Expanding DMZ (ASA)

david-swope
Level 1

I am looking to expand my current DMZ, which really hasn't been leveraged for much, but I plan to reconfigure it and leverage it across three sites. I am wondering what is the best way to approach what I am looking to do?

Some site details

1. Three sites

2. ASA centralized at Main site

3. MPLS network, all Internet traffic flows through Main

4. Each site should have its own /24 for DMZ network

5. Each site has a L3 switch and MS DHCP server

ASA Version 8.2(5)

I am looking for the best practice approach to this. I have some ideas but am not quite sure.

See attached drawing for reference

DMZ.JPG

6 Replies

Jouni Forss
VIP Alumni

Hi,

Are you looking to have the remote site DMZs behind the ASA DMZ interface?

Would you, in other words, be separating the REMOTE sites' LAN and DMZ networks from each other so that they would have to connect through the MAIN site ASA to access?

Or are you going for a setup where each REMOTE site LAN and DMZ connect to each other directly?

Do you control the MPLS router at the MAIN Site or is it an ISP device?

- Jouni

It is a managed MPLS, so I don't directly administer the MPLS. I was thinking I can leverage VRFs for the 172.16.x.x traffic across the WAN, then as it comes across the VRFs to the Main MPLS router, route it there to the DMZ interface, so yes, with this in mind, this traffic would be completely segmented from each LAN.

This will be my quote unquote "Guest" network. I will later install a few switches in some random IDFs for equipment that I need to present to the Internet. I can take care of those via L2/L3 VLANs at each site. For me it's just a matter of configuring this on the ASA.

As it is now, you see that Ethernet3 is the DMZ interface. I am aware of creating subinterfaces and/or even VLANs on the ASA, but I'm a bit foggy on security best practices and how to go about achieving this.

Hi,

I guess there is also the question of whether the 3 DMZ locations have to be separate from each other?

It seems to me the current LAN networks are communicating with each other behind the ASA "inside" interface, and in that sense the ASA doesn't control traffic between them.

Would all the 3 DMZs also be contained in the same routing table (single VRF), or would each be in their own VRF at the main site and configured on the ASA as their own subinterface? I guess this comes down to whether we need to limit the connectivity between the DMZ networks.

I personally prefer the situation where the ASA is the central point through which every network communicates with each other. This gives greater visibility into what is actually happening in the network, and you can control the network better. But to be honest, considering the original ASA5500 series, you will quite easily run out of performance if each network is behind its own subinterface, depending on how much traffic is between the networks.

I guess in this case, though, the traffic between DMZ and LAN isn't considerable, and the LAN networks even at the moment don't stress the ASA other than with outbound traffic?

So I am wondering if these 2 could be any kind of options?

Option 1

  • DMZ and LAN networks separate by VRFs at the REMOTE sites
  • All 3 DMZs in a single VRF at the main site where a link to the ASA DMZ interface exists
  • All LAN <-> DMZ traffic goes through the ASA
  • MAIN site DMZ switch would be attached to the Cores at MAIN site and attached to the same VRF/Routing table as the REMOTE site DMZs

Option 2

  • DMZ and LAN networks separate by VRFs at the REMOTE sites
  • All 3 DMZs in their own VRFs at the main site with their own links/subinterfaces to the ASA
  • All LAN <-> DMZ traffic goes through the ASA
  • MAIN site DMZ switch would be attached to the Cores at MAIN site and attached to its own VRF again connected by a subinterface to the ASA

- Jouni

Jouni,

It is also important to note this is an Active/Active environment (dual 5510s).

As far as which option is best, I definitely want visibility into the three DMZ networks. As far as each DMZ network being able to communicate with each other, I would initially say no, but I'm thinking it can't hurt. After all, it certainly wouldn't expose my internal network to any issues.

Option 1 is more ideal IMO. Something like this, perhaps.

david-swope
Level 1

Still looking for some insight into the best approach here.

Ok, I am looking at going in this direction: leverage my L3 switches instead of using subinterfaces on the ASA.

VRFs will be in place across the WAN (not shown). Each site will have a L3 SVI and DHCP scope handing out addresses for each network.

Routes in place on core switches and ASA as shown.

Any thoughts on this would be appreciated
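A configuration sketch of the direction chosen above (Jouni's Option 1: one ASA DMZ interface, all site DMZ /24s held in a single DMZ VRF on the main-site core, L3 SVIs on the switches rather than ASA subinterfaces). This is an added example, not taken from the thread, the attached drawing, or Cisco documentation. All addressing is assumed: 172.16.0.0/16 for the DMZs (172.16.10/20/30.0 for the three sites), 10.0.0.0/8 for the inside LANs, a 172.16.0.0/30 link between ASA and core, VLAN numbers, and the DHCP server address. Syntax follows ASA 8.2(5) (pre-8.3 NAT) and IOS VRF-lite conventions.

```cisco
! ===== ASA 5510, 8.2(5): single DMZ interface (Option 1) =====
! Assumed addressing (constructed for this example, not from the thread):
!   inside LANs      10.0.0.0/8      behind "inside", security-level 100
!   ASA <-> core DMZ VRF link 172.16.0.0/30  ASA = .1, core = .2
!   site DMZ /24s    172.16.10.0 (main), 172.16.20.0 (site 2), 172.16.30.0 (site 3)
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.252
 no shutdown
!
! All DMZ /24s sit behind the core's DMZ VRF, so one summary route covers
! every site; the core decides which site a /24 belongs to.
route dmz 172.16.0.0 255.255.0.0 172.16.0.2
!
! 8.2-style NAT: DMZ hosts PAT out the outside interface. No inside<->dmz
! NAT statement is needed because nat-control is off by default.
global (outside) 1 interface
nat (dmz) 1 172.16.0.0 255.255.0.0
!
! Inbound on the DMZ interface, first match wins: explicitly deny anything
! aimed at the inside LANs, then permit outbound Internet. A bare
! "permit ip any any" here would let a compromised DMZ host reach inside.
access-list dmz_in extended deny ip 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list dmz_in extended permit ip 172.16.0.0 255.255.0.0 any
access-group dmz_in in interface dmz
!
! inside (100) -> dmz (50) is allowed by default; add an inside ACL if
! only specific hosts should reach DMZ servers.
!
! Option 2 variant for comparison: one subinterface per site DMZ on a
! trunk from the core. Equal security levels block DMZ-to-DMZ traffic
! unless "same-security-traffic permit inter-interface" is configured.
! interface Ethernet0/2.20
!  vlan 20
!  nameif dmz-site2
!  security-level 50
!  ip address 172.16.20.1 255.255.255.0

! ===== Main-site core (IOS VRF-lite): DMZ table separate from the LAN table =====
ip vrf DMZ
 rd 65000:100
!
interface Vlan10
 description Main-site DMZ /24 (assumed VLAN number)
 ip vrf forwarding DMZ
 ip address 172.16.10.1 255.255.255.0
 ! Assumed MS DHCP server that is reachable inside the DMZ VRF. If the
 ! DHCP server lives on the LAN instead, relay would cross the VRF
 ! boundary, so route that through the ASA rather than leaking routes.
 ip helper-address 172.16.10.50
!
interface Vlan999
 description Link to ASA dmz interface (assumed VLAN number)
 ip vrf forwarding DMZ
 ip address 172.16.0.2 255.255.255.252
!
! Default for the DMZ VRF points at the ASA. With no route leaking between
! the DMZ VRF and the global table, DMZ hosts have no path to the LAN
! except through the firewall.
ip route vrf DMZ 0.0.0.0 0.0.0.0 172.16.0.1
! Remote-site DMZ /24s arrive over the provider-managed MPLS VRF; pin them
! statically (placeholder next hop) or learn them from the CE routing.
ip route vrf DMZ 172.16.20.0 255.255.255.0 <MPLS-DMZ-VRF-NEXT-HOP>
ip route vrf DMZ 172.16.30.0 255.255.255.0 <MPLS-DMZ-VRF-NEXT-HOP>
```

The security property this gives is that DMZ-to-LAN isolation is enforced in two independent places: the core has no route from the DMZ VRF to the LAN table, and the ASA's dmz_in ACL denies it anyway, so a mistake in either one (an accidental route leak, or a too-broad ACL edit) does not on its own expose the LAN. Since all three DMZs share one VRF and one ASA interface, they can reach each other freely, which matches the "can't hurt" decision above; if that ever needs restricting, it has to be done on the core (VLAN ACLs or separate VRFs), not on the ASA, because that traffic never reaches it.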
