I am looking to expand my current DMZ which really hasn't been leveraged for much but I plan to reconfigure it and leverage it across three sites. I am wondering what is the best was to approach what I am looking to do?
Some site details
1. Three sites
2. ASA centralized at Main site
3. MPLS network, all Internet traffic flows through Main
4. Each site should have it's own /24 for DMZ network
5. Each site has a L3 switch and MS DHCP server
ASA Version 8.2(5)
I am looking for the best practice approach to this, I have some ideas but am not quite sure
See attached drawing for reference
Are you looking to have the remote site DMZs behind the ASA DMZ interface?
Would you in other words separating the REMOTE sites LAN and DMZ networks from eachother so that they would have to connect through the MAIN site ASA to access?
Or are you going for a setup where each REMOTE site LAN and DMZ connect between eachother directly?
Do you control the MPLS router at the MAIN Site or is it an ISP device?
It is a managed MPLS, so I don't directly administer the MPLS. I was thinking I can leverage VRF's for the 172.16.x.x traffic across the WAN, then as it comes across the VRF's to the Main MPLS router, route it there to the DMZ interface so yes with this in mind this traffic would be completely segmented from each LAN
This will be my quote on quote "Guest" network. I will later install a few switches in some random IDF's for equipment that I need to present to the Internet. I can take care fo those via L2/L3 VLANs at each site..for me it's just a matter of configuring this on the ASA.
As it is now, you see that Ethernet3 is the DMZ interface, I am ware of creating subinterfaces and or even VLANs on the ASA but i'm a bit foggy on security best practices and how to go about acheiving this.
I guess there is also the question if the 3 DMZ locations have to be separate from eachother?
It seems to me the current LAN networks are communicating with eachother behind the ASA "inside" interface and in that sense the ASA doesnt control traffic between them.
Would all the 3 DMZs also be contained in the same routing table (single VRF) or would each be in their own VRF at the main site and configured on the ASA as their own subinterface? I guess this comes down to do we need to limit the connectivity between the DMZ networks.
I personally prefer the situation where the ASA is the central point through which every network communicates with eachother. This gives greated visibility to what is actually happening in the network and you can control the network better. But to be honest considering the original ASA5500 series you will quite easily run out of perfomance if each network is behind its own subinterface, depending on how much traffic is between the networks.
I guess in this case though the traffic between DMZ and LAN isnt considerable and the LAN networks even at the moment dont stress the ASA other than with outbound traffic?
So I am wondering if these 2 could be any kind of options
It is also important to note this is an Active/Active environment (dual 5510's).
As far as which option is best, I definitely want visibility into the three DMZ networks. As far as each DMZ network being able to communicate with each other, I would initially say no but i'm thinking it can't hurt. Afterall it certainly wouldn't expose my internal network to any issues.
Option 1 is more ideal IMO. Something like this perhaps
Ok, I am looking at going in this direction, leverage my L3 switches instead of using subinterfaces on the ASA.
VRF's will be in place across the WAN (not shown). Each site will have a L3 SVI and DHCP scope handing out addresses for each network.
Routes in place on core switches and ASA as shown
Any thoughts on this would be appreciated