Cisco ASA IPS behind ASA CSC-SSM

cisco_realm · ‎08-23-2008

Greetings!

The requirement is to design a two layered defense architecture.

The first logical layer shall include

a) Cisco ASA with CSC-SSM first and then

b) Cisco ASA with AIP-SSM

(No server farms placed between CSC-SSM and AIP-SSM)

The second layer shall include

a) FWSM in CAT6500

My query is that since all the necessary access-lists/NAT will be configured within Cisco ASA CSC-SSM (internet edge), should the access-list in the ASA AIP-SSM be 'permit ip any any' and then divert all traffic to AIP-SSM. Or should there be any additional firewall configuration in ASA with AIP-SSM.

Regards.

Marwan ALshawi · ‎08-23-2008

based on this three layres firewalls

i would sejuset u to do the following

ASA-csc url filtering Packet filtering which mean ACLs permit and deny based on L3 IPs and L4 ports and NATing as required

and try as much as possible to reduce number of nating application in ur layred topology i mean if u do nating in each firewall it gonna be a complex topology and hard to make any troubleshooting in the future

after u have done packet and url filtering

now go to the second security layer

which is the ASA-AIP

in this one inspect the prmited trafic from the edge firewall ASA-csc and do what ever inline inspection through this firewall and AIP module

filally on the FWSM do more specific filitering and NATing if required basd on ur servers

keep in mind than with FWSM all traffic is denied by defaul even from higher level to lower level interfaces not like ASA so u need for example a permit statment with ACl be applied on the inside interface to allow traffic to flow through the firewall and so on

good luck with ur defence indepth topology:)

please, if helpful Rate