My customer is designing an architecture with two networks - internal and external. In between these two networks will be a DMZ where a layer 7 gateway device will reside. This layer 7 device (which could be from Layer 7 - SecureSpan SOA Gateway - see http://www.layer7tech.com/products/soa-gateway) will act as a mediation and policy enforcement point between the internal and external networks using XML. This device is required as there is a requirement for different applications to send and receive different data. The XML is used to accomplish this.
My customer would want to use ASA firewalls to bookend the DMZ. Their question: "Do the ASA 55XX firewalls communicate via XML and are they a layer 7 device?"
Also, are two firewalls required? Which ASA would work?
While ASA can provide inspection of certain protocols, it does not provide XML inspection. If you configure your traffic policies correctly, you can allow XML communication from outside to DMZ and from DMZ to inside, depending on your requirements.
For your deployment, one firewall would be sufficient, but you could use two identical appliances to provide high availability.
Choosing the right firewall depends on other parameters:
- what is the bandwidth required across this firewall
- do you wish to terminate VPNs on this firewall? If so, how many?
- how many and which physical interfaces do you require
You can find the current datasheets at the links below:
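To illustrate the "configure your traffic policies correctly" point above, here is an added ASA configuration fragment (not from the original post or from Cisco's documentation) that permits only the XML-over-HTTPS paths through the DMZ and denies everything else. All interface names, addresses (RFC 5737 documentation ranges) and object names are assumed for the example; the ASA only controls which TCP flows reach the gateway, while the XML-level policy enforcement remains the job of the layer 7 device in the DMZ.

```cisco
! Three security zones: outside (0), dmz (50), inside (100)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Assumed hosts: the layer 7 XML gateway in the DMZ and the internal application it mediates for
object network XML_GATEWAY
 host 192.0.2.10
object network INTERNAL_APP
 host 10.0.0.20
!
! Outside -> DMZ: external partners may only reach the gateway, and only on HTTPS
access-list OUTSIDE_IN extended permit tcp any object XML_GATEWAY eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! DMZ -> inside: only the gateway may initiate to the internal application, only on HTTPS.
! Applying an ACL here overrides the default "higher security level is reachable" behaviour,
! so a compromised DMZ host cannot reach anything else on the inside; denies are logged.
access-list DMZ_IN extended permit tcp object XML_GATEWAY object INTERNAL_APP eq https
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Return traffic for the permitted flows is handled by the ASA's stateful inspection, so no reverse ACL entries are needed; NAT for the gateway's public address is omitted here.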