Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
133
Views
0
Helpful
1
Replies

Edge Design Confusion ASA

Drago Benedict
Level 1
Level 1

‎12-24-2016 06:37 PM - edited ‎03-12-2019 06:10 PM

I have a hub and spoke topology.  A total of 3 spokes all on private WAN pointing to the HUB.  The hub has subinterfaces for each site with 802.1Q tagging so I'm assuming it's some type of L2 MPLS or VPLS WAN.  

The issue is the internet connection is simply another subinterface on the edge router.  Traffic comes in from one of the private spokes and the router defaults to the internet out a subinterface.   

The problem is I need to implement an ASA firewall.  If the traffic comes in from the WAN subinterfaces I need to default to the ASA, but the ASA needs to default back to the router after inspection...

Hence why I'm confused...Can someone please help with this design.  Has anyone seen this?  

Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎12-25-2016 12:54 AM

What kind of services are you using on the Hub? If you don't do an fancy routing like DMVPN/FlexVPN/GETVPN and you don't need very flexible QoS, then it could be the easiest to just replace the router with the ASA. The ASA can also be configured with subinterfaces for all your spokes and the internet.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card