recommendations for a firewall for use as an Internet Gateway

Hi, all

Could anyone recommend to me what would make the best choice for an Internet Gateway firewall? The requirements here are as follows:

A. It has to be Cisco (the client doesn't like any other vendors for some reason).
B. We have a total of 750 computers (including servers) behind that firewall. All will, in 1 form or another, require internet access.
C. The local area network has a total of 30 VLANs (with anywhere from 1 to 25 computers connected to each VLAN), each with a 10.x.x.x/24 private IP address range.
D. The firewall's job will be simultaneously (and I don't know for sure if this is possible, but this is the objective) to separate each VLAN to ensure that each cannot talk to the other, and to provide an Internet Gateway, complete with NAT functionality, stateful firewall inspection, and possibly IDS functionality.

I'm leaning towards the ASA 5520, but would the 5510 be capable of filling these roles (we cannot purchase used equipment, as the client doesn't want that)?

Thanks very much!

Mike Rahl

No.

Notice that the VLAN limit on the 5510 is 10 for the base unit, 25 if you use the Security Plus edition. The 5520 supports 100 VLANs.

Is that as in "The VLANs can never talk to each other", or "The VLANs must absolutely be able to talk to each other, but in strictly controlled ways?"

The previous question together with this leads to the question of what throughput you need -- VLAN to VLAN and VLANs to Internet? And what interfaces?

Notice, for example, that the 5510 has no gigabit ports at all, so if gigabit is needed in-house now or in the reasonable future, the 5510 is not an appropriate choice. And if there is gigabit in the offing, check out the throughput figures.

But as you mentioned IDS, also look way down the table to the IPS throughputs: those might not be enough for the situation, especially if each VLAN must be IPS'd instead of just the public interface.

You need redundancy plans. You don't want the ASA to be a single point of failure. With that many users, I wouldn't want the WAN router to be a single point of failure either, which in turn implies you need concrete plans about how to get the ASA to play nicely with whatever WAN redundancy you are thinking of.

Walter Roberson

I am unfortunately somewhat constrained in what I can do here for several reasons:

  1. The client isn't willing to pay, in any way, for redundancy. He has exactly 1 Cisco 3560 switch, acting as both router and switch, per region (he has 4 regions). He is connecting between 6 and 20 CE 500 switches to each Catalyst 3560, and on those CE 500 switches, he has PCs and servers. There is no way to implement redundancy here, as the client does not want to use routers, nor multiple redundant switches at the core layer.
  2. The client is looking for the simplest possible solution. He has little understanding of Cisco equipment (however much he insists on its use), and is only interested in providing basic connectivity. However, at the same time, he specifically wants to completely prevent communication between VLANs, yet he does not want to purchase any form of router. I had suggested we simply deploy the Catalyst 3560s as layer 2 only, but he doesn't like that option; he wants them to provide the routing, and wants to use Access Lists on the switches to prevent the approximately 30 VLANs from talking to each other.

This is a remarkably unreasonable client, however, the contract was signed well before I got involved, so I'm kind of stuck with it, and trying to find something I can do that will fit the scenario. Given the client will require some sort of firewall behind his Internet connection, this is why I was thinking of the ASA 5520.

I appreciate your advice, Walter. If you have any other suggestions with the input I have provided, I would greatly appreciate them.


Mike Rahl
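To make the design Mike describes concrete (a Catalyst 3560 doing the inter-VLAN routing with access lists that keep the VLANs apart, and an ASA in front of the Internet link doing NAT and stateful inspection), here is an added configuration sketch. It is not part of either poster's messages and not a Cisco reference config. Every address, VLAN number, interface and object name in it is assumed: VLANs 10 and 20 stand in for the roughly 30 user VLANs, VLAN 99 is a transit VLAN between the switch and the ASA inside interface, 203.0.113.0/29 is a documentation range standing in for the real public block, and the ASA NAT lines use the object-NAT syntax of ASA 8.3 and later.

```cisco
! ---- Catalyst 3560: routed SVIs with a per-VLAN isolation ACL ----
! Added example, not the poster's configuration. All addresses, VLAN ids
! and names are assumed. The 3560 needs the routing SDM template for
! SVI routing plus hardware ACLs.
sdm prefer routing
ip routing
!
! One ACL per user VLAN, applied inbound on that VLAN's SVI:
!   1. hosts may reach their own gateway (the SVI address; an inbound ACL
!      also governs traffic addressed to the switch itself, so without this
!      line DHCP relay and pinging the gateway would break)
!   2. hosts may NOT reach anything else in 10/8, i.e. any other VLAN
!   3. everything else is Internet-bound and is handed to the ASA
! Any "controlled" cross-VLAN flow (Walter's second reading of the
! requirement) would be an explicit permit inserted before line 2.
ip access-list extended ISOLATE-VLAN10
 remark 1. own gateway
 permit ip 10.0.10.0 0.0.0.255 host 10.0.10.1
 remark 2. no other private VLAN
 deny   ip 10.0.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark 3. Internet via the ASA
 permit ip 10.0.10.0 0.0.0.255 any
 deny   ip any any
!
ip access-list extended ISOLATE-VLAN20
 permit ip 10.0.20.0 0.0.0.255 host 10.0.20.1
 deny   ip 10.0.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.0.20.0 0.0.0.255 any
 deny   ip any any
!
interface Vlan10
 description user VLAN 10 (assumed 10.0.10.0/24)
 ip address 10.0.10.1 255.255.255.0
 ip access-group ISOLATE-VLAN10 in
!
interface Vlan20
 description user VLAN 20 (assumed 10.0.20.0/24)
 ip address 10.0.20.1 255.255.255.0
 ip access-group ISOLATE-VLAN20 in
!
interface Vlan99
 description transit VLAN to the ASA inside interface (assumed)
 ip address 10.0.99.2 255.255.255.0
!
! Everything that is not a local VLAN goes to the ASA.
ip route 0.0.0.0 0.0.0.0 10.0.99.1
!
! ---- ASA 5520: inside/outside, stateful inspection, PAT to outside ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.99.1 255.255.255.0
!
! Return path for every 10/8 VLAN is the switch's transit SVI.
route inside 10.0.0.0 255.0.0.0 10.0.99.2
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Hide all of 10/8 behind the outside interface address. ASA 8.3+ syntax;
! pre-8.3 releases express the same thing as
!   nat (inside) 1 10.0.0.0 255.0.0.0
!   global (outside) 1 interface
object network INSIDE-NETS
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
```

Two points follow from the layout. First, with the 3560 doing the routing, VLAN-to-VLAN packets never reach the ASA at all, so the isolation has to live in the switch ACLs exactly as the client wants; the ASA's VLAN limits that Walter quoted (10/25 on the 5510, 100 on the 5520) only come into play if you trunk the VLANs to the ASA and let it route between them instead. Second, the ASA's default policy already permits inside-to-outside sessions and returns their stateful replies while dropping unsolicited inbound traffic, so the switch ACLs are the only place that cross-VLAN policy is enforced; duplicating the ACL for each of the ~30 VLANs is tedious but keeps each VLAN's rules independently auditable.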

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.