We are replacing our End-Of-Life Sonicwall with an ASA and have some questions regarding implementing it into our network environment. Currently, all of our switches (access, distribution, and core) have a default gateway that is the IP address of our Sonicwall. This configuration isn't recommended with the ASA since you shouldn't bounce traffic back through the internal interface. I know this configuration is possible (hairpinning) with some tweaking but I believe for security purposes we would like to avoid setting up our ASA in this manner.
So, in looking at our CAS settings, I see also that the trusted interface default gateway is also the IP address of our Sonicwall. In reading the CAS documentation, I see the following:

Trusted Interface -- For Virtual Gateway -- This is the address of the existing gateway on the trusted network side of the CAS.

Untrusted Interface -- For Virtual Gateway -- The default gateway is the address of the existing gateway on the trusted network side of the CAS.

So, am I reading it right that these should both be the same value? In our environment, they currently are not. The untrusted interface default gateway has a value of the IP address of VLAN1 on our core switch. If these should be the same, would I be correct in changing the IP address of VLAN1 to be the same as what the IP address of our Sonicwall was (knowing that I then need to make a change on the core switch to route all external traffic to the ASA instead of the Sonicwall)?

Is it recommended Cisco best practice for all of your access and distribution switches to have a default gateway of the IP address of VLAN1 on your core switch? Secondly, should your core switch even have to have a default gateway (since it itself holds VLAN1)? Should the default gateway for both the trusted and untrusted interface be the IP address of VLAN1 on your core switch?

I'm hesitant to make changes yet, as I do not want to create any loops on our core switch and cause it to spike to 99% utilization. We have been running CCA since 4.0.0 (almost 3 years now) and have never had to make any changes to our environment. I worked with Cisco TAC on this over the Holiday Break and I wasn't really sure how to classify this issue... CCA? Core switching? ASA? It kind of overlaps...

Any hints/tips/ideas would be greatly appreciated.
