https://community.cisco.com/t5/network-security/asa-design/m-p/2980324#M150350 <P>Hi,</P> <P>We have currently a Checkpoint external firewall internet facing, behind we have Cisco ASA for VPN ( for external users for remote access)</P> <P>Now we have requirement to replace these two old firewalls with new Cisco ASA 5555-X firewall and merge both firewalls ( check point and old ASA) into new 5555-X ASA.</P> <P>After having discussion with network team, they are suggesting this is not a good design and might be security risk by combining both external internet facing firewall and remote access VPN ASA into one ASA.</P> <P></P> <P>Please can you share your opinion on this approach and if anyone has this kind of similar &nbsp;setup?</P> <P></P> <P></P> <P>Regards,</P> <P></P> Tue, 12 Mar 2019 08:12:49 GMT mohammedrafiq 2019-03-12T08:12:49Z https://community.cisco.com/t5/network-security/asa-design/m-p/2980324#M150350 <P>Hi,</P> <P>We have currently a Checkpoint external firewall internet facing, behind we have Cisco ASA for VPN ( for external users for remote access)</P> <P>Now we have requirement to replace these two old firewalls with new Cisco ASA 5555-X firewall and merge both firewalls ( check point and old ASA) into new 5555-X ASA.</P> <P>After having discussion with network team, they are suggesting this is not a good design and might be security risk by combining both external internet facing firewall and remote access VPN ASA into one ASA.</P> <P></P> <P>Please can you share your opinion on this approach and if anyone has this kind of similar &nbsp;setup?</P> <P></P> <P></P> <P>Regards,</P> <P></P> Tue, 12 Mar 2019 08:12:49 GMT https://community.cisco.com/t5/network-security/asa-design/m-p/2980324#M150350 mohammedrafiq 2019-03-12T08:12:49Z https://community.cisco.com/t5/network-security/asa-design/m-p/2980325#M150351 <P><BR />Both designs are valid, with cost and flexibility usually becoming the deciding factor.<BR /><BR />Your current design is essentially a single firewall with a remote access VPN sitting behind a firewall (unless you ommitted that this is also an inside firewall).<BR />The VPN ASA does not perform any firewall functions - its a remote access gateway, and there really is no point in having this behind the checkpoint.<BR />VPN connections are encrypted, you wouldnt be inspecting the encrypted SSL traffic anyway, and you just put more load on the checkpoint.<BR /><BR />That being said, there are advantages to separating the functionality.<BR /><BR />You can run separate code on the ASA acting as a firewall and the VPN ASA.<BR />This is usefull in scenarios where you may need a new security feature in one code that introduces a VPN bug, allowing you to utlise the new feature set whilst not impacting VPN.<BR />Essentially allowing you to run the most stable code for the features and specific functionality you require.<BR /><BR />It also allows you to perform upgrades on the VPN ASA without impacting your firewall edge, and vise versa.<BR /><BR />You also have the option down the track to deploy a second FW ASA and run it in clustering for increase throughput.<BR />If you combine the SSLVPN and FW functionality you can only deploy HA in an Active / Standby model.<BR /><BR />The best place to start would be to review Cisco validated internet edge design and go from there:<BR /><A href="http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Oct2015/Internet_Edge_Design_Oct2015.pdf">http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Oct2015/Internet_Edge_Design_Oct2015.pdf</A></P> <P></P> Wed, 31 Aug 2016 16:32:19 GMT https://community.cisco.com/t5/network-security/asa-design/m-p/2980325#M150351 bezcomservices 2016-08-31T16:32:19Z