ASA5505 Firewall/router on a stick limitations

Started by KDog, May 09, 2017, 07:20:56 PM


KDog

Hello all,
Not really an enterprise grade question but thought I would ask here anyway. I'm not a networking guru.

Have a few small offices, they use various firewalls as routers on a stick. Works ok. One office though has an ASA5505 as the head of the stick (other offices have PfSense with 10GbE cards for a trunk).
Problems are the 5505 only has 100Mb interfaces, so all inter VLan routing is slow. It is my understanding that the 5505 can't do etherchannel either (so no large trunk or bonding to the L3 switch).
L3 switch is a Dell N4032 which has some nice 10GbE ports (which would be great to go to my server storage). VLANs require some filtering/ACL between them, so it leaves out using the L3 switches to do the interVLAN routing.

Can anyone think of a method to rid myself of these 100Mb ports? Buying a cheap second hand ASA5520 etc and run etherchannel is about where I stopped. I would build another PfSense box but 10GbE gets very costly and I have 2FA VPN which won't run under pfsense.
Never argue with an idiot.
They will bring you down to their level and beat you with experience.

wintermute000

Your office doesn't sound large so doesn't sound like you even need 10Gb. In terms of ease, why don't you just upgrade to the newer 55xx range with gigabit?


10Gb ports on firewalls are always going to be expensive on your scale.

Dieselboy

The ASA has 7 100M switchports. Why not use more physical interfaces and have just one VLAN per physical interface?

What do you mean by "one office has an asa5505 as the head of the stick"?

Questions:
If your offices are small, why do you need multiple VLANs?
Again, if your offices are small, why is so much traffic being routed between VLANs?

I am taking it that the office does not route traffic on a stick for other remote offices.

LynK

@diesel,

1) He may have different vlans for servers/clients. An example could be a file server/etc.

2) By head-end he means the ASA is the device that is performing the intra-vlan communication



@k-Dog. This is what I would recommend. See if your switch can perform layer 3 functions. Make vlan SVIs for your vlans, and then allow the switch to route your traffic. Then create a default static route to your ASA internal IP address.

This allows your traffic to not have to go to the ASA, but can go from Machine A -> switch -> Server
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

mlan

I agree with @LynK.  Also, any L3 switch should be able to provide filtering/ACL's as well.
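As an added illustration of the design LynK and mlan describe (SVIs on the L3 switch, a default route to the ASA, and the inter-VLAN ACL moved onto the switch), here is a constructed configuration fragment. It is not from anyone in the thread and not a Dell or Cisco reference: it uses Cisco-IOS-style syntax for the switch side, which the Dell N4032 CLI resembles but does not match command for command, and every VLAN ID, address and host below is made up.

```cisco
! Constructed example, not the thread's own configuration.
! Switch commands are Cisco-IOS-style; verify each one against the
! Dell N4032 command reference before use. All addresses are made up.

! ---- L3 switch: inter-VLAN routing stays on the switch ----
ip routing
!
interface vlan 10
 description Clients
 ip address 10.10.10.1 255.255.255.0
 ip access-group CLIENTS-IN in
!
interface vlan 20
 description Servers
 ip address 10.10.20.1 255.255.255.0
!
! Small transit VLAN between the switch and the ASA inside interface
interface vlan 99
 description Transit-to-ASA
 ip address 10.10.99.2 255.255.255.252
!
! Anything not known locally (Internet, site-to-site VPNs) goes to the ASA
ip route 0.0.0.0 0.0.0.0 10.10.99.1
!
! The inter-VLAN filter now lives on the SVI instead of the ASA.
! Clients may reach the file server (10.10.20.10, hypothetical) on SMB only;
! other client-to-server traffic is dropped; everything else (e.g. Internet
! via the default route) is permitted.
ip access-list extended CLIENTS-IN
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.20.10 eq 445
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip  any any

! ---- ASA: return routes so replies come back through the switch ----
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.99.1 255.255.255.252
!
route inside 10.10.10.0 255.255.255.0 10.10.99.2 1
route inside 10.10.20.0 255.255.255.0 10.10.99.2 1
```

Two things to check when moving to this layout: the ASA still needs to know the VLAN subnets (the static routes above, plus any NAT rules and VPN crypto ACLs that previously referenced them), and inter-VLAN traffic no longer passes the ASA at all, so whatever inspection the ASA did between VLANs now rests entirely on the switch ACL. Keep the SVI ACLs short and per-VLAN so they stay reviewable.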

KDog

Thanks guys,

The size of an office/business is irrelevant, large amounts of data move around and the 100Mb fast ethernet is causing a restriction. All offices are interconnected with IPsec VPNs, slowest is around 30Mb/s (but that isn't relevant to this discussion). The 7 different VLANs are necessary as is the filtering.
Whilst I can easily do the L3, VLAN, ACL stuff on the switch it is not preferable, as needing to take care of multiple configurations can get messy very quickly.

I might just go with replacing the 5505 with a 5520 or 5550, then I can use etherchannel to beef up the trunk/stick. I was more checking that my initial thoughts were correct and that there wasn't an immediate perfect solution I could implement. If I could get the 2FA that is in use working with PfSense then I would probably do that.




Otanx

Quote from: Dieselboy on May 10, 2017, 01:39:21 AM
The ASA has 7 100M switchports. Why not use more physical interfaces and have just one VLAN per physical interface?

This. It isn't perfect load balance, but neither is an ether-channel. I think the bigger problem is the 5505 is only rated at 150Mb/s so you are not going to get much more out of it anyway.

-Otanx

Dieselboy

Quote from: Otanx on May 10, 2017, 07:44:25 PM
Quote from: Dieselboy on May 10, 2017, 01:39:21 AM
The ASA has 7 100M switchports. Why not use more physical interfaces and have just one VLAN per physical interface?

This. It isn't perfect load balance, but neither is an ether-channel. I think the bigger problem is the 5505 is only rated at 150Mb/s so you are not going to get much more out of it anyway.

-Otanx

Yes you're right, I forgot about that when posting. I took it that the 100M interface was hitting capacity due to the router on a stick design :)

Quote from: KDog on May 10, 2017, 05:52:39 PM
Thanks guys,

The size of an office/business is irrelevant

It's not irrelevant, really. Why add extra complications that are not necessary. It's no problem having users and servers on the same VLAN. I've done plenty of designs this way because the office had a small number of people and did not warrant VLANs at all. A layer 2 switch and an ASA was pretty much the list of their network devices. Adding VLANs in this design would have meant the L3 routing would have to be done by the ASA and you see where that's going.

Quote from: KDog on May 10, 2017, 05:52:39 PM
large amounts of data move around and the 100Mb fast ethernet is causing a restriction. All offices are interconnected with IPsec VPNs, slowest is around 30Mb/s (but that isn't relevant to this discussion). The 7 different VLANs are necessary as is the filtering.
Whilst I can easily do the L3, VLAN, ACL stuff on the switch it is not preferable, as needing to take care of multiple configurations can get messy very quickly.

I might just go with replacing the 5505 with a 5520 or 5550, then I can use etherchannel to beef up the trunk/stick. I was more checking that my initial thoughts were correct and that there wasn't an immediate perfect solution I could implement. If I could get the 2FA that is in use working with PfSense then I would probably do that.

Personally, I'd use a gigabit layer 3 switch to route VLANs. It's not clear why you need filtering, are you multi-tenanting? I would not use SVI ACLs as you need to maintain them accurately else weird things happen.
If you're multi-tenanting then this isn't the right way to go about making this secure, really. How much routed traffic do you need to cope with? 7 VLANs for a small office does seem excessive. Usually, the guide is to have /24's per VLAN. So if you've filled up 6 /24's / VLANs and need a 7th then it's not a small office :)

If you could explain a bit more, might be able to guide you a bit better.

LynK

Quote
The 7 different VLANs are necessary as is the filtering.
Whilst I can easily do the L3, VLAN, ACL stuff on the switch it is not preferable, as needing to take care of multiple configurations can get messy very quickly.

This is not messy at all. It simplifies your configuration. You have experienced network engineers recommending the best solutions to your problems, and you are discrediting them. Why come on here in the first place?

In the ASA you can match on subnets too. Which makes filtering 100x more efficient, and it removes all of the garbage configuration on your ASA. Not to mention my solution requires ZERO cost, and will be a faster solution. You can also do filtering on the switch.

The ONLY reason why you would want your setup is if you wanted the ASA to filter/block/scan east/west traffic. For example, a DMZ network off of the ASA. But there are so many better solutions than the one you are running. If you wanted certain traffic to be forced to the ASA, then just do a static route of subnet X to the asa. You are wasting all of our time if you come to a forum, ask for help, then turn down the solution with no viable explanation other than 'it might be a lot of work', which is also wrong.

Your job is to find the best solution for your company, and upgrading your ASA is not the best solution.