ASA Question

marcusaureliusbrutus Member Posts: 73
Hi. I just wish to get your advice on something. I have an ASA that is connected to a core switch which in turn is directly connected to my local network. My local network consists of multiple VLANs and a VLAN, 100, for my servers comprising DC, ADC, DHCP, DNS, FS, etc. I have been instructed to use the ASA to police traffic going between VLANs. Hence, I am thinking that I should make my ASA's IP the default GW of my workstations. But from that point on I don't know how to go about it. If I put my servers, VLAN 100, on another interface on the ASA, I would have to apply a security ID on it which would end up hindering traffic completely. I mean if I set VLAN 100 to 50 and my internal LAN to 100 that would effectively keep my servers from initiating communication to my internal network. Hence, my domain controllers won't be able to update my workstations. My aim is to allow the workstations to only access servers using allowed ports and in turn allow my DC, antivirus, etc. from my servers to update my workstations.

Thanks in advance.

Comments

  • shednik Member Posts: 2,005
    So if I understand this correctly you have a setup similar to this?

    Internal LAN(Multiple Vlans)
    |Core Switch|----ASA----Internet?
    Server Vlan 100
    | |

    You could, like you said, use another port on the ASA to connect to VLAN 100 and set the security level to 50. This would only apply when you haven't applied ACLs to the interfaces. You should be able to write out an ACL stating that the servers can reach different subnets on the ports needed, sourcing from each server. This will be a tedious process depending on how many servers and how granular you want to get.
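    A sketch of what that looks like in ASA configuration, as an added example and not from either poster; the interface names, addresses, DC hosts and port lists are assumed and would be replaced with the real ones:

```cisco
! Assumed interfaces and addressing (constructed for this example)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif servers
 security-level 50
 ip address 10.100.0.1 255.255.255.0
!
! Object groups keep the ACLs short and easy to audit
object-group network WORKSTATIONS
 network-object 10.10.0.0 255.255.255.0
object-group network DOMAIN_CONTROLLERS
 network-object host 10.100.0.10
 network-object host 10.100.0.11
object-group service AD_CLIENT_TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object range 49152 65535
object-group service AD_CLIENT_UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 389
!
! Workstations -> servers: only the AD/DNS ports listed above; everything else is logged and dropped
access-list INSIDE_IN extended permit tcp object-group WORKSTATIONS object-group DOMAIN_CONTROLLERS object-group AD_CLIENT_TCP
access-list INSIDE_IN extended permit udp object-group WORKSTATIONS object-group DOMAIN_CONTROLLERS object-group AD_CLIENT_UDP
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Servers -> workstations: level 50 -> 100 is denied by default, so the DCs get an
! explicit permit for the sessions they must open themselves (RPC endpoint mapper and SMB)
access-list SERVERS_IN extended permit tcp object-group DOMAIN_CONTROLLERS object-group WORKSTATIONS eq 135
access-list SERVERS_IN extended permit tcp object-group DOMAIN_CONTROLLERS object-group WORKSTATIONS eq 445
access-list SERVERS_IN extended deny ip any any log
access-group SERVERS_IN in interface servers
```

    Replies to sessions the workstations open are passed back by the ASA's stateful inspection, so the servers-side ACL only has to list the connections the servers initiate on their own, and the trailing deny with log shows in the syslog which flows still need an entry.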