Re: ASA Designing Question

From: Leigh Harrison (ccileigh@gmail.com)
Date: Thu May 11 2006 - 09:27:09 ART


Hey there Nouman,

There is nothing wrong with this design - although I'm sure some would
argue!

To put a DMZ on the ASA but still have the devices connected to the
4507s, you simply create a VLAN on the 4507s but have no layer 3
access on them; that way only the ASA can do the routing for that VLAN
and have all of the security that you need.

Depending on your throughput, you may see some bottleneck
problems; you can always put the access-lists on the 4500s rather than
the ASA and build more layers of security in there.

As for swapping out the ASA for a PIX, I'd stick with the ASA, a much
better box in my opinion.

LH

Nouman Ahmed Khan wrote:
> Dear friends,
>
> I have a question regarding ASA designing. Here is the scenario.
>
> I have two 3845 (redundant) connected to two ASA5520 (redundant) (with
> AIP-SSM). The ASAs are connected to two 4507R (redundant). So it is like
> this:
>
> 3845------ASA5520------4507R------users+servers
>
> 3845------ASA5520------4507R------users+servers
>
> 1) Can I put my servers in a separate DMZ connected to the 4507? I mean it is not
> like PIX where we connect switches connected to servers to one of the
> interfaces of the PIX and assign it a security level. With ASA can we do
> virtualization? Maybe my question looks stupid but I am new to security.
> Can we configure the ASA like the FWSM where any of the 6500 ports can be
> assigned to the firewall module? Please explain.
>
> 2) If the above scenario is applicable and we succeed in configuring the
> servers in a separate DMZ, would not the ASA become a bottleneck? The 200 users
> of the LAN to access servers have to pass the ASA which is connected to the
> 4507R with a GE port? Any comments.
>
> 3) Can anyone suggest a better design? Like replacing the ASA with a PIX. Please
> do not go for 6500, my client can not afford it. I chose the ASA because it can
> provide me firewall as well as IPS services through the AIP-SSM module. Any
> suggestions.
>
> Regards,
>
> Nouman Ahmed Khan
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
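The design Leigh describes above only holds if the 4507s really have no Layer 3 presence on the DMZ VLAN: an SVI with an IP address on that VLAN gives the switch a route around the ASA. The script below is an added example, not code from the thread or from Cisco; it audits a constructed, IOS-style running-config snippet (hostname, VLAN ids, interface names and addresses are all made up) and reports any DMZ VLAN the switch could route itself, plus which trunks carry that VLAN towards the ASA. The `DMZ_VLANS` set and the `SAMPLE_4507_CONFIG` text are assumptions for the demonstration.

```python
import re

# Constructed sample of a 4507 running-config (not from the thread).
# VLAN 30 is meant to be the DMZ segment, Layer 2 only on the switch;
# the 'interface Vlan30' stanza is exactly the mistake this audit catches.
SAMPLE_4507_CONFIG = """\
hostname 4507-A
!
vlan 10
 name USERS
!
vlan 30
 name DMZ-SERVERS
!
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
!
interface Vlan30
 ip address 10.1.30.2 255.255.255.0
!
interface GigabitEthernet1/1
 description Trunk to ASA5520-A
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,30
 switchport mode trunk
!
interface GigabitEthernet2/1
 description DMZ server
 switchport access vlan 30
 switchport mode access
!
"""

# The same config with the DMZ SVI removed, i.e. what the design calls for.
HARDENED_4507_CONFIG = SAMPLE_4507_CONFIG.replace(
    "interface Vlan30\n ip address 10.1.30.2 255.255.255.0\n!\n", "")

# Assumed: the VLAN ids the ASA (and only the ASA) should route for.
DMZ_VLANS = {30}


def parse_interfaces(config):
    """Split an IOS-style config into {interface_name: [sub-command lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return stanzas


def expand_vlan_list(spec):
    """'10,30,40-42' -> {10, 30, 40, 41, 42}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def routed_dmz_vlans(config, dmz_vlans):
    """VLAN ids in dmz_vlans that have an active SVI with an IP address,
    meaning the switch (not the ASA) can route that segment."""
    found = []
    for name, lines in parse_interfaces(config).items():
        m = re.fullmatch(r"[Vv]lan(\d+)", name)
        if not m or int(m.group(1)) not in dmz_vlans:
            continue
        has_ip = any(l.startswith("ip address") for l in lines)
        if has_ip and "shutdown" not in lines:
            found.append(int(m.group(1)))
    return sorted(found)


def trunks_carrying(config, vlan):
    """Trunk interfaces whose allowed-VLAN list includes vlan; a trunk with
    no 'allowed vlan' line (or 'allowed vlan all') carries every VLAN."""
    result = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        allowed = None  # None means 'all VLANs allowed'
        for l in lines:
            m = re.match(r"switchport trunk allowed vlan (add )?(.+)", l)
            if not m:
                continue
            spec = m.group(2).strip()
            if spec == "all":
                allowed = None
            elif spec == "none":
                allowed = set()
            elif m.group(1) and allowed is not None:
                allowed |= expand_vlan_list(spec)
            else:
                allowed = expand_vlan_list(spec)
        if allowed is None or vlan in allowed:
            result.append(name)
    return result


def remediation(vlans):
    """IOS commands that remove the switch's Layer 3 presence on the VLANs."""
    return [f"no interface Vlan{v}" for v in sorted(vlans)]


if __name__ == "__main__":
    for cfg in (SAMPLE_4507_CONFIG, HARDENED_4507_CONFIG):
        bad = routed_dmz_vlans(cfg, DMZ_VLANS)
        for v in sorted(DMZ_VLANS):
            print(f"VLAN {v} reaches the ASA via {trunks_carrying(cfg, v)}")
        if bad:
            print("switch can route DMZ VLAN(s)", bad, "-> apply:", remediation(bad))
        else:
            print("DMZ VLANs are Layer 2 only on this switch")
```

Run against a real `show running-config` saved to a file, the same functions flag the bypass before it is relied on; the ASA side (a dot1q subinterface for VLAN 30 with its own `nameif` and `security-level`) is where the routing and the access-lists then live, as Leigh suggests.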



This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:21 ART