topic Re: ASA & IPS in Network Security

ASA & IPS

estelamathew — Mon, 11 Mar 2019 19:44:38 GMT

Hello Dear's,

Please see the attached design and confirm, what i m thinking is correct and it is fully redundant.

Web Server NIC's are in active/standby mode

Full DMZ is in 1 subnet

IPS-1 and IPS-2 will be having inline interface pairing as per the diagram attached

If primary ASA fails,,the packets will be routed by DMZ-Switch-2 to Secondary ASA.

Packet flow will ------> web server----NIC-1-----switch-1----switch-2----secondary ASA

Thanks

Re: ASA & IPS

PAUL GILBERT ARIAS — Thu, 03 Feb 2011 23:39:46 GMT

I don't think that is a fully redundant design. If the cables marked as 3 or 4 fail the communication will get interrupted. There's got to be redundant links all over.

Re: ASA & IPS

Jennifer Halim — Fri, 04 Feb 2011 02:01:21 GMT

Unfortunately, ASA failover does not work in that fashion.

ASA can only have 1 active firewall at a given time, and the redundancy is provided when the ASA actually fails over from the active to the standby ASA when the failure actually occurs on the ASA firewall, not when other devices in the network fails

When the web server fails over and traffic is actually being routed towards the secondary standby ASA, the standby ASA will drop the packet because standby ASA does not route nor inspect any traffic. Within the ASA failover pair, there is only 1 active ASA at any given time as well as only 1 active IP Address. The ip address follows the active ASA firewall.

For example:

IP address of 10.1.1.1 is currently active on the primary ASA, and when primary fails over to the secondary ASA, secondary ASA becomes active and it resumes the ip address of 10.1.1.1. The standby ip address normally assigned to the standby ASA is only used for management purposes.

Hope that helps.

Re: ASA & IPS

estelamathew — Fri, 04 Feb 2011 08:07:09 GMT

Hello Experts,

You''ll are perfect.

Now chk the attached diagram and please confirm the routing & switching and redundancy are perfect,?? If not please suggest me according to ur expierience.

IPS-1 inline interface pair 1 and 3, 2 and 4

IPS-2 inline interface pair 1 and 3, 2 and 4.

Thanks,

Re: ASA & IPS

Jennifer Halim — Fri, 04 Feb 2011 12:31:20 GMT

That looks perfect now. Just to confirm again that only the active ASA will be passing traffic, so traffic will always be routed to only the active ASA.

Re: ASA & IPS

PAUL GILBERT ARIAS — Fri, 04 Feb 2011 14:00:22 GMT

now you got it.

Re: ASA & IPS

estelamathew — Fri, 04 Feb 2011 14:07:17 GMT

Hello Dears,

Yes only 1 ASA will be active either ASA-1 or ASA-2,
I have prepared new design with 1 IPS in DMZ in which i will configure the inline vlan interface pair in IPS.

Please have a look at the attached,

Re: ASA & IPS

PAUL GILBERT ARIAS — Fri, 04 Feb 2011 14:31:50 GMT

This new design doesn't seem as soo good as the one before. There are two week points. It will be better to have to cables for each ASA going to each switch. If you have an extra interface on each ASA you can configure redundant interfaces which will make two physical interfaces work as one that way you can cable two interfaces of each ASA going to each switch on VLAN 120.

Check the attachment.

Re: ASA & IPS

Jennifer Halim — Fri, 04 Feb 2011 16:53:22 GMT

This design looks fine to me.

As Paul has advised, you can further drill down on redundancy. It's just how far you would like to make the network redundant.

Re: ASA & IPS

estelamathew — Fri, 04 Feb 2011 17:04:01 GMT

Hello Experts,

I have prepared the 2nd design becz i may be runnng in shortage with 1 No's switch, According to ur redundant interface configuiration it is not possible becz i m running shortage of interface on ASA too. Can u link me any redundant interface configuration example on ASA.

Can u confirm me with 2nd design whether there will any issue with routing and swithching or redundancy. If u say about the redundant interface then in 1st design also i have only 1 interface going to 1 switch.

Thanks

Re: ASA & IPS

PAUL GILBERT ARIAS — Fri, 04 Feb 2011 17:11:47 GMT

Here is the link for redundant interface:

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838

I don't think you second design will cause issues.

Re: ASA & IPS

estelamathew — Fri, 04 Feb 2011 17:52:40 GMT

Hello Dear's,

I have 1 doubt in my 2nd design,

If i m doing interface pairing insted of vlan pairing on IPS (Right side 100 and 200 from NIC B ) and (Left side 100 and 200 from NIC A), suppose if Active ASA fails still the packets from NIC B will flow to Active ASA (previous standby) without any issues.

The above query is about interface pairing in IPS, what i know abt interface pairing is ,, it is just forwarding packets to out interface of the pair.i.e (Right side vlan 200 on IPS from NIC B ).

