
ASA design

mohammedrafiq
Level 1

Hi,

We currently have a Checkpoint external firewall, internet facing; behind it we have a Cisco ASA for VPN (for external users' remote access).

Now we have a requirement to replace these two old firewalls with a new Cisco ASA 5555-X firewall and merge both firewalls (Checkpoint and old ASA) into the new 5555-X ASA.

After a discussion with the network team, they are suggesting this is not a good design and might be a security risk, combining both the external internet-facing firewall and the remote access VPN ASA into one ASA.

Please can you share your opinion on this approach, and whether anyone has a similar setup?

Regards,

Accepted Solution

bezcomservices
Level 1


Both designs are valid, with cost and flexibility usually becoming the deciding factor.

Your current design is essentially a single firewall with a remote access VPN sitting behind a firewall (unless you omitted that this is also an inside firewall).
The VPN ASA does not perform any firewall functions - it's a remote access gateway, and there really is no point in having this behind the Checkpoint.
VPN connections are encrypted; you wouldn't be inspecting the encrypted SSL traffic anyway, and you just put more load on the Checkpoint.

That being said, there are advantages to separating the functionality.

You can run separate code on the ASA acting as a firewall and on the VPN ASA.
This is useful in scenarios where you may need a new security feature in one code version that introduces a VPN bug, allowing you to utilise the new feature set whilst not impacting VPN.
Essentially, this allows you to run the most stable code for the features and specific functionality you require.

It also allows you to perform upgrades on the VPN ASA without impacting your firewall edge, and vice versa.

You also have the option down the track to deploy a second FW ASA and run it in clustering for increased throughput.
If you combine the SSLVPN and FW functionality you can only deploy HA in an Active / Standby model.

The best place to start would be to review Cisco validated internet edge design and go from there:
http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Oct2015/Internet_Edge_Design_Oct2015.pdf

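One concrete check worth doing if the two roles are merged onto the same ASA, added here as an illustration and not part of either post above: by default the ASA sets `sysopt connection permit-vpn`, which lets decrypted remote-access traffic bypass the outside interface ACL entirely. On a standalone VPN box behind a separate firewall that is usually harmless; on a combined edge box it means every remote user lands on the inside with no firewall policy applied. The fragment below shows that default beside the corrected form, where decrypted traffic is subjected to interface ACLs and a per-group `vpn-filter` restricts what remote users can reach. Interface names, addresses (RFC 1918 / RFC 5737 ranges), pool, ACL and group names are all assumptions chosen for the example.

```cisco
! Added example: combined internet-edge + remote-access ASA.
! All names and addresses below are assumed for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Address pool handed to remote-access clients (assumed range)
ip local pool RA-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
!
! WEAK SETTING (ASA default, so it does not appear in a normal "show run"):
! decrypted VPN traffic skips the outside interface ACL and reaches the inside
! network with no firewall policy at all.
!   sysopt connection permit-vpn
!
! CORRECTED: make decrypted VPN traffic subject to interface ACLs like any
! other traffic entering the outside interface ...
no sysopt connection permit-vpn
!
! ... and add a per-group filter so remote users only reach what they need.
! vpn-filter ACLs are written client -> internal resource: the source is the
! remote client (pool) address, the destination is the local network.
access-list RA-FILTER extended permit tcp 10.200.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 443
access-list RA-FILTER extended permit udp 10.200.0.0 255.255.255.0 host 10.0.0.53 eq 53
access-list RA-FILTER extended deny ip any any
!
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 vpn-filter value RA-FILTER
!
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
!
! The outside interface ACL must still permit the VPN service itself
! (AnyConnect SSL on tcp/443 and DTLS on udp/443); that ACL is not shown here.
```

To see whether a box is running with the default, use `show running-config all sysopt`: the plain `show running-config` hides defaults, so `sysopt connection permit-vpn` being absent from it does not mean it is off. Keep the `vpn-filter` even after disabling the sysopt; the interface ACL expresses what the edge allows in general, while the group filter expresses what a remote user specifically should reach, and the two fail independently.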
