We are looking at replacing our old Cisco ASA firewalls with the ASA 5545X with Firepower IPS, URL and AMP in an active/standby configuration. I have attached our topology, which is HQ and three remote sites. All servers and network resources (including internet) are out of the HQ location.
I would like to use the ASA5545X Firepower IPS, URL and AMP services at the private WAN edge as well as internet edge. Here are my questions.
1. Will a pair of ASA 5545X provide these services for both Internet and Private WAN edge?
2. How will I redirect all traffic from the remote sites through the ASA IPS, URL and AMP services before they reach network resources in Data Center 1 and 2? Do I need to terminate the private WAN connections directly on the pair of ASAs and run EIGRP on the ASA? Will this be best practice and design?
You can definitely use an ASA HA pair to do what you are asking. Whether or not the 5545X model is sufficient depends largely on the amount of traffic being inspected and the policies you create. You should work with your partner or Cisco SE to develop a detailed design.
In general, you should think about exempting some traffic from inspection. For example, branch to Intranet traffic should not generally need URL filtering. In fact, I generally recommend customers consider Cisco Umbrella (formerly the OpenDNS product) for content filtering vs. the FirePOWER URL filtering, as OpenDNS is more flexible and has better coverage.
As far as traffic steering through the ASAs, a lot depends on the details of how your WAN setup works. For instance, are your private WAN routers PE routers performing MPLS tagging? If your IGP is EIGRP, are you depending on any features that are not supported on the ASA? Are there other features (Netflow, PBR, AVC, QoS, WaaS etc.) on your WAN routers that might be better left on the router platform? etc. etc.
I usually recommend that we let routers handle routing and only route on ASAs to the least extent necessary to accomplish the required functionality.