ASA Question regarding VLANS and Firewalls.

I have a client that runs a managed office for 90 or so companies. The plan is to run each company on its own VLAN using 3750 switches. The question is the firewall. Can you apply separate firewall policies on an ASA5520 to each VLAN, or will they need to be logically grouped? Also, can you mix NAT'ed traffic and pass-through, because some companies will just require an internet connection whereas others will have their own servers/services that will require provision of a public IP? Any help much appreciated.

-- Knutts

The ASA firewall can connect to the various VLANs on the switches using an ethernet trunk connection.

This single cable connection, usually shown as just one logical interface in the configuration, can have many logical sub-interfaces configured. With this many VLANs present, look into product specifications on the public sections of the Cisco website to evaluate the capabilities of these device models. You may end up considering a different model of the ASA firewall, depending on your needs.

I foresee a concern with having that many sub-interfaces when it comes to security-levels in the configuration. Numeric security levels from 0 to 100 are assigned to these logical interfaces to specify levels of protection from traffic from other interfaces. A configuration feature is available to not explicitly allow traffic between interfaces of the same security level. Without that feature, and with each logical interface numerically assigned a different security level number, traffic would be more easily able to pass from higher security interfaces with higher security level numbers to lower security interfaces with lower security level numbers. This would present concerns between the networks of the client companies.

The Cisco 3750 switch is a layer 3 switch capable of routing and therefore can filter network traffic. Look into methods of filtering network traffic using access-lists on the 3750 as well. Although a firewall is more hardened and secure, a workable method of prohibiting network traffic can be reached when dealing with the inside networks. The firewall is still the best choice between all of the inside networks and the Internet. This solution, by providing network traffic filtering on the 3750, might allow a smaller and less expensive model of ASA firewall for the Internet connection. I suggest this because it seems that whenever security or traffic filtering is a topic, firewalls come up more often while suitable classic access-list solutions are not as often considered.

----- Scott Perry, Indianapolis, IN

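The sub-interface, security-level and mixed NAT arrangement described above, written out as an added configuration sketch that is not from this thread or from Cisco. It assumes ASA 8.3+ object-NAT syntax (the older nat/global/static form differs), and all interface names, VLAN ids and addresses are made up; only two tenant VLANs are shown as the pattern, since the 5520 limits discussed in the thread still apply.

```cisco
! --- ASA 5520, 8.3+ syntax; interfaces, VLAN ids and addresses are made up ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the 3750 stack, one sub-interface per tenant VLAN
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.101
 vlan 101
 nameif tenantA
 security-level 50
 ip address 10.1.101.1 255.255.255.0
!
interface GigabitEthernet0/1.102
 vlan 102
 nameif tenantB
 security-level 50
 ip address 10.1.102.1 255.255.255.0
!
! Both tenants sit at the same security level and the line
!   same-security-traffic permit inter-interface
! is deliberately absent, so tenantA <-> tenantB traffic is dropped by default.
!
! Tenant A only needs Internet access: hide the whole LAN behind the outside address.
object network tenantA-lan
 subnet 10.1.101.0 255.255.255.0
 nat (tenantA,outside) dynamic interface
!
! Tenant B publishes a server on its own public IP: one-to-one static NAT.
object network tenantB-web
 host 10.1.102.10
 nat (tenantB,outside) static 203.0.113.3
!
! Inbound policy: only HTTPS to the published server (ACL uses the real IP on 8.3+).
access-list outside_in extended permit tcp any object tenantB-web eq 443
access-group outside_in in interface outside
!
! --- Matching 3750 trunk port (IOS) ---
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101,102
```

Each tenant gets its own nameif, so per-tenant access-lists can be applied per sub-interface; keeping the tenants at one security level with inter-interface traffic left disabled is what prevents one company's VLAN from reaching another's through the firewall.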

If the public traffic for the various companies is not to be mixed, then you would need 90 outside VLANs and 90 inside VLANs -- and the 5520 definitely cannot handle 180 VLANs.

What you are describing is closer to having 90 different "security contexts". Security contexts are expensive on the ASA 55xx series, and I'm relatively sure that the 5520 cannot handle anywhere even close to 90 of them. My recollection is that the highest end ASA 55xx model cannot handle even close to 90 security contexts. (I don't recall about the firewall module for the 6500 series switches; I believe 90 is too much for it as well.)

I would never trust the connections of 90 companies to a single ASA, or even an ASA in failover. I might trust the health of several companies together on an ASA, but the single-point-of-failure risk is just way too high in putting 90 companies on a single device, in my opinion.

-- Walter Roberson
