dstehle
Beginner

ASA selection

My customer is designing an architecture with two networks - internal and external. In between these two networks will be a DMZ where a layer 7 gateway device will reside. This layer 7 device (which could be from Layer 7 - SecureSpan SOA Gateway - see http://www.layer7tech.com/products/soa-gateway) will act as a mediation and policy enforcement point between the internal and external networks using XML. This device is required as there is a requirement for different applications to send and receive different data. The XML is used to accomplish this.

My customer would want to use ASA firewalls to bookend the DMZ. Their question: "Do the ASA 55XX firewalls communicate via XML and are they a layer 7 device?"

Also, are two firewalls required? Which ASA would work?

Thanks,

David Stehle

1 REPLY
stojanr
Beginner

While ASA can provide inspection of certain protocols, it does not provide XML inspection. If you configure your traffic policies correctly, you can allow XML communication from outside to DMZ and from DMZ to inside, depending on your requirements.

For your deployment, one firewall would be sufficient, but you could use two identical appliances to provide high availability.

Choosing the right firewall depends on other parameters:

- what is the bandwidth required across this firewall

- do you wish to terminate VPNs on this firewall? If so, how many?

- how many and which physical interfaces do you require

...

You can find the current datasheets at the links below:

Small and SoHo appliances:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html

Internet Edge appliances:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html