Thanks

Re: ASA & IPS

estelamathew — Sat, 05 Feb 2011 16:15:41 GMT

Hello, Jennifer/Paul

Waiting for ur last reply dear's,

Thanks

Re: ASA & IPS

Jennifer Halim — Sat, 05 Feb 2011 17:04:41 GMT

There are 2 options in configuring IPS with interface pairing:

1) Connect each of the IPS interface to 2 different switches.

2) If you need to connect both IPS interfaces to 1 switch, you are correct, both needs to be in different VLAN, and the default gateway needs to be on the opposite VLAN.

For example:

Inside network: vlan 100 (10.10.10.0/24), eg: host A connects to vlan 100 with ip address of 10.10.10.5 and its default gateway is 10.10.10.1 (ASA inside interface).

ASA inside interface: vlan 200 (10.10.10.1)

IPS interface 1: vlan 100

IPS interface 2: vlan 200

Hope this answers your question.

Re: ASA & IPS

estelamathew — Sat, 05 Feb 2011 20:35:12 GMT

Hello Jennifer,

Cool Explanation.......

I have attached new design with added 1 more switch with full redundant design, as client is running in stock of switches.

Jennifer if i m wrong please correct me , My each IPS pair is going on different switch so they can be in same vlan. If i m wrong then which interface will be in which vlan please guide.

IPS-1:

Pair 1 and 3 ( ASA-SW-1 and DMZ-SW-1)

Pair 2 and 4 (ASA-SW-1 and DMZ-SW-2)

IPS-2

Pair 1 and 3 ( ASA-SW-2 and DMZ-SW-1)

Pair 2 and 4 (ASA-SW-2 and DMZ-SW-2)

Re: ASA & IPS

Jennifer Halim — Mon, 07 Feb 2011 09:44:57 GMT

You are absolutely correct.

If you are using different switches, then there is no issue at all as long as the only way from the web server towards the ASA and vice versa is via the IPS.

Re: ASA & IPS

estelamathew — Wed, 09 Feb 2011 17:39:21 GMT

Hello Dear's,

Inline pair IPS-1

gig0/0<------>gig0/1

gig0/2<------>gig0/3

Inline pair IPS-2

gig0/0<------>gig0/1

gig0/2<------>gig0/3

Please find the attched the previous topology and the current attached topology is not fully redundant, We missed the below conditions,

For previous topology,

IF ASA-SW1,IPS-2 and DMZ-SW-1 fails there is no connectivity (buisness down)

IF ASA-SW2,IPS-1 and DMZ-SW-2 fails there is no connectivity (buisness down)

In Current attached topology:

IF suppose ASA-SW1 and IPS-1 and DMZ-SW2 fails then there is no connectivity,(buisness down)

IF suppose ASA-SW2 and IPS-2 and DMZ-SW1 fails then there is no connectivity,(buisness down)

What can be the soluttion dears i dont think so we can do it by interface pairing,IF you'll have any ideas pls suggest,I have to try with inline vlan pairing i tried but i have some doubts,

For example IPS 4240,

I have configured gig0/0 as inline vlan pair for vlan 1 and vlan 2 and on the DMZ-SW1 i had configured trunk

what i shld configure on gig0/2,???? when i configure the same pair on gig0/2 it gives me error and i saw in user guide it is written that we should'nt configure same pair on more than 1 interface

Please please suggest .

Re: ASA & IPS

estelamathew — Thu, 10 Feb 2011 06:37:02 GMT

Hello Jennifer/Paul

I need ur help on above questions,

Re: ASA & IPS

PAUL GILBERT ARIAS — Thu, 10 Feb 2011 14:18:55 GMT

Estela one of the major concerns is that there is only one link between each switch and the ASA. If the link fails on the primary unit the traffic will fail. Let me analyze this in detail.

Re: ASA & IPS

estelamathew — Thu, 10 Feb 2011 20:47:25 GMT

Hello paul,

Attached is the new design and answer me.the problem below

DMZ-SW1 all ports will be vlan 2 and 2 trunk port connecting to ASA-SW1 & ASA-SW2
DMZ-SW2 all ports will be in vlan 4 and 2 trunk port connecting to ASA-SW2 & ASA-SW1

Can we configure the redundant interface on ASA, 1 active interface will go to the ASA-SW1 on vlan 3 and another standby interface of active ASA to ASA-SW2 in vlan 5

PUT A SCENARIO WHEN ASA-SW2 ,IPS1 and DMZ-SW1 fails

Packet will come from DMZ-SW2 from vlan 4 and it will pass to IPS it will change to vlan 5 and do a arp request for ASA-interface ,the arp request will go to the ASA-SW1 also but it will not respond becz on ASA-SW1 the ASA interface is in vlan 3 the packet will be drop and standby interface of active ASA on ASA-SW2 is in vlan 5 which is already (ASA-SW2) down according to this scenario.

How the packet will reach ASA with full redundancy without any issues. I need a solution dears,,