FW-Configuration

Goutam Biswas
Level 1

Hi,

Need help on the configuration part of the attached FW-Design, or anyone can suggest what would be the best security design in terms of the DC network.

29 Replies

Hi,

You are right.

Can you help me to prepare a sample configuration for this scenario if you have time?

Note: There are two CE RTW. 

I am sorry, but I am strapped for time at the moment. I can help you with bits and pieces of the configuration, but providing a full sample will be too time consuming.

If you post your configurations, or have questions about specific portions I can help you out.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Hi,

I am OK, take your time. In the meantime I will prepare a sample config for your review.

Hi, could you please check the interface configuration? First I am trying to complete the interface configuration, then will go for the rest.

How many VLANs will you have on the N5K switches? If you have more than one VLAN on them you will need to trunk the link to the ASA, meaning you will need subinterfaces on the ASA for the ports that go to the N5K switches.


Hi,

There are a lot of VLANs in the N5K. I would like to configure a default route to the FW primary address from the N5K instead of VLANs configured on the FW; will it work?

Example: an inside VLAN will be configured between the FW and N5K, or a port-channel between the FW and N5K.

Same for outside also. Is it feasible?

This will not work. Each VLAN will have its own subnet and therefore will require a default gateway within that subnet or (in certain configurations) require a route to the default gateway IP. In your setup you will need to use sub-interfaces on the ASA; each sub-interface will have an IP within the subnet of a specific VLAN, and that IP will be the default gateway for clients on that VLAN.


Hi,

If I configure sub-interfaces for all VLANs on the FW, it would be a huge processing load on the FW; then what is the use of the Nexus (it has high throughput and backplane capacity)?

My points are

> All VLAN SVIs will be configured on the N5K with HSRP, so all servers will point to the N5K HSRP virtual IP address.

> Internal traffic will be routed within the N5K.

> Only external traffic will go to the FW.

> For the external route I will put a default route on the N5K towards the FW IP address.

If you do not require any traffic filtering / security between your LAN subnets then there is no problem doing that.


Hi,

I do not require filtering within the LAN. To/from external I need the FW.

I think now it's possible. If you have time, please check my interface config, and if possible please update it and let me know.

You are missing the redundant links to the N5K and the L2 switches (these would need to be in a portchannel). Also, you would need the following command to allow traffic between the MPLS interface and N5K since they have the same security level:

same-security-traffic permit inter-interface


Hi,

Can you add the redundant link configuration on the FW to the N5K and the L2 switches?

I am not sure what would be the exact port configuration between the FW and N5K and between the FW and L2 switches.

Please add it in my config_notepad.

You would need to configure the ASA and the N5K as portchannels.

ASA

interface GigabitEthernet0/1
 description Port-channel1 member to N5K
 no shutdown
 channel-group 1 mode active
interface GigabitEthernet0/2
 description Port-channel1 member to N5K
 no shutdown
 channel-group 1 mode active
!
interface Port-channel1.10
 description VLAN 10 - inside
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Port-channel1.20
 description VLAN 20 - inside2
 vlan 20
 nameif inside2
 security-level 90
 ip address 20.20.20.1 255.255.255.0

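As an added example that is not part of the thread (the sample config inside it is constructed, modelled on the ASA snippets posted above), here is a small Python linter that parses an ASA interface configuration and flags the three points raised in the replies: channel-group members that omit the required mode keyword, subinterfaces with no vlan tag or nameif, and named interfaces that share a security-level while same-security-traffic permit inter-interface is absent (the MPLS / N5K case). The interface names and addresses in the sample are assumptions for the example only.

```python
"""Linter for the ASA port-channel / subinterface style of config discussed
in the thread. Added example, not the original poster's configuration."""
from collections import defaultdict

# Constructed sample config for this example; it deliberately contains the
# three defects the linter looks for.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
interface GigabitEthernet0/1
 no shutdown
 channel-group 1 mode active
interface GigabitEthernet0/2
 no shutdown
 channel-group 1
interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Port-channel1.20
 nameif inside2
 security-level 90
 ip address 20.20.20.1 255.255.255.0
interface GigabitEthernet0/3
 nameif mpls
 security-level 100
 ip address 172.16.0.1 255.255.255.0
"""


def parse_interfaces(config):
    """Split an ASA config into ({interface: [sub-commands]}, [global commands]).

    Sub-commands are the lines indented under an 'interface' line, as in
    ASA running-config output; unindented lines are global commands.
    """
    interfaces = {}
    global_cmds = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return interfaces, global_cmds


def lint_asa(config):
    """Return a list of human-readable findings for the given config text."""
    interfaces, global_cmds = parse_interfaces(config)
    findings = []

    for name, cmds in interfaces.items():
        # ASA requires 'channel-group N mode {active|passive|on}'.
        for cmd in cmds:
            if cmd.startswith("channel-group") and " mode " not in cmd:
                findings.append(f"{name}: '{cmd}' lacks 'mode active|passive|on'")
        # A dotted name is a subinterface; it needs a VLAN tag and a nameif.
        if "." in name:
            if not any(c.startswith("vlan ") for c in cmds):
                findings.append(f"{name}: subinterface has no 'vlan' tag")
            if not any(c.startswith("nameif ") for c in cmds):
                findings.append(f"{name}: subinterface has no nameif")

    # Traffic between two interfaces at the same security-level is dropped
    # unless 'same-security-traffic permit inter-interface' is configured.
    by_level = defaultdict(list)
    for name, cmds in interfaces.items():
        nameif = next((c.split()[1] for c in cmds if c.startswith("nameif ")), None)
        level = next((int(c.split()[1]) for c in cmds if c.startswith("security-level ")), None)
        if nameif and level is not None:
            by_level[level].append(nameif)
    if "same-security-traffic permit inter-interface" not in global_cmds:
        for level, names in by_level.items():
            if len(names) > 1:
                findings.append(
                    f"security-level {level} shared by {sorted(names)} but "
                    "'same-security-traffic permit inter-interface' is absent"
                )
    return findings


if __name__ == "__main__":
    for finding in lint_asa(SAMPLE_CONFIG):
        print(finding)
```

Running the block prints three findings for the constructed sample; adding the missing mode keyword, the vlan 20 tag and the inter-interface permit statement clears them.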

Hi,

This configuration shows VLANs created on the FW (the client's default gateway is the FW), but I wanted to configure the VLANs on the N5K (the client's default gateway would be the N5K, and the N5K will forward traffic to the FW based on whether inspection is required or not; suppose some VLANs don't require going via the FW and some do).

Thanks a lot for helping. If you give the FW to L2 configuration also...

Then just remove the subinterfaces.

interface GigabitEthernet0/1
 description Port-channel1 member to N5K
 no shutdown
 channel-group 1 mode active
interface GigabitEthernet0/2
 description Port-channel1 member to N5K
 no shutdown
 channel-group 1 mode active
!
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0

(The client's default gateway would be the N5K, and the N5K will forward traffic to the FW based on whether inspection is required or not; suppose some VLANs don't require going via the FW and some do.)

This is why I have suggested using VRFs several times. But this is your choice. I feel VRFs would be easier to use with regards to traffic separation (that is a personal preference).
