Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4728
Views
5
Helpful
4
Replies

Internal Firewall Placement

umer zubairi
Level 1
Level 1

‎11-27-2017 06:11 AM - edited ‎02-21-2020 06:50 AM

Gents,

 

I've a scenario where:

 

1) All my servers are directly connected to the Core switch.

2) I have only one external firewall that's sitting between the Core and Border Gateway router connected to the internet.

 

Now client needs their servers to be protected from the internal threats as well.

 

Luckily, I managed to arrange another ASA that can be used as an internal firewall but don't know where it will sit as all my servers are directly connected to Core switch and we do not have a separate server farm node.

Below is the topology

FW.jpg

Please advise!

 

Kind Regards

Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎11-27-2017 07:00 AM - edited ‎11-27-2017 07:02 AM

There are multiple options available here. one common scenario is to use the firewall on a stick:

Lets assume your users are on VLAN10, your servers are on VLAN20. On the core-switch you have two vlan-interfaces for VLAN10 and vlan20.

You connect the ASA with a port-channel to the core-switch. On that port-channel you configure a new subinterface for vlan30. This interface will become a transfer-network between the core and the ASA.

On the Core-switch you remove the VLAN-interface for VLAN20 and configure that also as a subinterface of the ASA. On the core you configure also VLAN30 and use the ASA-IP of VLAN30 as the next-hop for the server-VLANs. On the ASA you need a default-route pointing to the core-IP of VLAN30.

Optionally you could use the ASA in transparent mode which would remove the additional transfer-network. And if you want to firewall most to all traffic, then you could just move all VLAN-interfaces to the ASA and have only the ASA as L3-instance.

Have you also thought about that this internal firewall needs quite much throughput and also has to be redundant?

0 Helpful

umer zubairi
Level 1
Level 1
In response to Karsten Iwen

‎11-27-2017 07:57 AM - edited ‎11-27-2017 12:08 PM

Thanks Brother,

 

Considering the below (one of the options you discussed) whenever an operational staff member needs to access something from the business unit data resources, the traffic needs to hit the firewall and the connection needs to be approved there on ASA.

 

Is there anything wrong is this design, please let me know 

 

BTW I'm not configuring any VRFs here, just VLANs.

 

FW.jpg

Karsten Iwen
VIP
VIP
In response to umer zubairi

‎11-27-2017 12:54 PM

You would put the SVIs for the critical applications on the firewall to protect them. The uncritical applications can still be handled (with more throughput) on the core.

0 Helpful

umer zubairi
Level 1
Level 1
In response to Karsten Iwen

‎11-27-2017 12:58 PM

Thanks Bro, seems in this case I do not even need to create the sub-interface.

I mean I just need to configure the SVIs of critical app servers' vlans and rest all the gateways stay on the CORE.

Let me know if there's still need of sub-interfaces.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card