recommendations for a firewall for use as an Internet Gateway

Discussion in 'Cisco' started by Mike Rahl, Nov 6, 2006.

  1. Mike Rahl

    Mike Rahl Guest

    Hi, all

    Could anyone recommend to me what would make the best choice for an
    Internet Gateway firewall? The requirements here are as follows:

    A. It has to be Cisco (the client doesn't like any other vendors for
    some reason)
    B. We have a total of 750 computers (including servers) behind that
    firewall. All will, in 1 form or another, require internet access.
    C. The local area network has a total of 30 VLANs (with anywhere from
    1 to 25 computers connected to each VLAN), each with a 10.x.x.x/24
    private IP address range.
    D. The firewall's job will be simultaneously (and I don't know for
    sure if this is possible, but this is the objective) to separate each
    VLAN to ensure that each cannot talk to the other, and to provide an
    Internet Gateway, complete with NAT functionality, stateful firewall
    inspection, and possibly IDS functionality

    I'm leaning towards the ASA 5520, but would the 5510 be capable of
    filling these roles (we cannot purchase used equipment, as the client
    doesn't want that)?

    Thanks very much!
     
    Mike Rahl, Nov 6, 2006
    #1

  2. In article <>,
    Mike Rahl <> wrote:

    >Could anyone recommend to me what would make the best choice for an
    >Internet Gateway firewall?


    >C. The local area network has a total of 30 VLANs


    >D. The firewall's job will be simultaneously (and I don't know for
    >sure if this is possible, but this is the objective) to separate each
    >VLAN to ensure that each cannot talk to the other, and to provide an
    >Internet Gateway, complete with NAT functionality, stateful firewall
    >inspection, and possibly IDS functionality


    >I'm leaning towards the ASA 5520, but would the 5510 be capable of
    >filling these roles


    No.

    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

    Notice that the VLAN limit on the 5510 is 10 for the base unit,
    25 if you use the Security Plus edition. The 5520 supports 100 VLANs.


    > separate each VLAN to ensure that each cannot talk to the other


    Is that as in "The VLANs can never talk to each other", or
    "The VLANs must absolutely be able to talk to each other, but in
    strictly controlled ways?"

    > B. We have a total of 750 computers (including servers) behind that
    > firewall. All will, in 1 form or another, require internet access.


    The previous question together with this leads to the question of
    what throughput you need -- VLAN to VLAN and VLANs to Internet?
    And what interfaces?

    Notice, for example, that the 5510 has no gigabit ports at all, so
    if gigabit is needed in-house now or in the reasonable future, the 5510
    is not an appropriate choice. And if there is gigabit in the offing,
    check out the throughput figures.

    But as you mentioned IDS, also look way down the table to the IPS
    throughputs: those might not be enough for the situation, especially
    if each VLAN must be IPS'd instead of just the public interface.


    > B. We have a total of 750 computers (including servers) behind that
    > firewall. All will, in 1 form or another, require internet access.


    You need redundancy plans. You don't want the ASA to be a single point
    of failure. With that many users, I wouldn't want the WAN
    router to be a single point of failure either, which in turn implies
    you need concrete plans about how to get the ASA to play nicely with
    whatever WAN redundancy you are thinking of.
     
    Walter Roberson, Nov 6, 2006
    #2

  3. Mike Rahl

    Mike Rahl Guest

    I am unfortunately somewhat constrained in what I can do here for
    several reasons:

    1. The client isn't willing to pay, in any way, for redundancy. He
    has exactly 1 Cisco 3560 switch, acting as both router and switch, per
    region (he has 4 regions). He is connecting between 6 and 20 CE 500
    switches to each Catalyst 3560, and on those CE 500 switches, he has
    PCs and servers. There is no way to implement redundancy here, as the
    client does not want to use routers, nor multiple redundant switches at
    the core layer.
    2. The client is looking for the simplest possible solution. He has
    little understanding of Cisco equipment (however much he insists on its
    use), and is only interested in providing basic connectivity. However,
    at the same time, he wants specifically to completely prevent
    communication between VLANs; however, he does not want to purchase any
    form of router. I had suggested we simply deploy the Catalyst 3560s as
    layer 2 only, but he doesn't like that option; he wants them to provide
    the routing, and wants to use Access Lists on the switches to prevent
    the approximately 30 VLANs from talking to each other.

    This is a remarkably unreasonable client; however, the contract was
    signed well before I got involved, so I'm kind of stuck with it, and
    trying to find something I can do that will fit the scenario. Given
    the client will require some sort of firewall behind his Internet
    connection, this is why I was thinking of the ASA 5520.

    I appreciate your advice Walter. If you have any other suggestions
    with the input I have provided, I would greatly appreciate them.


    Walter Roberson wrote:
    > In article <>,
    > Mike Rahl <> wrote:
    >
    > >Could anyone recommend to me what would make the best choice for an
    > >Internet Gateway firewall?

    >
    > >C. The local area network has a total of 30 VLANs

    >
    > >D. The firewall's job will be simultaneously (and I don't know for
    > >sure if this is possible, but this is the objective) to separate each
    > >VLAN to ensure that each cannot talk to the other, and to provide an
    > >Internet Gateway, complete with NAT functionality, stateful firewall
    > >inspection, and possibly IDS functionality

    >
    > >I'm leaning towards the ASA 5520, but would the 5510 be capable of
    > >filling these roles

    >
    > No.
    >
    > http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    >
    > Notice that the VLAN limit on the 5510 is 10 for the base unit,
    > 25 if you use the Security Plus edition. The 5520 supports 100 VLANs.
    >
    >
    > > separate each VLAN to ensure that each cannot talk to the other

    >
    > Is that as in "The VLANs can never talk to each other", or
    > "The VLANs must absolutely be able to talk to each other, but in
    > strictly controlled ways?"
    >
    > > B. We have a total of 750 computers (including servers) behind that
    > > firewall. All will, in 1 form or another, require internet access.

    >
    > The previous question together with this leads to the question of
    > what throughput you need -- VLAN to VLAN and VLANs to Internet ?
    > And what interfaces?
    >
    > Notice, for example, that the 5510 has no gigabit ports at all, so
    > if gigabit is needed in-house now or in the reasonable future, the 5510
    > is not an appropriate choice. And if there is gigabit in the offing,
    > check out the throughput figures.
    >
    > But as you mentioned IDS, also look way down the table to the IPS
    > throughputs: those might not be enough for the situation, especially
    > if each VLAN must be IPS'd instead of just the public interface.
    >
    >
    > > B. We have a total of 750 computers (including servers) behind that
    > > firewall. All will, in 1 form or another, require internet access.

    >
    > You need redundancy plans. You don't want the ASA to be a single point
    > of failure. With that many users, I wouldn't want the WAN
    > router to be a single point of failure either, which in turn implies
    > you need concrete plans about how to get the ASA to play nicely with
    > whatever WAN redundancy you are thinking of.
     
    Mike Rahl, Nov 6, 2006
    #3
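The per-SVI access-list approach the client asks for in post #3 (Catalyst 3560 doing the routing, one ACL per VLAN, the ASA only seeing Internet-bound traffic) can be generated and sanity-checked before it touches a switch. The script below is an added example, not configuration from the thread or from Cisco; the 30 VLAN ids and 10.1.x.0/24 subnets are constructed, and the ACL names are made up. It emits IOS-style config for each VLAN and includes a small first-match evaluator so the policy can be tested offline: inter-VLAN traffic is dropped at the SVI, everything else is forwarded to the default route (the ASA).

```python
import ipaddress

# Constructed values, not from the thread: 30 VLANs (ids 10..39), each a 10.x.x.0/24.
VLANS = {vid: ipaddress.ip_network(f"10.1.{vid}.0/24") for vid in range(10, 40)}
SITE = ipaddress.ip_network("10.0.0.0/8")   # everything in-house lives under 10/8


def ios_pair(net):
    """Render a network in IOS 'address wildcard' notation."""
    return f"{net.network_address} {net.hostmask}"


def build_svi_acl(vid):
    """IOS config for one VLAN's SVI (hypothetical ACL name ISOLATE-VLANn):
    an extended ACL applied inbound that drops anything bound for another
    10/8 subnet and lets the rest through, i.e. Internet-bound traffic that the
    default route hands to the ASA. Intra-VLAN traffic is switched at layer 2
    and never reaches the SVI, so it is not affected by this ACL."""
    net = VLANS[vid]
    name = f"ISOLATE-VLAN{vid}"
    return [
        f"ip access-list extended {name}",
        f" deny ip {ios_pair(net)} {ios_pair(SITE)}",
        " permit ip any any",
        f"interface Vlan{vid}",
        f" ip access-group {name} in",
    ]


def _parse_target(tokens):
    """Consume 'any' or 'addr wildcard' from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress accepts a hostmask (wildcard) after the slash for the masks used here.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def acl_permits(config, src, dst):
    """First-match evaluation of the 'permit ip' / 'deny ip' ACEs in a generated
    config for one source/destination pair, with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in config:
        tok = line.split()
        if tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue
        s_net, rest = _parse_target(tok[2:])
        d_net, _ = _parse_target(rest)
        if src in s_net and dst in d_net:
            return tok[0] == "permit"
    return False   # implicit deny


if __name__ == "__main__":
    for vid in VLANS:
        print("\n".join(build_svi_acl(vid)))
```

Note that this only blocks routed traffic between the VLAN subnets; any shared service (DNS, DHCP relay, a server VLAN) would need explicit permit entries placed above the deny, and each added line should be re-checked with `acl_permits` before deployment.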