

Assistance with Cisco ASA Design



I've recently come into the firewall world with the Cisco ASA and have done troubleshooting on it, together with the creation of changes. I have installed a few on smaller sites. I'm now facing a challenge that would require me to look into a design. I must collaborate with some other system engineers on this.


I have uploaded a rough drawing from Visio to illustrate the design. We have 2 data centers, one is active and one is standby. On the active data center we will install 2 ASAs for HA and the backup data center will have 1 ASA. Our data centers are connected to a controlled WAN ('Our WAN') with other sites; each site will have a local ASA firewall. The point is to have the sites be able to reach the data centers and the internet, of course. I suppose here we can make ACLs on the ASA to control who can access what in the data center and to the internet. I still need specifics on which type of traffic should be allowed from these sites towards the data center & the internet.

I would consider this controlled WAN as security level 100 in the ASA configuration, would this be correct? How would it be set up then for the ASA on the sites, since they will have an interface to the local LAN of that site and one to the WAN? I'm not sure how I would configure the interface on the ASA in the data center.


There are other sites as well who will connect via the public internet; these will be VPN tunnels. I would configure them as site-to-site IPsec tunnels because on the sites there will also be an ASA. How do I control that these tunnels can reach certain parts of the network, I would say the DMZ with the servers and the other sites on the WAN? Would I need to create ACLs on the main data center firewall per VPN tunnel?


ASA used in the process:


ASA 5506 w Firepower: VPN locations over the internet

ASA 5512 w Firepower: Sites who will have less than 20 Mb connection speed

ASA 5515 w Firepower: Sites who have 50 Mb connection speed

ASA 5525 w Firepower: Data center sites







I guess the way you implement the ACLs on the different sites depends mainly on how controlled the traffic needs to be between your INTERNAL sites (sites behind VPN also).


With regards to the remote sites I would consider doing the LAN interface ACL rules the following way:

  • Configure each site with an "object-group network <name>" which contains ALL your internal subnets (LANs, DMZs, etc.)
  • Configure each remote site's ASA (either in your WAN or behind VPN) LAN interface with an ACL that will block ALL traffic towards other INTERNAL subnets using the above created "object-group"
  • If there are any other external subnets/locations (WAN operator subnets, certain public IPs/subnets etc.) you can create their own "object-group" for those on each ASA and use it to block traffic in the LAN interface ACLs
  • Next allow ALL traffic in the LAN interface ACLs to "any" destination address to make sure that users have access to the Internet. Since we originally blocked specific INTERNAL or EXTERNAL subnets at the start of the ACL, this "any" destination rule will only apply to EXTERNAL subnets.
    • You can modify the above rule by only allowing the protocol/port which services the users need instead of allowing all TCP/UDP traffic
  • Finally you will add rules to the very top of the LAN interface ACL where you will allow specific traffic (based on protocol and port) towards different INTERNAL LAN/DMZ subnets. These rules naturally will have to be at the top of the ACL because otherwise the previous "deny" rule that we did would block the traffic.


The above is just a suggestion from a quick glance at your picture. What I try to accomplish with the above is that:

  • Only specific/required traffic is allowed to other LAN/DMZ subnets
  • No needless traffic leaves through the site's WAN connection, so it does not cause any extra load on the different WAN connections on the local or remote sites (even though the load might be minor)
  • All other traffic is allowed, and the site-specific rules towards EXTERNAL networks would be done on the ASA that hosts your EXTERNAL connection.


With regards to the WAN interface ACL on each site, I would still probably configure an interface ACL even though we just limited traffic straight at each site's LAN interface. I imagine you don't have full control of all the devices between all the sites on your WAN, so that is why I would by default block all traffic from the WAN interface of each WAN site.


What you could do, I guess, is use the same "object-group" we created earlier to allow ALL traffic through the WAN interface of each site and then block all other traffic inbound on the WAN interface. This would accomplish that no INTERNAL traffic would be blocked by a remote site's ASA, but it would also mean that while you only allowed traffic from INTERNAL subnets it would still block any other traffic from your WAN network. I am not sure if there is any big risk of any malicious traffic being generated from somewhere on your WAN network that you don't control, but I guess this would prevent it from getting through the different sites' ASAs' WAN interfaces while still allowing traffic between different INTERNAL subnets.



All of the above that I have suggested would probably better apply to all the different remote sites. I would imagine that you would be better off having a bit more specific/different rule set on the main firewalls (Datacenter) since I guess they would host most of your servers.



With regards to the VPN related ACLs, I guess your situation would already be solved by the above LAN interface ACLs that I suggested. Since the rules on each VPN remote site's LAN interface would block all INTERNAL traffic for which there is no specific rule, this would mean no unintended traffic would even go through the VPN connections and to the DATACENTERS and INTERNAL subnets behind them.


If you were to go with another approach that would not control the traffic generated from the LANs (behind the VPN connections) at all, then you would naturally want to control the traffic on the DATACENTER ASA.


If you prefer to handle all traffic control on the WAN interface ACL of the DATACENTER ASA, then you would need to change one default setting of the ASA. You would need to add the command


no sysopt connection permit-vpn


With the above command you will be able to create the rules for the remote sites straight in the WAN interface (inbound) ACL of the DATACENTER ASA, just like rules for any inbound traffic/connections from the Internet. In many situations I prefer this approach myself.


Without this command (the default setting is "sysopt connection permit-vpn") the ASA will by default allow ALL traffic that is coming through a VPN connection that is configured on the ASA. Even if you have a WAN interface ACL that blocks all traffic, if the ASA is on the default setting with regards to the above command then the traffic will go through the ASA.


Your other option is to leave the default setting on the ASA and use a VPN Filter ACL per VPN connection if possible. This will let you control each VPN connection's connections to your INTERNAL subnets with a separate VPN Filter ACL. In some situations this is also a good solution. I guess I would personally prefer this approach if there are several sites connecting through VPN.


I noticed this post was made almost a month ago so I am not sure if you are checking this anymore, but hope this helps :)


- Jouni
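The following ASA configuration is an added worked example of the design described in the answer above; it is not configuration from the original post or from Jouni. It covers both the remote-site ACL layout (specific internal permits on top, then a deny towards the internal object-group, then the Internet rules) and the two ways of controlling VPN traffic on the data center ASA. Everything address-related is constructed: interface names "inside" (site LAN) and "outside" (WAN/Internet), site LAN 10.50.0.0/16, internal address space 10.0.0.0/8 and 172.16.0.0/12, data center servers 10.10.10.5, 10.10.10.6 and a DNS server 10.10.10.53, a VPN site LAN 10.60.0.0/16 with peer 203.0.113.10, and a placeholder pre-shared key. The IKE/IPsec crypto map configuration for the tunnel itself is left out, and the `DC_SERVERS` object-group is assumed to be defined on the data center ASA as well.

```text
! ================= Remote-site ASA (WAN site or VPN site) =================
! Assumed nameif values: inside = site LAN, outside = WAN or Internet.
! All addresses below are constructed for this example.
object-group network INTERNAL_NETS
 description All internal subnets (LANs, DMZs) across every site
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
object-group network DC_SERVERS
 description Data center servers this site is allowed to reach
 network-object host 10.10.10.5
 network-object host 10.10.10.6
object-group network EXTERNAL_BLOCKED
 description WAN-operator or other external ranges the LAN must never reach
 network-object 192.0.2.0 255.255.255.0

! LAN interface ACL. The ASA uses first match, so the order IS the design:
! 1) specific, port-based permits towards INTERNAL destinations go on top
access-list LAN_IN extended permit tcp 10.50.0.0 255.255.0.0 object-group DC_SERVERS eq 443
access-list LAN_IN extended permit udp 10.50.0.0 255.255.0.0 host 10.10.10.53 eq 53
access-list LAN_IN extended permit icmp 10.50.0.0 255.255.0.0 object-group DC_SERVERS echo
! 2) everything else towards INTERNAL (and blocked EXTERNAL) ranges is dropped and logged
access-list LAN_IN extended deny ip any object-group INTERNAL_NETS log
access-list LAN_IN extended deny ip any object-group EXTERNAL_BLOCKED log
! 3) what is left can only be Internet-bound; permit only the services users need
access-list LAN_IN extended permit tcp 10.50.0.0 255.255.0.0 any eq 80
access-list LAN_IN extended permit tcp 10.50.0.0 255.255.0.0 any eq 443
! explicit final deny with log, so blocked flows show up in the syslog for troubleshooting
access-list LAN_IN extended deny ip any any log
access-group LAN_IN in interface inside

! WAN interface ACL: only internal-to-internal traffic is accepted from the WAN,
! anything else arriving from devices you do not control is dropped and logged
access-list WAN_IN extended permit ip object-group INTERNAL_NETS object-group INTERNAL_NETS
access-list WAN_IN extended deny ip any any log
access-group WAN_IN in interface outside

! ============ Data center ASA, option A: rules in the WAN interface ACL ============
! Turning off the default makes VPN-decrypted traffic subject to the interface ACL,
! so the remote site's rules live next to the ordinary Internet inbound rules.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.60.0.0 255.255.0.0 object-group DC_SERVERS eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! ============ Data center ASA, option B: keep the default, use a vpn-filter ============
! Use A or B, not both. A vpn-filter ACL is written from the remote side's point of
! view (source = remote LAN, destination = local network); the ASA applies the
! matching return direction on its own.
access-list VPN_FILTER_SITE60 extended permit tcp 10.60.0.0 255.255.0.0 object-group DC_SERVERS eq 443
group-policy GP_SITE60 internal
group-policy GP_SITE60 attributes
 vpn-filter value VPN_FILTER_SITE60
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_SITE60
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK-CHANGE-ME
```

Two things worth checking after applying something like this: `show access-list LAN_IN` shows hit counts per line, which quickly reveals whether a flow is being caught by the deny towards `INTERNAL_NETS` because its specific permit sits below it instead of above, and `show running-config sysopt` confirms whether `sysopt connection permit-vpn` is still active on the data center ASA, since with the default in place the outside interface ACL never sees the VPN traffic at all.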