1 Reply Latest reply: Aug 21, 2009 4:36 PM by Paul Stewart - CCIE Security

    ASA Guidelines - VLANS


      Hi Everyone,


      I have been tasked with replacing our firewall with an ASA 5550!

      I am new to Cisco platforms; my firewall experience has been with Watchguard.


      We have multiple interfaces pointing to different MPLS clouds, Internet link, DMZ etc...

      Our internal network runs on a 3750 Stack including a few VLANS.


      -When configuring the Internal interface that leads to this 3750 stack, do I need to configure it as a trunk or any subinterfaces?

      Our Watchguard firewall was not configured that way.

      -Another question, VLAN 1, is this to be avoided as on switches?


      Thanks in advance!

        • 1. Re: ASA Guidelines - VLANS
          Paul Stewart  -  CCIE Security

          VLAN tagging/trunking is necessary if you wish to do intervlan connectivity and filtering with the ASA.  Concerning the use of VLAN1, if you don't do tagging you are using the native or untagged vlan.  This is vlan one if you are looking at it from that perspective.  If you enable the trunk, the physical interface would be the untagged interface and would communicate to the native vlan on the switch.  The recommendation against using VLAN1 has a lot to do with management access.


          The key point with the ASA is to secure the management to the device.  You can go out of band with the "management-only" command, or use any ip interface and ssh and/or https.  The communication is permitted or restricted by IP address.  With the little ASA5505, everything is a concept of VLANs.  With the ASA5550, these are really dot1q subinterfaces.  In other words, you could tag a VLAN1 or not.  It just needs to match the other end of the trunk.  This is very similar to dot1q router on a stick with a router.


          Regarding your questions, do what you need to do to secure the rest of your network. From the perspective of the ASA, you must match the L2 configuration of the directly connected devices.  The real work for the ASA is configuring the transit rules.  As far as management, use secure protocols (not telnet), good passwords, and lock down to ip addresses.  If you are in a highly secure network, take a look at the management-only option.  In all cases, follow an existing security policy if you have one.
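          As an added illustration of the reply above (not configuration from the thread or from Cisco), here is what the dot1q subinterface layout, the matching 3750 trunk port, and the locked-down management access look like on an ASA 5550. VLAN IDs, interface names, IP addresses and the admin subnet are assumptions chosen for the example; the native VLAN is moved off VLAN 1 and the untagged physical interface is left without a nameif so untagged frames are not forwarded.

```cisco
! Constructed example: ASA 5550 inside link to the 3750 stack as an 802.1Q trunk.
! The physical interface stays untagged with no nameif, so only tagged subinterfaces pass traffic.
interface GigabitEthernet0/1
 description Trunk to 3750 stack
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN; the vlan ID must match the tag used on the switch trunk.
interface GigabitEthernet0/1.10
 vlan 10
 nameif users
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 90
 ip address 10.10.20.1 255.255.255.0
!
! Out-of-band management: management-only means this interface never carries transit traffic.
interface Management0/0
 management-only
 nameif mgmt
 security-level 100
 ip address 192.168.250.1 255.255.255.0
!
! Management limited to SSHv2 and HTTPS from one admin subnet (assumed) on the mgmt interface; telnet is not enabled.
ssh 192.168.250.0 255.255.255.0 mgmt
ssh version 2
http server enable
http 192.168.250.0 255.255.255.0 mgmt
aaa authentication ssh console LOCAL
username admin password <strong-password-placeholder> privilege 15
!
! Matching trunk port on the 3750 side (IOS). Native VLAN set to an unused VLAN rather than VLAN 1,
! and only the VLANs the ASA terminates are allowed on the trunk.
interface GigabitEthernet1/0/1
 description Uplink to ASA inside
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
```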