
need some help to properly set up, segregate and secure a network with an ASA 5505


texwiz (Technical User, US), May 17, 2016
Hello,

I need some help to properly set up, segregate and secure a network.

The networking equipment consists of a Cisco ASA 5505 as the main firewall/DHCP server, a few Layer 2 switches and 2 Cisco WAP-371-A-K9 operating in a cluster.

Here is what we have:

Windows Server 2012 R2 and about 10 joined PCs on the server's domain. These PCs need to be redirected to the Windows server as their DNS server in order to function properly. We also have wireless PCs/Tablets/Phones that need to access the server.
10 IP cameras with a NVR.
A Networked Printer/Scanner/Fax machine.
Guest PCs, Guest tablets, Guest smartphones.
Smart TVs, Home automation devices, etc...

I do not believe that it is a good idea to throw all the devices on one single VLAN. Now from thereon, I get confused as to how to properly set up the network.

I originally thought that I should have 4 VLANs:

VLAN1(most trusted): Windows server and all PCs/tablets/phones/devices that need to access the server. Ports 443 and 4125 will need to be opened for remote access.
VLAN2: IP Cameras and NVR with a port opened for the NVR to be remotely accessible.
VLAN3: Home Automation, WiFi Garage door Opener, Magic Jack Devices, etc...
VLAN4 (least trusted): Smart TVs, Network Printer, Guest PCs, Guest Tablets, Guest Phones, etc...

Now this being said, devices in more secure VLANs should be able to access devices in less secure VLANs, but not vice versa.

Your thoughts and recommendations are highly appreciated.
Many thanks!


 
An easy setup would just be to manipulate the security levels of the VLANs/interfaces.

For example, highest security to lowest:

Set VLAN1 as 100
Set VLAN2 as 75
Set VLAN3 as 50
Set VLAN4 as 25

Default rules on the ASA should allow traffic from a higher security interface to any lower security interface.

If you want, you could set any interface to the same security level with same-security-traffic permit inter-interface (this is also in the interface config of the ASDM as "Enable traffic between two or more interfaces which are configured with the same security levels").

If you add in any specific access rules to the interface/VLAN, though, I believe that goes out the door.
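As an added illustration of the security-level approach described above (example config written for this page, not taken from the thread or from Cisco documentation), here is how the four VLANs from the original post could look on an ASA 5505. It assumes ASA 9.x syntax, the Security Plus license, a fifth VLAN for the outside link, and constructed 192.168.x.x addresses with the Windows server at 192.168.1.10.

```cisco
! Added illustration, not from the thread: ASA 5505 running 9.x with the
! Security Plus license (Base license allows only three VLANs, the third
! restricted with "no forward interface", and no trunk ports). Addresses
! are constructed placeholders; 192.168.1.10 stands for the Windows server.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif cameras
 security-level 75
 ip address 192.168.2.1 255.255.255.0
interface Vlan3
 nameif automation
 security-level 50
 ip address 192.168.3.1 255.255.255.0
interface Vlan4
 nameif guest
 security-level 25
 ip address 192.168.4.1 255.255.255.0
interface Vlan10
 nameif outside
 security-level 0
 ip address dhcp setroute
! Switch ports: 0/0 to the ISP, 0/1 to the server switch, 0/2 a trunk
! carrying all four VLANs to the WAP-371 cluster (one SSID per VLAN).
interface Ethernet0/0
 switchport access vlan 10
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 1-4
! ASA as DHCP server on the inside VLAN, handing domain PCs the Windows
! server as their DNS server (the OP's requirement); repeat per VLAN.
dhcpd address 192.168.1.50-192.168.1.200 inside
dhcpd dns 192.168.1.10 interface inside
dhcpd enable inside
! With no ACLs applied, security levels alone allow higher-to-lower
! initiation only. Remote access on 443 and 4125 is outside->inside, i.e.
! lower to higher, so it needs static PAT plus an explicit outside permit.
object network SERVER_HTTPS
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 443 443
object network SERVER_4125
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 4125 4125
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq 4125
access-group OUTSIDE_IN in interface outside
```

Note that the moment an access-group is applied to any of the VLAN interfaces (guest, cameras, etc.), the implicit higher-to-lower allowance on that interface is replaced by the ACL, so anything that VLAN should still reach must be permitted explicitly.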
 
Do you think segregating VLANs will provide enough security?
Furthermore, how should I set up the WLANs? One SSID for VLAN1 and another for VLAN4?