Simplify ACL lists and IPsec

Hey

I have a large network with an ASA5555-X in the middle and about 30-40 ASAs in branch offices.

Maintaining ACL lists on the branch office firewalls is a lot of work. Is it possible in any way to IPsec the wanted subnets and use the main ACL list on one of the ASA5555-X interfaces instead?

For example:

client --> IP --> ASA BRANCH --> IPSEC <--- ASA5555X ---> ACL ---> Servers

Thanx

Please rate as helpful, if that would be the case. Thanx

Seb Rupik (VIP Alumni)

Hi there,

Of course you could do that, but it would be wasteful of bandwidth to send traffic across the WAN only to be dropped at the main office. It is best practice to drop traffic as close to the source as possible.

cheers,

Seb.

Kias (Level 1)

Hi,

Yes, you can classify branch office rules and global edge rules on the ASA5555.

The branch office rules will pertain to internet access and the ASA5555 ACL could be for the IPsec traffic originating from the branches.

Regards,

Kias

Kias
Fonicom Limited
raiseaticket Malta

This sounds like a good idea. How do I make the IPsec traffic hit the global edge rules on the 5555X?

For example I have:

branch subnet ---> 10.16.100.0/22

branch subnet ---> 172.16.124.0/24

branch subnet ---> 10.16.120.0/24

When they have a direct connection, I don't see how I can get everything to use one ACL list on the remote 5555X.

Thanx

Hi,

I assume the following:

HQ --> 1.1.1.1/16

branch 1 subnet ---> 10.16.100.0/22

branch 2 subnet ---> 172.16.124.0/24

branch 3 subnet ---> 10.16.120.0/24

3 site-to-site VPNs from HQ to the branches will be established. In this scenario, traffic from branch 3 to branch 1 will be routed through HQ as the hop. At HQ the ACL is defined to control the branch 3 -> 1 traffic via ACL. Also, NoNAT and hairpinning are required for the VPNs, which I believe is a one-time config.

Regards,

Kias
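As an added illustration of the hub setup described in the reply above (constructed here, not posted by anyone in this thread), the following ASA 8.3+/9.x fragment for the HQ ASA5555-X uses the subnets given in the thread; interface names, object names, the HQ_SERVERS range and the permitted ports are assumptions, and the IKE/crypto-map/tunnel-group definitions for the three tunnels are assumed to already exist. It also covers the point the question hinges on: by default the ASA lets VPN traffic bypass interface ACLs (`sysopt connection permit-vpn`), so that default must be turned off (or a vpn-filter used) before tunnel traffic is checked against the single outside ACL.

```cisco
! Constructed example for the HQ ASA5555-X (ASA 8.3+ NAT syntax); not from the thread.
! Assumed names: interfaces "inside"/"outside", objects HQ_NET, HQ_SERVERS, BRANCH_NETS.
!
! 1. Hairpinning: let decrypted branch traffic leave through the same (outside)
!    interface it arrived on, so branch 3 -> branch 1 can transit HQ.
same-security-traffic permit intra-interface
!
! 2. By default, VPN traffic bypasses interface ACLs. Disable that so decrypted
!    tunnel traffic is evaluated against the outside-interface ACL.
!    (Alternative: keep the default and attach a vpn-filter ACL per group-policy.)
no sysopt connection permit-vpn
!
! 3. Address objects built from the subnets given in the thread
object network HQ_NET
 subnet 1.1.0.0 255.255.0.0
object network HQ_SERVERS
 subnet 1.1.10.0 255.255.255.0
object-group network BRANCH_NETS
 network-object 10.16.100.0 255.255.252.0
 network-object 172.16.124.0 255.255.255.0
 network-object 10.16.120.0 255.255.255.0
!
! 4. NoNAT (identity NAT): HQ<->branch and branch<->branch keep real addresses
nat (inside,outside) source static HQ_NET HQ_NET destination static BRANCH_NETS BRANCH_NETS no-proxy-arp route-lookup
nat (outside,outside) source static BRANCH_NETS BRANCH_NETS destination static BRANCH_NETS BRANCH_NETS no-proxy-arp route-lookup
!
! 5. Crypto ACL for the branch 1 tunnel: interesting traffic is HQ plus the
!    other branches, so spoke-to-spoke flows are steered through the hub.
!    Branches 2 and 3 follow the same pattern with their own subnets.
object-group network BRANCH1_NET
 network-object 10.16.100.0 255.255.252.0
object-group network NOT_BRANCH1
 network-object object HQ_NET
 network-object 172.16.124.0 255.255.255.0
 network-object 10.16.120.0 255.255.255.0
access-list VPN_BRANCH1 extended permit ip object-group NOT_BRANCH1 object-group BRANCH1_NET
!
! 6. The single ACL maintained at HQ. With sysopt disabled it now governs the
!    decrypted branch traffic (assumed policy: branches reach HQ servers on
!    443 and 22 only; branch-to-branch is denied and logged).
access-list OUTSIDE_IN extended permit tcp object-group BRANCH_NETS object HQ_SERVERS eq 443
access-list OUTSIDE_IN extended permit tcp object-group BRANCH_NETS object HQ_SERVERS eq 22
access-list OUTSIDE_IN extended deny ip object-group BRANCH_NETS object-group BRANCH_NETS log
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The branch ASAs then only need the mirror-image crypto ACL and their local internet rules; every HQ-bound or branch-to-branch decision is made once, in OUTSIDE_IN.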