justin Ellenbecker
Q: Can the ASA 5510 have more than one device in the DMZ?
A: You can have as many devices as you want in the DMZ. The DMZ is a security zone that you specify and control through separate ACLs from your internal network.

Q: If so, does that mean I attach a switch to ASA DMZ port or how does that work?
A:  Yes you can attach a switch to the port and have all of your DMZ machines plugged into the switch.

Q:Do all the items listed in the DMZ belong there?
A: Looks fine; anything that the public connects to is generally placed in a DMZ. If the other two devices are only creating the VPN tunnel and passing data and doing any other type of traffic on the internet, then I would leave them in the DMZ and leave the other side as only for the internet. You may even want to consider moving the T1 for Fiserv into the DMZ if possible so that you can control access from your network and have it on a separate interface from the internet.

Q: When using ASA with HA then each device in the DMZ needs a connection to both ASAs via dual nics and dual cat5e?
A: This depends on your HA setup. Generally you will not need this; even in an active/active situation you can give the ASAs each a primary and secondary IP. Then you can use EtherChannel or other means to connect them to the DMZ switch and let the switch handle what goes where. I personally would run them in Active/Standby unless you have a lot of traffic going through them; if this is the case you may want to look at load balancing as well.

Q: Does the Cisco 2811 Router - Fiserv T1 have to connect to the Cisco 2811 Router - FrontLine or can the Fiserv T1 router directly connect to both ASAs?  
A: This is going to depend on the HA setup and also the limitations of the device. You could bridge the Fiserv into the FrontLine or send it directly to the ASAs.

Other Suggestions

I would personally put a small switch between the FrontLine, the Fiserv and the ASAs. We run this at our office to keep some of our clients out of our network and still have them filtered through the ASAs. Also, I mentioned possibly moving it to the DMZ if it is only used for the one purpose, and routing the traffic to keep it away from the internet traffic. You can also create a second DMZ on the ASA to keep the email and Citrix access separate from the VPN traffic side if you want. Keep in mind when you set up the security numbers on the ASAs the way traffic flows: from high security to lower does not need ACLs, but the other direction will.
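The security-level rule from the accepted answer (high to low flows without an ACL, low to high needs one) and the "switch on the DMZ port" layout, as an added configuration example. This is not the poster's configuration or anything from the thread; it uses the pre-8.3 ASA syntax of the release family current when the question was asked. Interface names, the documentation and RFC 1918 addresses, and the mail-relay role of the DMZ host are all assumptions.

```cisco
! Added example, not the poster's config: three-zone ASA 5510, pre-8.3 syntax.
! Addresses, names and the mail-relay role are assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
 no shutdown
!
! A switch hangs off this port, so any number of DMZ hosts share the zone.
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
! inside (100) -> dmz (50) and inside -> outside (0) are high to low: permitted
! with no ACL at all (nat-control is off by default in this release family).
! Internal hosts reach the Internet through PAT on the outside address.
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.255.0
!
! outside (0) -> dmz (50) is low to high: the mail relay needs BOTH a static
! translation and an explicit permit applied inbound on the outside interface.
static (dmz,outside) 203.0.113.4 192.168.50.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.4 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.4 eq https
access-group OUTSIDE_IN in interface outside
!
! dmz (50) -> inside (100) is low to high: denied until permitted. Allow only
! the relay to the internal mail server, block the rest of the inside network,
! and still let DMZ hosts reach the Internet.
! Caveat: once an ACL is applied to an interface it replaces the implicit
! security-level permit for that interface and ends in an implicit deny, so the
! final "permit ... any" line is required or the DMZ loses Internet access.
access-list DMZ_IN extended permit tcp host 192.168.50.10 host 10.10.0.25 eq smtp
access-list DMZ_IN extended deny ip 192.168.50.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list DMZ_IN extended permit ip 192.168.50.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
```

To check the rule rather than trust it, run `packet-tracer input dmz tcp 192.168.50.10 1025 10.10.0.25 25` and then the same command against another inside address: the first should end in ALLOW at the ACCESS-LIST phase, the second in DROP, which is the low-to-high behaviour the answer describes.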
 

Author Comment

by: First Last
StrifeJester:

Your comments are very insightful. I've made some changes to the Visio and it is posted below. I've spent time reading about A/A or A/S. At my work we have no need for A/A and I'll be using A/S for the dual ASA configurations.

What I'm gathering from you is that I should really break this into 4 connections going to/from the ASA and make use of the ASA ports. I'd apply ACLs specifically to each port.

1) Use one port on each ASA for the private company network with the end user PCs and IT servers. These devices should be separated by VLANs. In a perfect world with a decent budget I'd separate the private company network StackWise switch group from the ASAs with a router; if I had a smaller budget, another switch; or with no budget, directly into the 6 Cisco StackWise stack?

I'm thinking because I have a stack of 3750 switches I can utilize the switch to handle the routing and VLANS thus bypassing the need for a router between the StackWise switches and the ASAs.

2) Use the FrontLine Router for anything relating to the MPLS to the branches and connect it directly to both ASAs.

3) Use a separate  port on each of the ASAs for Internet traffic connected directly to Verizon FIOS.

4) For the DMZ use a separate port on each ASA and connect directly to one switch using EtherChannel. Each server in the DMZ will connect directly to this switch only.

This means I'll be utilizing all 4 ports on each of the ASAs.

The Fiserv T1 is a leased router. I moved it from the FrontLine router to the DMZ as suggested. The people who manage it do so directly through the VPN setup on it. Connecting the LAN port on the Fiserv T1 router to the DMZ and the WAN Port directly to the cloud as shown should be sufficient? I have no more ports on the ASA to plug it in there.

I see what you are saying about having a second DMZ because I have data from all three connections (MPLS, Internet, and Fiserv) going to one DMZ, but I'm out of ports. What do people usually do in this situation?

Thank you so much!

Ewing-HQ-Network-Map---Proposed.jpg
 

Expert Comment

by: Justin Ellenbecker
As far as multiple DMZs, what I recommend is never using the ports on the ASA for more than 1 network, and putting a switch behind it if possible.
 

Expert Comment

by: Justin Ellenbecker
If you cannot use more, then I suggest putting the most harmful traffic in its own and grouping what is left, but that will be a personal threat assessment you will have to consider yourself.
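The Active/Standby pair the author settled on, and the "out of ports, what do people do" question the two comments above answer, as one added configuration example. It is not the poster's or the expert's configuration. It assumes: the spare Management0/0 port carries the failover and stateful link, since all four data ports are taken (the factory management settings on that port are cleared first); the unit holds a licence that allows failover and VLAN subinterfaces on the 5510, which `show version` will confirm or deny; 802.1Q subinterfaces on the single DMZ port give the second DMZ, which is the common answer when no fifth port exists; and each ASA has its own trunk to the DMZ switch, with no port bundling on the ASA itself. VLAN numbers, addresses and the 3750 port are assumed.

```cisco
! Added example, not the poster's config. Primary unit of an Active/Standby
! pair (pre-8.3 syntax). The secondary needs only "failover lan unit secondary"
! plus the same failover interface lines before "failover" is enabled on it.
!
! Assumption: Management0/0 is the only free port, so it becomes the failover
! link. Clear its factory management settings first.
interface Management0/0
 no management-only
 no nameif
 no security-level
 no ip address
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Management0/0
failover link FOLINK
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret>
failover
!
! Second DMZ without a fifth port: the physical DMZ port becomes an 802.1Q
! trunk and each DMZ is a subinterface with its own name, security level and
! ACLs. With failover, every interface address also needs a standby address so
! the pair can share one configuration and the standby unit can be monitored.
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/2.50
 vlan 50
 nameif dmz-public
 security-level 50
 ip address 192.168.50.1 255.255.255.0 standby 192.168.50.2
!
interface Ethernet0/2.60
 vlan 60
 nameif dmz-vpn
 security-level 40
 ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
!
! dmz-vpn (40) -> dmz-public (50) is low to high, so the VPN routers cannot
! reach the mail and Citrix hosts unless an ACL applied on dmz-vpn permits it;
! dmz-public -> dmz-vpn is high to low and flows until an ACL on dmz-public
! says otherwise. Pick the levels so the riskier zone is the lower one.
!
! Switch side (Catalyst 3750, IOS), one such trunk port per ASA:
! interface GigabitEthernet1/0/1
!  description ASA-primary Ethernet0/2
!  switchport trunk encapsulation dot1q
!  switchport mode trunk
!  switchport trunk allowed vlan 50,60
!  spanning-tree portfast trunk
```

After both units are up, `show failover` should report the primary as Active and the secondary as Standby Ready with every monitored interface Normal; an interface that stays Waiting or Failed usually means its standby address is missing or the switch trunk does not carry that VLAN to both ASAs.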
 

Author Closing Comment

by: First Last
Thank you for your input.
