<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic If you have some spare public in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516946#M237405</link>
    <description>&lt;P&gt;If you have some spare public IPs that are being routed to the outside IP of your edge ASA, you could NAT that public IP to the new customer ASAs and then establish a site to site VPN using that public IP.&lt;/P&gt;&lt;P&gt;Another option would be to establish site to site VPN with your edge ASA and in the crypto ACL only permit traffic to and from the required networks.&amp;nbsp; Then the traffic will be routed to the new ASAs and be filtered and sent to their destination.&lt;/P&gt;&lt;P&gt;--&lt;/P&gt;&lt;P&gt;Please remember to select a correct answer and rate helpful posts&lt;/P&gt;</description>
    <pubDate>Thu, 19 Jun 2014 12:09:24 GMT</pubDate>
    <dc:creator>Marius Gunnerud</dc:creator>
    <dc:date>2014-06-19T12:09:24Z</dc:date>
    <item>
      <title>ASA Behind an ASA - Topology issue</title>
      <link>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516943#M237401</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;I am in quite the predicament, my company offers a cloud based infrastructure for customers who buy our software from us.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have a pair of ASA 5525-X w/ IPS with multiple vLANs for each customer (inside) and one vLAN for our outside interface - These should be contexts and we are convincing the business to make these context based.&lt;/P&gt;&lt;P&gt;But at the moment, one of our salespeople has sold a solution to allow a customer to have their own physical firewalls and now asked how would we go about it? The customer is committed to put in a pair of ASA 5515-X IPS devices into our Data Centres but we are quite confused on how to put their ASA behind our Edge ASA?&lt;/P&gt;&lt;P&gt;I can only assume we have two options:&lt;/P&gt;&lt;P&gt;1) We keep the NAT on our Edge Firewall and simply create another vLAN for this customer and put their Firewall behind our Edge. But then are we Double NAT-ing now?&lt;/P&gt;&lt;P&gt;2) We provide a separate IP feed for this customer which goes directly into their physical firewalls which we will manage.&lt;/P&gt;&lt;P&gt;We do not wish to make many changes on our Edge firewall due to the number of customers we manage so I do not know if enabling Transparent mode would work either without impacting all our customers.&lt;/P&gt;&lt;P&gt;The traffic we serve is mainly HTTP / HTTPS but this customer requires a VPN to keep their SQL DBs in sync with a search engine.&lt;/P&gt;&lt;P&gt;Any assistance would be greatly appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Jazz&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 04:20:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516943#M237401</guid>
      <dc:creator>Jazz80813</dc:creator>
      <dc:date>2019-03-12T04:20:53Z</dc:date>
    </item>
    <item>
      <title>Hi Jazz,Here my suggestions</title>
      <link>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516944#M237402</link>
      <description>&lt;P&gt;Hi Jazz,&lt;/P&gt;&lt;P&gt;Here are my suggestions for your query&lt;/P&gt;&lt;P&gt;Options:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;You can have the Customer Dedicated FW on the Internet Access Segment (down to the internet edge router) and assign that with a dedicated public IP stack and do the management. This will take care of the specific customer alone &amp;amp; down the line you can connect to your core LAN network layer to get connected to the inside segment. This is something like isolating it as the separate LAN infrastructure.&lt;/LI&gt;&lt;LI&gt;If you go with dual FW layer option.... then you can use customer FW for filtering and Edge FW for doing NAT. You can just pass thru the traffic to edge fw with the private segment.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Karthik&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jun 2014 09:51:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516944#M237402</guid>
      <dc:creator>nkarthikeyan</dc:creator>
      <dc:date>2014-06-19T09:51:48Z</dc:date>
    </item>
    <item>
      <title>Hi Karthik, Thank you for the</title>
      <link>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516945#M237403</link>
      <description>&lt;P&gt;Hi Karthik,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for the response, going with the dual FW layer option, would the site to site VPN work in that scenario as I think I would be double NAT-ing? Or just have a single NAT on the Edge FW and just open the ports for VPN on edge to enable the traffic to pass through.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Jazz&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jun 2014 12:05:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516945#M237403</guid>
      <dc:creator>Jazz80813</dc:creator>
      <dc:date>2014-06-19T12:05:45Z</dc:date>
    </item>
    <item>
      <title>If you have some spare public</title>
      <link>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516946#M237405</link>
      <description>&lt;P&gt;If you have some spare public IPs that are being routed to the outside IP of your edge ASA, you could NAT that public IP to the new customer ASAs and then establish a site to site VPN using that public IP.&lt;/P&gt;&lt;P&gt;Another option would be to establish site to site VPN with your edge ASA and in the crypto ACL only permit traffic to and from the required networks.&amp;nbsp; Then the traffic will be routed to the new ASAs and be filtered and sent to their destination.&lt;/P&gt;&lt;P&gt;--&lt;/P&gt;&lt;P&gt;Please remember to select a correct answer and rate helpful posts&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jun 2014 12:09:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516946#M237405</guid>
      <dc:creator>Marius Gunnerud</dc:creator>
      <dc:date>2014-06-19T12:09:24Z</dc:date>
    </item>
    <item>
      <title>Hi Jazz, You can have the</title>
      <link>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516947#M237407</link>
      <description>&lt;P&gt;Hi Jazz,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You can have the public IP NAT towards the private IP (Outside) interface of the customer FW and make the edge ASA as a pass through &amp;amp; NAT fw to get that work. It will work as expected. I have deployed such setup in my experience.... Except double work you do in both firewalls... nothing else is hard here... it works technically.....&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Karthik&lt;/P&gt;</description>
