CoLocation Design

m.back@aap3.com
Level 1

I am looking for advice on CoLo Design, we have a pair of IE switches which (in a logical T-shape) connect the diverse ISP circuits on one side, on the other a colo edge switch block, and then south bound a hosted environment which is protected by a pair of ASA's.

 

ISP 1 & 2 >>>>>>>>> IE Switch Block >>>>>>>>> CoLo Switch Block
                                                 |
                                                 |
                                          ASA Pair
                                                 |
                                                 |
                                   Hosted Switch Block

 

Originally the CoLo Switch block was designed simply to provide outbound internet access and nothing more, as it was expected customers would provide their own firewalls and servers etc. The design is working as intended and there are no issues. However, we have had a request to provide VPN client access to a CoLo customer; initially I thought we could 'hairpin' the client VPN access into the ASA protecting the Hosted environment and then re-route back out of the outside to the CoLo Switch block. However, we've been advised that we may get other such requests for CoLo customers.

My questions are:

Is it normal to provide CoLo customers with firewall services? I was under the impression our original design concept was sound.

If it is a one off request, can we simply 'hairpin' the VPN client connections via the existing ASA which is protecting the hosted environment?

If this is going to be something which we have to do a number of times, do we need to invest in a new firewall to place between the Internet Edge Switch and CoLo Switch Blocks? How might this affect other CoLo customers who just want outside access and nothing else, as they have their own firewalls?

If anyone can help answer my questions or share their experiences that would be much appreciated - thank you!

Cheers,


Matt :-)

2 Replies

Jon Marshall
Hall of Fame

Hi Matt

Is it normal to provide CoLo customers with firewall services? I was under the impression our original design concept was sound.

It really depends on what the original agreement was in terms of security and services provided but if it was simply to provide connectivity to the internet then yes I would say your design is sound.

If it is a one off then yes you could terminate the VPN on your ASA and then hairpin the unencrypted traffic back out to the client although obviously that means the client traffic is going from your ASA to them unencrypted and there are other customers connected to that switch.

If it is going to be a more frequent occurrence then you could purchase an ASA for this but there are two main considerations -

1) the non technical consideration is if the customer doesn't already have a firewall you are in effect responsible for their security which you may well not want to be.

Currently I assume you just provide a connection to each customer and it is entirely up to them as to how they secure that connection. Your only responsibility is for the internet connection itself.

Providing a firewall to them would mean you are now involved with their security and you may very well not want to do that or at the very least if you do provide a firewall for VPN connections it is on the understanding that all unencrypted traffic is their responsibility and not yours.

2) It probably won't surprise you to hear me talk about the IP addressing :-)

Again it's key really in terms of how it would work.

It's not clear from the diagram how the public IP addressing works, i.e. does each customer get their own block and you route these on the IE switches?

If so putting a firewall between the IE switches and the CoLo switches is going to break that addressing because you won't be able to have the same IP subnet on both sides.

And it would also mean multiple interfaces or subinterfaces on the firewall's inside interface, i.e. the one facing the customers, because you need to keep the traffic separate.

Contexts can be useful here.

A better alternative may be to place the firewall out of the main traffic flow so any non VPN traffic flows normally without going through the firewall and you only send traffic to it for VPNs. That would also mean customers are still responsible for their own security.

But that depends again on the IP addressing. Having a new external IP routed to the ASA is fine but you also need to account for the inside interface of the ASA as well and again it depends on how it is currently set up.

Difficult to really comment without knowing more about how the IP addressing and routing currently works so any details would help.

Jon
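An added illustration of the "one off" hairpin option Jon describes (not configuration from either poster): remote-access VPN clients terminate on the existing ASA's outside interface and their decrypted traffic is sent back out the same interface toward the CoLo customer. The VPN pool, customer block and object names below are placeholders, and the syntax assumes ASA 8.3 or later NAT.

```cisco
! Allow traffic to enter and leave the same (outside) interface,
! which is what a hairpin of VPN client traffic requires
same-security-traffic permit intra-interface

! Address pool handed to VPN clients (placeholder addresses)
ip local pool COLO_VPN_POOL 10.99.0.10-10.99.0.100 mask 255.255.255.0

object network COLO_VPN_POOL_NET
 subnet 10.99.0.0 255.255.255.0
! The CoLo customer's block behind the CoLo switch block (placeholder)
object network COLO_CUSTOMER_NET
 subnet 203.0.113.0 255.255.255.0

! Translate decrypted client traffic to the outside interface address as it
! is hairpinned back out, so the customer's return traffic comes back to the ASA
nat (outside,outside) source dynamic COLO_VPN_POOL_NET interface

! Restrict what the VPN users can reach: only the customer's block, nothing
! else that shares the CoLo switch block (the hosted environment is untouched)
access-list COLO_VPN_FILTER extended permit ip 10.99.0.0 255.255.255.0 203.0.113.0 255.255.255.0
! Only the customer's block is sent through the tunnel
access-list COLO_SPLIT standard permit 203.0.113.0 255.255.255.0

group-policy COLO_CUSTOMER_GP internal
group-policy COLO_CUSTOMER_GP attributes
 vpn-filter value COLO_VPN_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value COLO_SPLIT
```

After the nat (outside,outside) step the client traffic crosses the CoLo switch block in the clear, which is the exposure Jon points out, so the vpn-filter is what keeps a customer's VPN users confined to that customer's own block.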

Hi Jon!

Thanks so much for your great advice as usual, I need to discuss this internally with some colleagues and I will get back to you with a more detailed reply.


Cheers,


Matt :-)
