Hi, Kyle,

Kyle Torkelson wrote:
> We are replacing our End-Of-Life Sonicwall with an ASA and have some
> questions regarding implementing it into our network environment.
> Currently, all of our switches (access, distribution, and core) have a
> default gateway that is the IP address of our Sonicwall. This
> configuration isn't recommended with the ASA since you shouldn't bounce
> traffic back through the internal interface. I know this configuration
> is possible (hairpinning) with some tweaking but I believe for security
> purposes we would like to avoid setting up our ASA in this manner.
Funny thing, I have a Real-IP gateway I'm trying to convert to Virtual in much this situation. As we only have two subnets on that segment, I'm in the midst of setting up two contexts on our ASA, one for each subnet, and once that's done will convert the NAC to a virtual gateway. I believe with a managed subnet and static route on the NAC (CAS) it ought to work fine, and also provide better security between the subnets as a bonus.

Our server ASA is working with five contexts "hairpinning" on the protected side, isolating different classes of server from each other as well as from the rest of campus. No troubles so far. I think "hairpinning" without a separate context for each subnet could be tricky and that's probably what you've been warned against.

> So, in looking at our CAS settings, I see also that the trusted
> interface default gateway is also the IP address of our Sonicwall. In
> reading the CAS documentation, I see the following:
>
> Trusted Interface--For Virtual Gateway--This is the address of the
> existing gateway on the trusted network side of the CAS.
>
> Untrusted Interface--For Virtual Gateway--The default gateway is the
> address of the existing gateway on the trusted network side of the CAS.
>
> So, am I reading it right that these should both be the same value?? In
> our environment, they currently are not. The untrusted interface
> default gateway has a value of the IP address of VLAN1 on our core
> switch.

You've got me a bit confused in that I'm not sure of the location of your "core switch," but I'm assuming it's on the trusted side, on the other side of the Sonicwall from your CAS. That should work, but here we've set our virtual CASs up with the default gateway settings all matching.

-- Best Wishes for 2009,
-- Cal Frye, Network Administrator, Oberlin College Mudd Library, x.56930
-- CIT will NEVER ask you for your password!
www.calfrye.com, www.pitalabs.com

"The race is not always to the swift, but to those who keep running." --Unknown.
