I need a little help determining the best location for a new ASA 5505 we purchased a while back.
We have a Microsoft SBS 2003 unit running ISA 2004 firewall. An external audit determined that the ISA firewall is protecting the server from external access; however, we have a DLink router set up to handle internet access, and that connection is not secured by the ISA firewall, basically creating a backdoor to the server.
Here's what we have in place:
Adtran Router (Internet): IP Address - xx.xx.xx.241
SBS2003 External (Mail etc): IP Address - xx.xx.xx.242
DLink Router (External): IP Address - xx.xx.xx.243
SBS2003 Internal (Network): IP Address - 192.168.254.3
DLink Router Internal (Network): IP Address - 192.168.254.2
Procurve Switches (Network): Handles workstation connections
Our Current DHCP Scope assigns the following:
IP Address: 192.168.254.xxx
Default Gateway: 192.168.254.2
DNS Server: 192.168.254.3
We have a 5 port switch directly behind our internet router. This handles the connections for the external access.
I want to use the ASA in the best location, and personally I think replacing the 5 port switch and eliminating the second router may be the best location; I'm just not sure I can set that up using VLANs. If we can't, I think I should just replace the DLink router with the ASA and run from there.
The ISA Firewall is protecting the server from external access, and I think the ASA will handle the other external IP Address without having to interfere with the main server. Is this assumption ridiculous?
Should I place the ASA directly behind the internet router and configure the main server on a DMZ?