topic Re: Migrating DMZ from ASA to FTD in Network Security

Migrating DMZ from ASA to FTD

atsukane — Wed, 06 Sep 2023 08:28:53 GMT

Hi All,

I've been tasked with migrating DMZ from a legacy ASA to a FMC managed FTD.

Currently there's a transit LAN to route DMZ destined traffic to the ASA.

We have a 20G (2x10g) port-channel between the core switch and the FTD and all zones listed below are mapped to sub-interfaces.

My plan is to migrate both DMZ and route via the FTD INSIDE, but unsure whether this is a good idea as it's routing dirty traffic with everything else.

Initially, I thought that each zone are protected from one another unless traffic is explicitly allowed, so this is fine but more I think about it became more unsure.

Any suggestion is very much appreciated.

Before

After

Re: Migrating DMZ from ASA to FTD

Rob Ingram — Wed, 06 Sep 2023 09:55:21 GMT

@atsukane I would keep the dirty (DMZ) traffic away from the trusted (inside) networks.

You could place each Zone/DMZ etc with it's own VRF to maintain the segmentation, and route to the FTD and if permitted acess the other Zones/DMZ networks.

Or you could just move the DMZs from the core on to a separate interface of the the FTD.

Re: Migrating DMZ from ASA to FTD

atsukane — Wed, 06 Sep 2023 10:27:30 GMT

Thanks @Rob Ingram

I have not dealt with VRF in the past, so I had some reading. It's an interesting concept and seems pretty straight forward to configure on FMC.

I'll play around with it and also try separate interfaces on FTD option as well.

Re: Migrating DMZ from ASA to FTD

Rob Ingram — Wed, 06 Sep 2023 10:35:48 GMT

@atsukane VRF will be required on the switches the Zones/DMZs are connected to, this ensures segmentation. The only way these Zones/DMZs can communicate with each other is routing traffic to the FTD.

Re: Migrating DMZ from ASA to FTD

atsukane — Wed, 06 Sep 2023 12:00:10 GMT

@Rob Ingram Ah, ok that makes more sense actually, thank you.

Still trying to get head around how to get this done so I may come back with more questions.

Re: Migrating DMZ from ASA to FTD

atsukane — Mon, 18 Sep 2023 12:47:35 GMT

I've been busy with other works and just revisiting this and updated the diagram to depict interfaces/zones better than the originally posted.

Internet switch is there to split the single fibre presentations to a pair of FTDs and just passing vlans.

We are fully virtualised, aside from some physical load-balancers, and are all connected to the core switch, so the FTD is the core router for the firewalled off vlans.

Using a dummy interface and a zone on the FTD, accessing the DMZ resource over the internet was no problem, but having trouble with internal access.

Just want to make sure the below diagram, the part circled in red, is correct and possible or am I getting this all wrong?

The lazy side of me is telling me to just add the DMZ interface as sub-interface of the inside port-channel as that would be a simple solution 😄

thanks in advance

Re: Migrating DMZ from ASA to FTD

Rob Ingram — Mon, 18 Sep 2023 12:56:31 GMT

@atsukane is the DMZ physically connected to the core switch (that's what it looks like)....but there is also a grey line connecting directly to the firewall?

I personally preferring having DMZ servers connected to different switching hardware and physically connected to a different firewall interface. If the DMZ is directly connected to the core switch, then as long as they are different vrf then traffic must be routed up to the FTD and cannot access the LAN directly (unless the ACP permits it).

Re: Migrating DMZ from ASA to FTD

atsukane — Mon, 18 Sep 2023 13:16:02 GMT

Thanks @Rob Ingram DMZ are different interfaces on the firewall, sorry, the grey lines were bit confusing.

Production servers and DMZ servers are all VMs within the same vCentre, and connected via the core.

(Physically, we have Nexus switches (L2) between the core switch and the UCS chassis/hosts .)

Re: Migrating DMZ from ASA to FTD

Rob Ingram — Mon, 18 Sep 2023 16:20:38 GMT

@atsukane so if you are having problems with internal access from the new DMZ, are there Access Control Polices to explictly permit the traffic? Is routing setup correctly via the correct interfaces?

Run packet-tracer from the CLI to simulate the traffic flow and provide the output if necessary.

Any NAT rules that may unintentially translate the traffic between the DMZ and internal networks?

Re: Migrating DMZ from ASA to FTD

atsukane — Thu, 21 Sep 2023 08:51:44 GMT

Thank you @Rob Ingram I have now connected the DMZ portchannel directly to Nexus switches and it's working as expected.

Thanks again for your assistance.