I've recently come into the firewall world with the Cisco ASA and have done troubleshooting on it, together with the creation of changes. I have installed a few on smaller sites. I'm now facing a challenge that would require me to look into a design. I must collaborate with some other system engineers on this.
I have uploaded a rough drawing from Visio to illustrate the design. We have 2 data centers, one is active and one is standby. On the active data center we will install 2 ASAs for HA and the backup data center will have 1 ASA. Our data centers are connected to a controlled WAN 'Our Wan' with other sites, and each site will have a local ASA firewall. The point is to have the sites be able to reach the data centers and the internet, of course. I suppose here we can make ACLs on the ASA to control who can access what in the data center and to the internet. I still need specifics on which type of traffic should be allowed from these sites towards the data center & the internet.
I would consider this controlled WAN as a security level 100 in the ASA configuration, would this be correct? How would it be set up then for the ASA on the sites, since they will have an interface to the local LAN of that site and one to the WAN? I'm not sure on how I would configure the interface on the ASA in the data center.
There are other sites as well who will connect via the public internet; these will be VPN tunnels. I would configure them as Site to Site IPSEC tunnels because on the sites there will also be an ASA. How do I control that these tunnels can reach certain parts of the network? I would say the DMZ with the servers and the other sites on the WAN. Would I need to create ACLs on the Main Data center firewall per VPN tunnel?
ASA used in the process:
ASA 5506 w Firepower: VPN locations over the internet
ASA 5512 w Firepower: Sites that will have less than 20 Mb connection speed
ASA 5515 w Firepower: Sites that have 50 Mb connection speed
ASA 5525 w Firepower: Data center sites
I guess the way you implement the ACLs on the different sites depends mainly on how controlled the traffic needs to be between your INTERNAL sites (sites behind VPN also).
With regards to the remote sites I would consider doing the LAN interface ACL rules the following way:
The above is just a suggestion based on a quick glance at your picture. What I try to accomplish with the above is that
With regards to the WAN interface ACL on each site I would still probably configure an interface ACL even though we just limited traffic straight at each site's LAN interface. I imagine you don't have full control of all the devices between all the sites on your WAN, so that is why I would by default block all traffic from the WAN interface of each WAN site.
What you could do I guess is use the same "object-group" we created earlier to allow ALL traffic through the WAN interface of each site and then block all other traffic inbound on the WAN interface. This would accomplish that no INTERNAL traffic would be blocked by a remote site's ASA, but it would also mean that while you only allowed traffic from INTERNAL subnets it would still block any other traffic from your WAN network. I am not sure if there is any big risk of any malicious traffic being generated from somewhere on your WAN network that you don't control, but I guess this would prevent it from getting through the different sites' ASAs' WAN interfaces while still allowing traffic between different INTERNAL subnets.
All of the above that I have suggested would probably better apply to all the different remote sites. I would imagine that you would be better off having a bit more specific/different rule set on the main firewalls (Datacenter) since I guess they would host most of your servers.
With regards to the VPN related ACLs I guess your situation would already be solved by the above LAN interface ACLs that I suggested. Since the rules on each VPN remote site's LAN interface would block all INTERNAL traffic for which there is no specific rule, this would mean no unintended traffic would even go through the VPN connections and to the DATACENTERS and INTERNAL subnets behind them.
If you were to go with another approach that would not control the traffic generated from the LANs (behind the VPN connections) at all, then you would naturally want to control the traffic on the DATACENTER ASA.
If you prefer that you handle all traffic control on the WAN interface ACL of the DATACENTER ASA then you would need to change one default setting of the ASA. You would need to add the command
no sysopt connection permit-vpn
With the above command you will be able to create the rules for the remote sites straight in the WAN interface (inbound) ACL of the DATACENTER ASA, just like rules for any inbound traffic/connections from the Internet. In many situations I prefer this approach myself.
Without this command (default setting is "sysopt connection permit-vpn") the ASA will by default allow ALL traffic that is coming through a VPN connection that is configured on the ASA. Even if you have a WAN interface ACL that blocks all traffic, if the ASA is on the default setting with regards to the above command then the traffic will go through the ASA.
Your other option is to leave the default setting on the ASA and use a VPN Filter ACL per VPN connection if possible. This will let you control each VPN connection's connections to your INTERNAL subnets with a separate VPN Filter ACL. In some situations this is also a good solution. I guess I would personally prefer this approach if there are several sites connecting through VPN.
I noticed this post was made almost a month ago so I am not sure if you are checking this anymore, but hope this helps :)
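A concrete ASA configuration for the scheme described in the answer above, as an added example that is not part of the original thread. The interface nameifs (inside, wan, outside), object-group names, subnets (RFC 1918 and RFC 5737, constructed) and the VPN peer address are all assumptions; it shows the remote-site LAN and WAN interface ACLs, then for the data center ASA both alternatives: `no sysopt connection permit-vpn` with the VPN rules in the outside inbound ACL, or the default setting with a per-tunnel vpn-filter.

```cisco
! ---- Remote-site ASA (assumed nameifs: LAN = "inside", WAN = "wan") ----
! Constructed addresses: this site 10.20.0.0/16, all INTERNAL 10.0.0.0/8,
! data center servers 10.1.10.0/24
object-group network INTERNAL_SUBNETS
 network-object 10.0.0.0 255.0.0.0
object-group network DC_SERVERS
 network-object 10.1.10.0 255.255.255.0
!
! LAN inbound ACL: permit only the specific INTERNAL traffic this site needs,
! deny all other INTERNAL destinations, then let the rest (Internet) through.
access-list INSIDE_IN extended permit tcp 10.20.0.0 255.255.0.0 object-group DC_SERVERS eq 443
access-list INSIDE_IN extended permit udp 10.20.0.0 255.255.0.0 object-group DC_SERVERS eq 53
access-list INSIDE_IN extended deny ip any object-group INTERNAL_SUBNETS log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! WAN inbound ACL: reuse the same object-group so INTERNAL-to-INTERNAL traffic is
! never blocked at this hop, and drop anything else arriving from the WAN.
access-list WAN_IN extended permit ip object-group INTERNAL_SUBNETS object-group INTERNAL_SUBNETS
access-list WAN_IN extended deny ip any any log
access-group WAN_IN in interface wan
!
! ---- Data center ASA, option A: filter VPN traffic in the outside interface ACL ----
! Without this line, decrypted VPN traffic bypasses OUTSIDE_IN (default permit-vpn).
no sysopt connection permit-vpn
! Remote VPN site LAN 192.168.10.0/24 (constructed) is now matched like any Internet source.
access-list OUTSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 object-group DC_SERVERS eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! ---- Data center ASA, option B: keep the default and attach a vpn-filter per tunnel ----
! vpn-filter ACLs are written with the REMOTE (VPN) network as the source; anything the
! filter does not permit is dropped for that tunnel only, in both directions.
access-list VPNFILTER_SITEA extended permit tcp 192.168.10.0 255.255.255.0 object-group DC_SERVERS eq 443
group-policy GP_SITEA internal
group-policy GP_SITEA attributes
 vpn-filter value VPNFILTER_SITEA
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_SITEA
```

Pick one of the two data center options per ASA: with `no sysopt connection permit-vpn` in place, a vpn-filter and the interface ACL are both evaluated, so a tunnel needs a matching permit in each.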