      <pubDate>Thu, 19 Jun 2014 12:21:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516947#M237407</guid>
      <dc:creator>nkarthikeyan</dc:creator>
      <dc:date>2014-06-19T12:21:10Z</dc:date>
    </item>
    <item>
      <title>Hi Karthik, How would you</title>
      <link>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516948#M237409</link>
      <description>&lt;P&gt;Hi Karthik,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;How would you make the Edge ASA as pass through?&lt;/P&gt;</description>
      <pubDate>Fri, 20 Jun 2014 15:05:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516948#M237409</guid>
      <dc:creator>Jazz80813</dc:creator>
      <dc:date>2014-06-20T15:05:08Z</dc:date>
    </item>
    <item>
      <title>Hi Marius, we do have some</title>
      <link>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516949#M237412</link>
      <description>&lt;P&gt;Hi Marius, we do have some spare public IP addresses. But how would I create the public NAT on the customer FW, as wouldn't all the mapping of public IP addresses be pointed to the Edge ASA?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Jazz&lt;/P&gt;</description>
      <pubDate>Fri, 20 Jun 2014 15:08:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516949#M237412</guid>
      <dc:creator>Jazz80813</dc:creator>
      <dc:date>2014-06-20T15:08:18Z</dc:date>
    </item>
    <item>
      <title>Hi Jazz,Edge Firewall:On the</title>
      <link>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516950#M237416</link>
      <description>&lt;P&gt;Hi Jazz,&lt;/P&gt;&lt;P&gt;Edge Firewall:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;On the edge firewall you need to allow the required VPN ports like 500,4500,esp... etc towards the dedicated customer VPN firewall.&lt;/LI&gt;&lt;LI&gt;Static NAT for the Outside Private IP of the customer firewall with the public IP on the edge firewall.&lt;/LI&gt;&lt;LI&gt;NAT/PAT for the interesting traffic from the customer firewall with public IP which will be used for Site to Site Tunnel.&lt;/LI&gt;&lt;LI&gt;Outbound ACL in edge firewall for the Site to Site access. Source will be private address that comes from customer firewall&amp;nbsp; &amp;amp; destination will be client address.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;So that edge firewall will be used as pass through and NAT/PAT FW.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Dedicated Customer Firewall:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Peer address would be on the actual public IP of the Customer site Firewall....&lt;/LI&gt;&lt;LI&gt;As usual rest all other things will be same phase 1 , phase 2 parameters, cryptomap.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Eg: Attached with sample&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Karthik&lt;/P&gt;</description>
      <pubDate>Fri, 20 Jun 2014 15:38:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516950#M237416</guid>
      <dc:creator>nkarthikeyan</dc:creator>
      <dc:date>2014-06-20T15:38:46Z</dc:date>
    </item>
    <item>
      <title>You have spare public IPs</title>
      <link>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516951#M237419</link>
      <description>&lt;P&gt;You have spare public IPs which should all either be part of the same subnet as the public IP configured on your edge ASA, or at least your ISP should be routing them to your ASA edge.&lt;/P&gt;&lt;P&gt;What you do then is configure a NAT statement which translates that public IP to your customer's ASA virtual (I am assuming you will have them set up in an active standby setup).&lt;/P&gt;&lt;P&gt;So, I would suggest (with the lack of an ASA context to use) configure a VLAN on the switch that connects to your edge ASA that is dedicated to your customer. Then on your edge ASA either allocate a dedicated interface for that VLAN (this would be the best solution). If you do not have a dedicated interface to use, create another subinterface on the inside interface and allocate it to your chosen VLAN.&lt;/P&gt;&lt;P&gt;Next create an object group that matches the virtual IP of your customer's outside interface:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;object network NEW_CUSTOMER&lt;BR /&gt;&amp;nbsp; host &amp;lt;CUSTOMER ASA private IP&amp;gt;&lt;BR /&gt;&amp;nbsp; nat (cust_int,outside) static interface&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Of course depending on what services you are providing the customer, you might want to restrict the ports that are allowed either through an ACL and/or in the NAT statement.&lt;/P&gt;&lt;P&gt;You will also need an ACL entry allowing inbound traffic to the new customer ASA.&amp;nbsp; The following will allow for remote access IPsec VPN...If you are using Anyconnect the port is 443 unless you have manually changed that.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;access-list CUST_ACL extended permit udp any &amp;lt;CUSTOMER ASA private IP&amp;gt; eq 500&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;access-list CUST_ACL extended permit udp any &amp;lt;CUSTOMER ASA private IP&amp;gt; eq 4500&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;access-group CUST_ACL in interface outside&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Now, if the client machines, servers...etc. behind the customer's ASAs need access to the internet for updates or whatever (keep in mind in the scenario I am laying out customers will access resources over the VPN only) you will need to translate the subnet behind the customer ASAs to the virtual outside IP of the customer ASA.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;object network CUST_LAN&lt;BR /&gt;&amp;nbsp; subnet 192.168.1.0 255.255.255.0&lt;BR /&gt;&amp;nbsp; nat (inside,outside) dynamic interface&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;Hope I explained that well enough.&lt;/P&gt;&lt;P&gt;--&lt;/P&gt;&lt;P&gt;Please remember to select a correct answer and rate helpful posts&lt;/P&gt;</description>
      <pubDate>Fri, 20 Jun 2014 15:39:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-behind-an-asa-topology-issue/m-p/2516951#M237419</guid>
      <dc:creator>Marius Gunnerud</dc:creator>
      <dc:date>2014-06-20T15:39:26Z</dc:date>
    </item>
  </channel>
</rss>

