5

enter image description here

Having attempted to research this I’m still uncertain of where best to place firewalls in an existing network due to needing to retain a common vlan between 2 core sites. The network has the following requirements:

  • Redundancy between 2 x corporate sites to allow network based internet access with L2 adjacency for HSRP between the Cisco1921 routers so that DMZ resources and Customer LAN hosts use the vip as their default gateway
  • All internet traffic to/from the Customer LAN should be processed by the local ASA
  • All traffic from the internet to the DMZ should be processed by the ASA
  • Internet traffic and Corporate data will share the same WAN links and need to retain a common vlan that trunks between SVIs on the L3 switches

Is there a better way of achieving this instead of having to translate and explicitly send everything via the ASA firewalls between the internet access, dmz and lan users? I would prefer to have the firewalls in the direct path between the routers and switches to simplify their configs but not sure how else I can retain the HSRP communication between sites if placed other than depicted in the diagram? Does it actually matter where the ASA sits from a security perspective?

Improve this question
2
  • Can you create multiple vlans on the "common L2 trunk" between the sites? Also what is the physical link between the sites? There are a couple of different ways to accomplish this, depending on the risk that you might lose the L2 link. Also, can you change the default gateway to another device (SVI on the L3 switch)? Commented Dec 18, 2013 at 20:35
  • @Ron - Yes multiple vlans can be allowed over the Trunk between sites which is like a ethernet 'wireline' service that terminates on Adva boxes that cross connect to the L3 switches. A routed option is not out of the question either but need to retain the Gateway at the router interfaces if possible in order to define demarcation from the service provider. Commented Dec 18, 2013 at 22:02

1 Answer 1

Reset to default
4

Here is a description of one solution:

Create 4 additional VLANs on the L2 trunk. Place the firewalls between the router and L3 switches, and use 3 VLANS to connect the inside, outside and DMZ interfaces, turning the firewalls into a HA (failover) pair. The 4th VLAN becomes the heartbeat link between the two firewalls.

The default gateway for the outside interface is the HSRP address. The firewalls are configured with two contexts with identical policies. Context 1 will have the primary FW on the left side of the diagram, and context 2 will have the right FW as the primary.

Users on the left side will set their default gw to contect1, and users on the right will use context 2. This will keep traffic on the local FW and also provide redundancy if the local FW fails.

Each context has a unique public address (and NAT configuration) so that inbound traffic always goes to the correct FW.

The downside of this is that your DMZ devices will have two public addresses if they are located on both sides of the network. You can either: 1. Decide that the DMZ devices will always use one context regardless of their physical location 2. Use a global load balancer to direct traffic to one or the other contexts. That of course requires additional hardware and configuration.

FW Diagram

Improve this answer
0

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.