
ASA Proper Deployment Topology?

ArchiTech89
Level 1

Simple question...

I thought in enterprise designs, one would first place a router on the edge facing the provider, put an ASA firewall inside of that -- with a segment off the ASA for the DMZ -- then place another router inside that directing traffic to the internal network.

Is this correct as a deployment strategy for enterprise edges?

What about for medium networks with perhaps only a few additional sites connected via VPN? Or small networks with just a single site?

Is it wise/proper to place a firewall on the outside edge (next in line after the modem/DTE) from a service provider?

Thanks in advance...

jeremyNLSO
Berlin, Germany

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany

6 Replies

David paull
Level 1

Well, if you only have one public IP address, and you're needing VPN access for users, then yes, you're going to want to have your ASA's outside interface assigned a publicly-routable IP address.

 

Public addresses should also be assigned to all production networks in the DMZ as well.  So if you have a router as your edge device, you still want to have that ASA in the DMZ publicly-reachable.

 

Hosts in a Data Center should also have a public address as well.

 

Hope that helps.

So,

- If I have a /28 for example from the service provider and I want to use redundant links to the SP or whatever, I'd likely place a router on the outer edge because I need multiple interfaces. Does that sound like it makes sense?

- And if I have that same /28 and have web, DNS, and SMTP servers in a DMZ, I'd likely perform a NAT over the ASA from my pool of public IPs. Am I getting that right?

Q. Is it usually best practice to configure the outside interface on the ASA with a public IP, even if it's inside an edge router? Why or why not?

Q. If you're connecting to remote sites via VPN or MPLS or whatever, you use your own internal addressing. Such a scenario would make it more likely that you'd place a router on the edge outside of the ASA, right, because then you'd need multiple links?

Q. If that IS the case and it was of the VPN variety, would one be better off terminating the VPN on the edge router or on the ASA?

If you could point me to any cool discussion of various ASA scenarios I'd be grateful. I've looked, but only found an older Cisco webpage that seems pretty limited in its scope...

Thanks in any event. My "simple question" was definitely well-answered.

jeremyNLSO
Berlin, Germany

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany

- If I have a /28 for example from the service provider and I want to use redundant links to the SP or whatever, I'd likely place a router on the outer edge because I need multiple interfaces.

 

I think for the most part that sounds right.  I believe that if you intend to load balance the traffic that's being passed through in any way, then the router is the man for the job.  When you say "redundant link" though, I think of something that can "be removed without loss of function" -- which an ASA is capable of.  From ciscopress: "To keep an ASA interface up and active all the time, you can configure physical interfaces as redundant pairs. As a redundant pair, two interfaces are set aside for the same ASA function (inside, outside, and so on), and connect to the same network. Only one of the interfaces is active at any given time; the other interface stays in a standby state. As soon as the active interface loses its link status and goes down, the standby interface becomes active and takes over passing traffic."

 

- And if I have that same /28 and have web, DNS, and SMTP servers in a DMZ, I'd likely perform a NAT over the ASA from my pool of public IPs. Am I getting that right?

 

If you have DNS or SMTP servers, and they only need to be accessed internally (or internally through an s2s or GRE tunnel), then they can have a private IP address.  If, however, you intend to have your DNS server, or your Web Server, for example, publicly accessible, then you would want to have them assigned a public IP address directly.

 

Q. Is it usually best practice to configure the outside interface on the ASA with a public IP, even if it's inside an edge router? Why or why not?

 

It depends on the use of the ASA.  If it's simply to filter traffic coming into / going out of your network then no.  If it's publicly accessible, meaning it will be used to terminate IPsec VPN tunnels or SSL VPN connections, then yes, it should be configured with a public IP address.  That's so it is routable from the internet.

Q. If you're connecting to remote sites via VPN or MPLS or whatever, you use your own internal addressing. Such a scenario would make it more likely that you'd place a router on the edge outside of the ASA, right, because then you'd need multiple links?

Not necessarily.  Maybe there's a router (or L3 switch) behind your ASA and edge router -- and you route VPN traffic to your ASA and internet traffic through your router.  Maybe there's another router down the line further that's connected to the MPLS.  Your setup here is probably going to highly depend on the sensitivity of your network and whether you need to follow certain government regulations such as TIC Compliance.  If not, you're pretty free to do your thing, route however you see fit, and have devices for.

Q. If that IS the case and it was of the VPN variety, would one be better off terminating the VPN on the edge router or on the ASA?

The ASA in my opinion is a much better device to terminate S2S tunnels for a few reasons.  First, that's what it was designed to do.  Second, the underlying operating system is much easier to work with (in my opinion) when it comes to NAT'ing, TWICE-NAT (multiple vendors accessing the same internal resource, at the same time), testing connectivity, and capturing packets for troubleshooting purposes.

 

If you could point me to any cool discussion of various ASA scenarios I'd be grateful. I've looked, but only found an older Cisco webpage that seems pretty limited in its scope...

I'd say start making a topology and play around with s2s connections and just have fun.  I recommend GNS3 (and ASA 8.4) -- as the ASA 5505 that is available in Packet Tracer is rather limited...basically any time I try to do anything in Packet Tracer, I end up quitting because something isn't included.

Get your network up and running, monitor with SolarWinds, and just leave it running on a spare machine.  As you get interested in different topics, start adding on to your network with different topologies.

Sometimes I have fun playing around in GNS3 with some of the exact things you asked about -- trying to make things work with a small pool of one or two public IP addresses.  My organization has a pool of over 800,000 public IP addresses -- so sometimes that takes the fun out of a lot of stuff.  Sometimes it also narrows the scope down of what you can and can't do as well.  That's what GNS3 is for...fun.

 

David

Great post.

The only thing I would add is that your organisation does have a lot of public IPs.

For many companies assigning public IPs to servers isn't practical especially with something like a /28 so a lot of them still use private addressing on their DMZ servers and then NAT with the public IPs.

Means they have more flexibility in terms of how many servers they can host.

Jon
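As an added illustration of the edge design David and Jon describe (firewall facing the ISP, a /28 from the provider, a redundant outside pair, DMZ servers kept on private addresses and published with static NAT), here is a constructed ASA 8.4-style configuration fragment. It is not from anyone in this thread; the interface numbers, object names and documentation-range addresses are all assumed.

```text
! Constructed example, not from the thread. Addresses are RFC 5737
! documentation ranges; 203.0.113.0/28 stands in for the provider /28
! with 203.0.113.1 as the ISP gateway and 203.0.113.2 on the ASA.
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! DMZ servers keep private addresses; each is published on one public
! IP from the /28, so the pool is not consumed by server subnets.
object network DMZ-WEB
 host 10.20.0.10
 nat (dmz,outside) static 203.0.113.3
object network DMZ-DNS
 host 10.20.0.11
 nat (dmz,outside) static 203.0.113.4
object network DMZ-SMTP
 host 10.20.0.12
 nat (dmz,outside) static 203.0.113.5
!
! Inside users share the outside interface address (dynamic PAT).
object network INSIDE-NET
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Post-8.3 ACLs match the real (private) address, and only the
! published services are opened from the outside.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq www
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq https
access-list OUTSIDE_IN extended permit udp any object DMZ-DNS eq domain
access-list OUTSIDE_IN extended permit tcp any object DMZ-DNS eq domain
access-list OUTSIDE_IN extended permit tcp any object DMZ-SMTP eq smtp
access-group OUTSIDE_IN in interface outside
```

If the ASA is instead placed behind an edge router, the same NAT and ACL lines apply unchanged; only the outside addressing and default route move to whatever the router hands the firewall.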

To everyone:

I am so grateful for all the killer info. I sometimes feel I'm spinning my wheels trying to get a feel. I also appreciate the suggestion to use GNS3, which I'm delving much deeper into as of late. Good stuff.

Thanks again and cheers!

jeremyNLSO
 

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany

Jon Marshall
Hall of Fame

There is nothing wrong with connecting your firewall direct to the ISP, it all depends on your requirements.

Bear in mind that the firewall router combination has been around for a long time and back in the day ISPs would present, for example, serial connections to the customer which firewalls don't support so a router was needed in between.

Nowadays that isn't usually a concern so if you don't need a router then there is nothing wrong with connecting the firewall directly.

You may still need a router if you are terminating multiple ISPs and want to send certain traffic via one ISP and other traffic to the other ISP, although with PBR due very soon for the ASAs I suspect that will mean even fewer routers deployed between you and the ISP.

As with pretty much everything else around your internet edge design it really comes down to IP addressing in terms of public IPs as to what you can and can't do and David was spot on when he said if you only get a single public IP you wouldn't want a router between you and the ISP because you want that IP on your firewall.

Makes everything a lot easier.

Jon
