Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1058
Views
5
Helpful
7
Replies

Cisco ASA deployment on internal LAN

HAMID HUSSAIN
Level 1
Level 1

‎03-19-2018 09:34 PM - edited ‎02-21-2020 07:32 AM

i have Created a design for data center security with having internal firewall, please help me out to configure this firewall as i am not good in security.

the design is consist of  following,

2 Nexus N3K-C3524P-10GX switches for Server farm 

2 4507 Switches 

1 DC Firewall FPR2120-BUN 

1 WS-C2960X-24PS-L Switch

Have the attach diagram for reference.

 

Labels:
Preview file
19 KB
0 Helpful
7 Replies 7

Florin Barhala
Level 6
Level 6

‎03-20-2018 02:14 AM

Hello,

 

Couple observations:

1. It seems you spent some money to provide redundancy still you have only one firewall? Are the stakeholders aware of the risk of running this one FW only?

2. How do you intend to connect the FW to both HSRP enabled core SWs? Since you have one firewall only I would link it to only one core SWs.

3. What's the role of 2960 SW? 

4. What's behind the 2960 SW? Another firewall ? Is it just one FW or cluster?

5. What's the role required for the FPR2120 box? InterVlan routing? Internet access aka SNAT?

0 Helpful

HAMID HUSSAIN
Level 1
Level 1
In response to Florin Barhala

‎03-20-2018 12:35 PM

Q1, Can e connect a 2120 Firewall to both HSRP Enabled Switches? 

Behind 2960 there is a single firewall wwhich is connecting to Router, the firewall is using for internet trafic using PAT and VPN connectivity.

FPR 2120 firewall is protecting Server farm which is connected with two N3K-C3524P-10GX Switches.

0 Helpful

Florin Barhala
Level 6
Level 6
In response to HAMID HUSSAIN

‎03-21-2018 07:06 AM

I just reviewed your new design. It looks better if you ask me.

I think you can link the DC firewall to both 4500 SWs using a bridge group to bind two ASA interfaces. But then you will rely on STP which I wouldn't do unless this two wire requirement is very important for you.

Now let's address some old questions:
3. What's the role of 2960 SW?

4. What's behind the 2960 SW? Another firewall ? Is it just one FW or cluster?

5. What's the role required for the DC Firewall ? Internet access aka SNAT or just simulating a sort of DMZ?
0 Helpful

HAMID HUSSAIN
Level 1
Level 1
In response to Florin Barhala

‎03-26-2018 11:17 PM

Now let's address some old questions:
3. the role of 2960 switch is to connect Core switching and connectivity to Parameter firewall

4. there is only one firewall on edge of the network

5. the role of DC Firewall is provide web server proxy and Web server for the wan users 

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni

‎03-20-2018 03:32 AM

Have you thought about a DMZ?  or do you not need one?

Please remember to rate useful posts, by clicking on the stars below.

HAMID HUSSAIN
Level 1
Level 1
In response to Dennis Mink

‎03-20-2018 12:28 PM

NO, in proposed design we do not need the DMZ

0 Helpful

HAMID HUSSAIN
Level 1
Level 1
In response to HAMID HUSSAIN

‎03-20-2018 11:14 PM

Please review, i have re deign the network.

Preview file
72 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card