01-13-2010 03:41 AM - edited 03-10-2019 04:51 AM
Hello,
I will appreciate it if anyone can please suggest.
We have 2 ASA 5520s with SSM modules in them. Behind the ASAs there is a CSS load balancer. This load balancer has an SSL module and an SSL certificate installed. Since the communication from the internet to the load balancer VIP is SSL, the SSM module configured to monitor the communication is limited, since everything is encrypted.
The communication between the LB and the server farm is not encrypted, but there is no IPS in between. Can you suggest whether someone has used the below design?
int 1 (public) ---- ASA1 ----- LB 1 (dmz interface) -------- inside interface of ASA1 (inside) where all web servers reside
Hence the traffic comes in on port 443 for the VIP address. A static on ASA 1 forwards the traffic to its dmz interface where LB 1 resides, then the traffic from LB 1 goes unencrypted to the inside interface where the whole web server farm resides. By doing so we can configure the SSM module to monitor the traffic from the LB to the web server farm, since it passes between the 2 interfaces of the ASA, and we can also have an access-list on the ASA allowing traffic only between the LB and the web servers.
Will this be a concern for ASA performance?
Is this a recommended design?
Thanks
01-13-2010 03:15 PM
This is a valid design and it should work.
The ASA will be seeing the traffic twice, and the interface that is in front of the LB will see the incoming traffic from the LB twice, so I am not sure it is efficient. Please check how much traffic the interfaces will be seeing to see if the ASAs can handle it.
Since the LB will be the one actually pulling pages and talking to your servers, why don't you have it go through the ASA, but not the outside users when they talk to the LB?
If you are worried about DoS against the LB and you don't have another firewall to use, then I guess it is a valid design.
I hope it helps.
PK
01-14-2010 03:44 AM
Thanks for the email.
I am not sure how to give the rating here?
What I am thinking is to create a trunk interface on the ASA, connect one more interface from the CSS (LB) to that switch, and have all servers connected to the switch in a different VLAN with their gateway being the ASA. This way 2 interfaces of the CSS will be used, one to receive and one to send, with tagging on the ASA.
Thanks
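For readers who want to see what the design discussed in this thread looks like on the box, the fragment below is an added example written for this page; it is not configuration posted by the original participants. It uses pre-8.3 ASA syntax (the era of the thread, where ACLs on the outside interface reference the translated address), and every address, VLAN number and object name is an assumption chosen for illustration: outside 203.0.113.x, CSS VIP 10.20.0.5 in the dmz VLAN, web farm 10.30.0.x in the inside VLAN, both carried as subinterfaces of one physical trunk port as proposed in the post above.

```text
! Added example, not from the thread. Hypothetical addresses and VLAN ids.
! One physical port carries both the dmz and inside VLANs as subinterfaces.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif inside
 security-level 100
 ip address 10.30.0.1 255.255.255.0
!
object-group network WEBFARM
 network-object host 10.30.0.11
 network-object host 10.30.0.12
!
! Static PAT: Internet clients hit 203.0.113.20:443, which is forwarded to the CSS VIP in the dmz.
static (dmz,outside) tcp 203.0.113.20 443 10.20.0.5 443 netmask 255.255.255.255
!
! outside -> dmz: only HTTPS, only to the published VIP.
access-list outside_in extended permit tcp any host 203.0.113.20 eq 443
access-group outside_in in interface outside
!
! dmz -> inside: only the CSS may talk to the farm, and only on the cleartext port.
! Everything else is denied and logged.
access-list dmz_in extended permit tcp host 10.20.0.5 object-group WEBFARM eq 80
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Hand the decrypted LB -> server leg to the SSM. The class matches at connection
! setup, so both directions of each matched connection are redirected.
access-list IPS_TRAFFIC extended permit tcp host 10.20.0.5 object-group WEBFARM eq 80
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
service-policy global_policy global
```

Two points a practitioner would check before deploying this. First, the dmz_in ACL assumes the CSS source-NATs the connections it opens to the farm, so that the servers see 10.20.0.5 as the client and their replies return through the CSS; if the CSS preserves the original client address, the servers' default gateway (the ASA inside interface) would route the replies straight towards the Internet and the connections would break, and the ACL would have to be widened accordingly. Second, `ips inline fail-open` keeps traffic flowing if the SSM fails or reloads; `fail-close` drops it instead, which is the safer choice for the only inspection point on the decrypted leg but turns an SSM outage into a web outage.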
01-14-2010 06:40 AM
Yes, I see your point.
I feel sorry for the physical interface that will see the traffic twice on its subinterfaces, but I believe this is a valid scenario given your restrictions.
PK