Two-tiered, dual firewall design... inline or not?

royalle01
Level 1

I am rolling out a two-tiered firewall design; the diagrams attached should be self-explanatory. I am in a disagreement with a co-worker regarding today's best practice for this scenario. I know we've all been raised to believe mesh topology is the most redundant and resilient design, but IMO, with the way ASAs handle failover, the inline scenario provides the most security along with the simpler design to support and troubleshoot.

I am still collecting documents for pros/cons of each... I would love to hear comments and or get some links that discuss this. Please let me know if anyone has any questions...

A couple of things to note:

- Routed border ASAs will have a static default route to an HSRP address on the external routers, and will be performing NAT.

- The DMZ switch will terminate all inside/corporate VRFs.

- LAN/state failover will use redundant interfaces, with the primary interface for each ASA pair going through the switch on their internal interface and the secondary going through a switch on their outside interface.

Thanks in advance...

1 Reply

Jennifer Halim
Cisco Employee

Actually, the inline design is not supported on the ASA. You can have a fully meshed topology for all your other devices, but not the ASA.

An ASA running in failover mode will only have one ASA Active at any given time, and if traffic is being routed towards the Standby, it will just drop the packets (they will not be forwarded to the Active ASA). There is also just one (active) IP address for the ASA in failover mode; the IP address will follow whichever is the active unit, and the standby IP address is purely for management purposes.
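
A toy model of the failover behaviour described in this reply, added here as an illustration (not Cisco's code or configuration): one unit holds the shared active IP, the Standby drops anything sent to it, and after a failover a device cabled directly to the old Active keeps sending into a unit that no longer forwards, while a device reaching the active IP through a switch keeps working. Unit names and the 192.0.2.x addresses are constructed assumptions.

```python
"""Constructed model of an ASA Active/Standby pair: not real ASA code."""
from dataclasses import dataclass


@dataclass
class AsaPair:
    units: tuple = ("asa-primary", "asa-secondary")
    active: str = "asa-primary"      # unit currently holding the active IP
    active_ip: str = "192.0.2.1"     # follows the Active unit (constructed value)
    standby_ip: str = "192.0.2.2"    # management only; never forwards traffic

    def failover(self) -> None:
        """The Active role, and with it the active IP, moves to the other unit."""
        self.active = self.units[1] if self.active == self.units[0] else self.units[0]

    def handle(self, arriving_at: str) -> str:
        """A packet that reaches the Standby unit is dropped, not relayed to Active."""
        return "forwarded" if arriving_at == self.active else "dropped"


def inline_path(pair: AsaPair, wired_to: str) -> str:
    """Inline design: the upstream device is cabled to one specific unit."""
    return pair.handle(wired_to)


def switched_path(pair: AsaPair) -> str:
    """Switched/mesh design: the upstream device sends to the active IP,
    which resolves to whichever unit is currently Active."""
    return pair.handle(pair.active)


def compare_after_failover() -> dict:
    """Outcome for each design before and after a failover event."""
    inline, switched = AsaPair(), AsaPair()
    before = {"inline": inline_path(inline, "asa-primary"),
              "switched": switched_path(switched)}
    inline.failover()
    switched.failover()
    after = {"inline": inline_path(inline, "asa-primary"),
             "switched": switched_path(switched)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(compare_after_failover())
```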
