
Firewall Integration

Hi,

I need some design assistance for a data center firewall build, as the customer has 4 firewalls as per below, which I need to combine into 2 ASA 5585-SSP-20 (1 pair for External, 1 pair for Internal). What are the things I need to consider for the design?

  • 3 External facing FWs (Internet+AnyConnect+Site to Site VPN FW, Offload internet for remote sites FW, EDI FW)
  • 1 Internal (PCI involved)

Thanks and Regards,

Sankar

2 Replies

Aditya Ganjoo
Cisco Employee

Hi,

It depends mostly on the amount of traffic you must be passing through the ASAs.

What is the load, and what type of traffic is it?

You can configure ASA clustering on the external FWs; that would help you to load-balance the traffic.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_cluster.html

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

That did not answer my question. My intention is not only load-balancing; I also need to design the network based on compliance. As said above, in my new requirement I have 1 pair of ASAs available for external (Perimeter) traffic like Internet+AnyConnect+Site to Site VPN FW, Offload internet for remote sites; another pair is available to accommodate internal traffic like PCI, EDI segments. Mainly, most of the remote offices are connected through a DMVPN tunnel as a secondary path for corporate internet.

Remote locations Types:

Type1 = Internet+MPLS

Type2 = Internet only

Type3 = MPLS only

In the above scenario, all corporate traffic should come through MPLS and internet should come through DMVPN; only in Type1, if MPLS is down, corporate & internet traffic comes through the DMVPN tunnel. In this topology, which is the best way to place the firewall to pass the traffic through?
