Design Help - Firewall/DMZ

Limitless1801
Level 1

Hi,

I am about to purchase two 5515-X next-generation firewalls and I need to decide on the design, so I need some help from the experts. These appliances seem to come with six 1 Gbps ports, which is enough. In our LAN we have two 6500s running in VSS mode, and we are also going to get our second ISP. The obvious thing is to cross-connect each firewall with the two 6500s and possibly with the Internet routers. Is there something else you recommend?

  • I am planning to trunk a couple of interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.
  • I'll be deploying the devices as active/standby because I have VPNs configured, and it is my understanding that both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use both of them at the same time.
  • Using two ISPs, how do I deal with the public-to-internal NAT?

Any help is greatly appreciated. Thanks.


Planning to trunk a couple of interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.

Well, you could use the 6500s if you have enough free interfaces on them. Create the DMZ VLAN on the 6500s as well as on the new DMZ switch. On the 6500 and the DMZ switch, configure the ports as trunks but allow only that single VLAN on the trunk. Create a subinterface on the ASA, place that subinterface in the new DMZ VLAN and give it an IP.

I'll be deploying the devices as active/standby, and this is because I have VPNs configured, which it is my understanding that both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use them both at the same time.

What the company wants isn't always the best solution, and they should be told that from time to time. However, it is possible to configure the ASAs in an Active/Active setup. This requires that the ASAs are configured in multiple context mode. On the first ASA, context 1 is active while context 1 on the second ASA is in standby mode; on the second ASA, context 2 is the active context while context 2 on the first ASA is in standby mode. This setup will allow the use of both ISP connections and be able to maintain VPN connections. Keep in mind that the VPN connections will not be active on both ASAs. They will only be active on the active context, but will fail over to the standby context if a failure occurs.

Using two ISPs, how do I deal with the Public-Internal NAT?

The ASA does not support two active default gateways, and therefore two ISPs are not supported in single context mode. So if you have a requirement to use both ISP connections simultaneously, you need to have multiple contexts. Each context is a virtual firewall and completely separate from the others.

So, back to the active contexts. Context 1 on ASA1 is the active context and is connected to ISP1. Context 2 on ASA2 is the active context and is connected to ISP2. You would perform NAT in exactly the same way as you would on a single-context ASA, no hocus-pocus. The only difference is that the traffic that goes towards each context, and subsequently each ISP, is not from the same subnet. It needs to be separated and then divided between the two contexts.

So, context 1 would have traffic for VLANs 1, 3, 5, 7, 9 and context 2 would have traffic for VLANs 2, 4, 6, 8, 10.

Here is a link on how to configure active/active failover.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html#wp1163513

--
Please remember to rate and select a correct answer
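The design Marius describes above (a single-VLAN trunk carrying the DMZ to an ASA subinterface, two failover groups in multiple context mode, and plain per-context NAT with the inside VLANs split between the contexts) written out as a configuration sketch. This is an added example, not configuration from the original thread or from Cisco documentation. Interface names, VLAN numbers, context names and every address (RFC 1918 inside ranges and RFC 5737 documentation prefixes standing in for the two ISP blocks) are assumptions chosen for illustration; the 6500 port is written in VSS switch/slot/port form.

```cisco
! ---- 6500 VSS side (assumed port names). DMZ VLAN 100 is carried on a
! ---- trunk that allows only that VLAN. No SVI for VLAN 100 on the 6500:
! ---- the ASA subinterface is the DMZ gateway, the 6500 just switches it.
vlan 100
 name DMZ
!
interface GigabitEthernet1/3/1
 description Trunk to ASA1 Gi0/2 (DMZ VLAN only)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100
 switchport mode trunk
!
! ---- ASA1 system execution space (failover replicates it to ASA2) ----
mode multiple
!
interface GigabitEthernet0/0
 description ISP1 handoff
 no shutdown
interface GigabitEthernet0/1
 description ISP2 handoff
 no shutdown
interface GigabitEthernet0/2
 description Trunk to 6500 VSS (inside VLANs + DMZ)
 no shutdown
interface GigabitEthernet0/2.100
 vlan 100
interface GigabitEthernet0/2.10
 vlan 10
interface GigabitEthernet0/2.20
 vlan 20
!
! Failover and state link on a dedicated port; group 1 prefers ASA1
! (primary), group 2 prefers ASA2 (secondary), so both boxes carry traffic.
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/5
failover link folink GigabitEthernet0/5
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context isp1
 description odd inside VLANs, DMZ and ISP1; active on ASA1
 allocate-interface GigabitEthernet0/0 outside1
 allocate-interface GigabitEthernet0/2.100 dmz
 allocate-interface GigabitEthernet0/2.10 inside10
 config-url disk0:/isp1.cfg
 join-failover-group 1
!
context isp2
 description even inside VLANs and ISP2; active on ASA2
 allocate-interface GigabitEthernet0/1 outside2
 allocate-interface GigabitEthernet0/2.20 inside20
 config-url disk0:/isp2.cfg
 join-failover-group 2
!
! ---- Inside context isp1 (changeto context isp1): NAT exactly as on a
! ---- single-context ASA. Public addresses here come from ISP1's block.
interface outside1
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
interface dmz
 nameif dmz
 security-level 50
 ip address 10.200.0.1 255.255.255.0 standby 10.200.0.2
interface inside10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
!
object network inside_v10
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network dmz_web
 host 10.200.0.10
 nat (dmz,outside) static 198.51.100.4
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1
! Context isp2 is the mirror image: outside2 addressed from ISP2's block
! (for example 203.0.113.0/29), inside20 for VLAN 20, its own dynamic NAT
! to its own outside interface, and a default route toward ISP2.
```

Two things worth checking before committing to this layout. First, every context sees only the interfaces allocated to it, so a DMZ host is published through one context (and therefore one ISP's addresses) unless it gets an interface in each; the same applies to the inside VLANs, which is why the odd/even split in the thread matters. Second, multiple context mode narrows what VPN features are available: site-to-site VPN in multiple context mode arrived in ASA 9.0, and remote-access VPN support in multiple context mode came in a later release, so confirm against the release notes for the software the 5515-X will run before assuming the existing VPNs survive the move. For the links to the two VSS chassis, the ASA can bundle them into an EtherChannel (supported since 8.4), which removes the single physical trunk as a failure point.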

Marius, thank you for providing such good feedback. I like the idea of using the 6500 to configure the DMZ VLANs and connect them to the firewall. Because of their features, it will help to minimize any type of downtime.

Perhaps you can help me with the two-ISP configuration. I want to have BGP configured between the two ISPs, but I have a non-portable block of IPs. I have a few questions in this regard:

  • How do I keep my existing IPs?
  • When traffic goes through the second ISP, how do I NAT the traffic to keep the same public IPs? Do I have to double-NAT?

Any other feedback is greatly appreciated.

To multi-home your Internet to two different ISPs requires the following two items at a minimum:

- Provider-independent address space.

- A public ASN.

Double NAT will add unnecessary complexity to your network. It also has implications for what happens when a link fails.

An ISP will drop traffic if it receives routes from its customer that are not part of its address space.

A good document explaining the concepts can be found at www.ciscolive365.com, entitled "Enterprise Multi-Homed Internet Edge Architectures".

How do I keep my existing IPs?

I assume you mean your public IPs for your web servers? Are these IPs NATed IPs, or are you using the actual assigned outside interface IP for these servers?

This can get a little tricky. Do you already have BGP set up facing your ISPs? Are both links provided by the same ISP?

This will be much easier if both links are provided by the same ISP.

Could you provide a network diagram please.

Without knowing much more about your network, I would think this is not possible if the second ISP link cannot route your primary ISP's IPs (essentially the IPs that you are using for your web servers). In this case you would have to manually change the IPs that your domain points to.

--

Please remember to rate and select a correct answer

You are correct. I am referring to my existing public IPs and the fact that I have to get another address space for this implementation. I do not have BGP at this point, since I only have one carrier and one firewall. My preference is to move away from the last-mile carrier due to some big outages in the area and get someone else (like Comcast or FPL) that has their own network. I agree with you that keeping the same ISP for both links is a much simpler solution.

What's your take on doing DNS failover? Wouldn't this work as well until I re-engineer the whole BGP strategy? I currently use DNS to monitor some of my web servers, so in case the primary is down, it rolls over to my DR site. I'll post the diagram soon.

What's your take on doing DNS failover? Wouldn't this work as well until I re-engineer the whole BGP strategy?

Yes, this could be a solution.

--
Please remember to rate and select a correct answer