Cisco ASA Config for PCI Compliant Office

When it comes to PCI compliance, the number one thing you want to do is find every way you can to limit your scope. You're already making good headway with your network segmentation by actually thinking about what systems are not involved and moving them somewhere else. In a perfect world, your PCI environment would be housed in a physically separate network; however, that is not a requirement. The best way to conceptualize your segmentation is around the idea of a broadcast domain. There are actually a lot of different ways you can adequately get the necessary level of segmentation:

  • Placing your in-scope equipment on a separate subnet
  • Placing your in-scope equipment on a private VLAN in the same address space as out-of-scope
  • Installing a transparent firewall between in-scope and out-of-scope
  • etc.

All that being said, you should be able to get away with using the 5505 as your primary isolation device, and hanging other switches off of it if you need additional ports. You just want to make sure that any traffic from the inside VLAN passes through the firewall module before entering the insidepci VLAN.

The PCI Security Standards Council has a document called Navigating the PCI DSS v2.0. I would highly recommend reading through it so you can better understand the intent of the requirements. That should help you frame the requirements properly for compliance.

Disclaimer: I am not a QSA, ASV, or ISA. Any advice I give is friendly and following it in no way implies compliance.
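As an added illustration of the point above about making inside-VLAN traffic pass through the 5505's firewall before it reaches the insidepci VLAN, here is an example ASA configuration. It is not from the answer's author; the VLAN numbers, addresses, switch port, host objects, the single permitted service (HTTPS to one payment host) and the syslog host are all constructed assumptions, and the syntax assumes ASA 8.3 or later.

```cisco
! Added example, not from the original answer. VLAN numbers, addresses,
! switchport assignment, hosts and the permitted service are assumptions.
interface Vlan1
 nameif inside
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 nameif insidepci
 security-level 90
 ip address 192.168.20.1 255.255.255.0
!
! Ethernet0/7 feeds the in-scope switch; all other switch ports stay on VLAN 1.
interface Ethernet0/7
 switchport access vlan 20
!
object network PCI_APP_SERVER
 host 192.168.20.10
object network ADMIN_WORKSTATION
 host 192.168.10.50
!
! Inbound on inside: only the named out-of-scope host may reach the PCI segment,
! and only on HTTPS. Everything else aimed at insidepci is denied and logged.
access-list INSIDE_IN extended permit tcp object ADMIN_WORKSTATION object PCI_APP_SERVER eq https
access-list INSIDE_IN extended deny ip any 192.168.20.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Inbound on insidepci: the higher security level would otherwise let the PCI
! segment initiate anything toward inside, so block that direction too and log it.
access-list PCI_IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list PCI_IN extended permit ip any any
access-group PCI_IN in interface insidepci
!
! Send the denies to a syslog host on the out-of-scope side so the segmentation
! control can be monitored and evidenced. Outside interface and NAT are omitted.
logging enable
logging trap informational
logging host inside 192.168.10.200
```

Verify the intended isolation with `show access-list INSIDE_IN` (hit counts on the deny line) rather than assuming the security levels alone do the work.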