06-19-2014 02:03 AM - edited 03-11-2019 09:20 PM
Hi All,
I am in quite the predicament: my company offers a cloud-based infrastructure for customers who buy our software from us.
We have a pair of ASA 5525-X w/ IPS with multiple VLANs for each customer (inside) and one VLAN for our outside interface. These should be contexts, and we are convincing the business to make them context-based.
But at the moment, one of our salespeople has sold a solution to allow a customer to have their own physical firewalls and has now asked how we would go about it. The customer is committed to putting a pair of ASA 5515-X IPS devices into our data centres, but we are quite confused about how to put their ASA behind our edge ASA.
I can only assume we have two options:
1) We keep the NAT on our edge firewall and simply create another VLAN for this customer and put their firewall behind our edge. But then are we double NAT-ing now?
2) We provide a separate IP feed for this customer which goes directly into their physical firewalls, which we will manage.
We do not wish to make many changes on our edge firewall due to the number of customers we manage, so I do not know if enabling transparent mode would work either without impacting all our customers.
The traffic we serve is mainly HTTP/HTTPS, but this customer requires a VPN to keep their SQL DBs in sync with a search engine.
Any assistance would be greatly appreciated.
Thanks
Jazz
06-19-2014 02:51 AM
Hi Jazz,
Here are my suggestions for your query.
Options:
HTH
Regards
Karthik
06-19-2014 05:05 AM
Hi Karthik,
Thank you for the response. Going with the dual FW layer option, would the site-to-site VPN work in that scenario, as I think I would be double NAT-ing? Or just have a single NAT on the edge FW and open the ports for VPN on the edge to let the traffic pass through?
Thanks
Jazz
06-19-2014 05:21 AM
Hi Jazz,
You can NAT the public IP towards the private (outside) interface IP of the customer FW and make the edge ASA a pass-through and NAT FW to get that to work. It will work as expected; I have deployed such a setup in my experience. Apart from the double work you do in both firewalls, nothing else is hard here. It works technically.
HTH
Regards
Karthik
06-20-2014 08:05 AM
Hi Karthik,
How would you make the edge ASA a pass-through?
06-20-2014 08:38 AM
Hi Jazz,
Edge Firewall:
So the edge firewall will be used as a pass-through and NAT/PAT FW.
Dedicated Customer Firewall:
E.g. attached with a sample.
HTH
Regards
Karthik
06-19-2014 05:09 AM
If you have some spare public IPs that are being routed to the outside IP of your edge ASA, you could NAT that public IP to the new customer ASAs and then establish a site-to-site VPN using that public IP.
Another option would be to establish a site-to-site VPN with your edge ASA and in the crypto ACL only permit traffic to and from the required networks. Then the traffic will be routed to the new ASAs, filtered, and sent to its destination.
--
Please remember to select a correct answer and rate helpful posts
06-20-2014 08:08 AM
Hi Marius, we do have some spare public IP addresses, but how would I create the public NAT on the customer FW, as wouldn't all the mappings of public IP addresses be pointed to the edge ASA?
Thanks
Jazz
06-20-2014 08:39 AM
You have spare public IPs which should all either be part of the same subnet as the public IP configured on your edge ASA, or at least your ISP should be routing them to your edge ASA.
What you do then is configure a NAT statement which translates that public IP to your customer's ASA virtual IP (I am assuming you will have them set up in an active/standby setup).
So, I would suggest (in the absence of an ASA context to use) configuring a VLAN on the switch that connects to your edge ASA that is dedicated to your customer. Then on your edge ASA either allocate a dedicated interface for that VLAN (this would be the best solution); if you do not have a dedicated interface to use, create another subinterface on the inside interface and allocate it to your chosen VLAN.
Next, create an object group that matches the virtual IP of your customer's outside interface:
! Edge ASA: 1:1 static NAT of the spare public IP to the customer ASA's outside (virtual) IP.
! Use the spare public IP here, not "static interface": "interface" would map the edge's own
! outside address, which the other customers' PAT already uses.
object network NEW_CUSTOMER
 host <CUSTOMER ASA private IP>
 nat (cust_int,outside) static <SPARE PUBLIC IP>
Of course, depending on what services you are providing the customer, you might want to restrict the ports that are allowed, either through an ACL and/or in the NAT statement.
You will also need an ACL entry allowing inbound traffic to the new customer ASA. The following will allow for remote-access IPsec VPN. If you are using AnyConnect the port is 443 unless you have manually changed that.
! Edge ASA, inbound on outside. On ASA 8.3+ interface ACLs match the real (untranslated)
! address, so the destination is the customer ASA's private IP. Only one ACL can be bound
! per interface and direction: if outside already has an inbound ACL, add these lines to it.
access-list CUST_ACL extended permit udp any host <CUSTOMER ASA private IP> eq 500
access-list CUST_ACL extended permit udp any host <CUSTOMER ASA private IP> eq 4500
access-group CUST_ACL in interface outside
Now, if the client machines, servers, etc. behind the customer's ASAs need access to the internet for updates or whatever (keep in mind that in the scenario I am laying out, customers will access resources over the VPN only), you will need to translate the subnet behind the customer ASAs to the virtual outside IP of the customer ASA.
! Customer ASA: dynamic PAT of the customer LAN to its own outside (virtual) IP.
object network CUST_LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
Hope I explained that well enough.
--
Please remember to select a correct answer and rate helpful posts
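As an added walk-through (not part of Marius's answer, and not Cisco code), the following Python models the two NAT layers the thread settles on: the edge ASA mapping a spare public IP 1:1 to the customer ASA's outside address, the edge ACL admitting only IKE and NAT-T, and the customer ASA PATing its LAN behind that address. It answers Jazz's double-NAT question by tracing packets in both directions and shows why UDP 4500 has to be open: IKE detects the NAT and moves to NAT-T. All addresses, ports and the `Packet`/`CustomerAsa` names are constructed for the example.

```python
"""Walk-through of the two NAT layers discussed in the thread: the edge ASA mapping a
spare public IP 1:1 to the customer ASA's outside address, and the customer ASA PATing
its LAN behind that address. Added example, not from the thread; all addresses are
constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass, replace
import ipaddress

EDGE_OUTSIDE_IP = "203.0.113.1"     # edge ASA outside interface, shared by other customers
SPARE_PUBLIC_IP = "203.0.113.50"    # spare public IP the ISP routes to the edge ASA
CUST_ASA_OUTSIDE_IP = "10.50.0.2"   # customer ASA outside (virtual) IP on its dedicated VLAN
CUST_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_PEER = "198.51.100.7"        # customer's remote site, the IPsec peer


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


# Edge ACL bound inbound on 'outside'. Post-8.3 ASAs match the real (untranslated)
# destination, so the entries name the customer ASA's private IP, not the public one.
EDGE_ACL = [("udp", CUST_ASA_OUTSIDE_IP, 500), ("udp", CUST_ASA_OUTSIDE_IP, 4500)]


def edge_inbound(pkt):
    """Edge ASA, packet arriving on 'outside': un-NAT the destination, then apply the ACL."""
    if pkt.dst == SPARE_PUBLIC_IP:
        pkt = replace(pkt, dst=CUST_ASA_OUTSIDE_IP)  # static 1:1 object NAT, inbound direction
    permitted = any(pkt.proto == p and pkt.dst == d and pkt.dport == port
                    for p, d, port in EDGE_ACL)
    return pkt if permitted else None


def edge_outbound(pkt):
    """Edge ASA, packet leaving via 'outside': the same static NAT applied to the source."""
    if pkt.src == CUST_ASA_OUTSIDE_IP:
        return replace(pkt, src=SPARE_PUBLIC_IP)
    return pkt  # other sources would hit the existing interface PAT; not modelled here


class CustomerAsa:
    """Customer ASA with 'nat (inside,outside) dynamic interface' for its LAN."""

    def __init__(self):
        self.next_port = 1024
        self.xlate = {}  # (real src, real sport) -> mapped sport

    def outbound(self, pkt):
        if ipaddress.ip_address(pkt.src) not in CUST_LAN:
            return pkt  # e.g. the ASA's own IKE traffic, sourced from its outside IP
        key = (pkt.src, pkt.sport)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=CUST_ASA_OUTSIDE_IP, sport=self.xlate[key])


def inbound_ike_reaches_customer_asa():
    """Remote peer opens IKE to the spare public IP; it lands on the customer ASA's real IP."""
    out = edge_inbound(Packet("udp", REMOTE_PEER, SPARE_PUBLIC_IP, 500, 500))
    return out.dst if out else None


def inbound_sql_is_blocked():
    """Direct SQL to the spare public IP is dropped: the ACL only admits IKE and NAT-T."""
    return edge_inbound(Packet("tcp", REMOTE_PEER, SPARE_PUBLIC_IP, 40000, 1433)) is None


def lan_host_as_seen_by_internet():
    """A LAN host is translated twice: customer PAT first, then the edge static NAT."""
    pkt = Packet("tcp", "192.168.1.10", REMOTE_PEER, 50000, 443)
    pkt = edge_outbound(CustomerAsa().outbound(pkt))
    return pkt.src, pkt.sport


def ike_port_after_nat_discovery():
    """IKE NAT discovery: the customer ASA hashes its own outside IP into the NAT-D payload;
    the peer compares that with the source IP it actually sees. A mismatch means a NAT is
    in the path, so both sides move to UDP 4500 (NAT-T). That is why 4500 must be permitted."""
    ike = Packet("udp", CUST_ASA_OUTSIDE_IP, REMOTE_PEER, 500, 500)
    seen_by_peer = edge_outbound(CustomerAsa().outbound(ike))
    nat_in_path = seen_by_peer.src != CUST_ASA_OUTSIDE_IP
    return 4500 if nat_in_path else 500


if __name__ == "__main__":
    print("IKE lands on:", inbound_ike_reaches_customer_asa())
    print("SQL to the spare IP blocked at edge:", inbound_sql_is_blocked())
    print("LAN host seen by the internet as:", lan_host_as_seen_by_internet())
    print("IKE port after NAT discovery:", ike_port_after_nat_discovery())
```

The model deliberately leaves the edge's own interface PAT out: the point is that the customer's flows never touch it, which is why the static NAT must name the spare public IP rather than the edge's outside interface.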