I have a hub and spoke topology. A total of 3 spokes, all on a private WAN, pointing to the hub. The hub has subinterfaces for each site with 802.1Q tagging, so I'm assuming it's some type of L2 MPLS or VPLS WAN.
The issue is that the internet connection is simply another subinterface on the edge router. Traffic comes in from one of the private spokes and the router defaults to the internet out a subinterface.
The problem is I need to implement an ASA firewall. If the traffic comes in from the WAN subinterfaces I need to default to the ASA, but the ASA needs to default back to the router after inspection...
Hence why I'm confused... Can someone please help with this design? Has anyone seen this?