cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
242
Views
0
Helpful
1
Replies
Highlighted
Beginner

Transparent (or routed) Firewall Network Design Recommendations

I am looking for some suggestions please.  Attached is a basic design for a network with a Router, Transparent Firewall and Layer 2 switch.  The mandate is the push some traffic through the Firewall which is limited to 250Mbps throughput and other traffic we trust to bypass this path and go direct to the router/internet at 1Gpbs (Backups for example).  The desire of using a Transparent firewall is purely for simplicity as the 4321 Router is running ZBF and doing NAT to the internet so we really only need the ASA doing IPS on the traffic and don't want to use NAT, Routing or ACL's on it if we don't have too.  I'd reluctantly be ok with using the ASA in routed mode if recommendations suggest this is the best option.

 

The problem I'm having is how to force the relevant traffic via the transparent ASA path since we have a layer 2 switch and cannot have 2 same subnet IP's on the 4321 on separate interfaces - even if we could there would be an issue of async routing as we want traffic going out to take the same path back and visa versa.  I looked at VRF's but that adds extra complexity that I'm trying to avoid but I'm open to input there as I'm not fully up to speed with my knowledge of VRF.

Now... Obviously I could place the ASA in routed mode and use PBR on the 4321 to send traffic where it needs to go and if that's the best option, so be it.  But I would like to avoid anything I don't need on the ASA such as NAT.  Without NAT on the ASA in routed mode I think I would still have the issue of async routing though even if the outside interface was a different subnet .e.g  inside=192.168.1.250, outside=172.27.1.250 and have an interface on the 4321 with 172.27.1.254 sending this to the internet.  If I understand correctly the return traffic would have the the destination in the 192.168.1.0/24 subnet and bypass the ASA coming back in?

I'd appreciate some input from experts on how they would implement this.

 

Edit:  In case anyone wonders why I don't use the IPS container on the 4000 series router.  We have a boost license which prevents this.

 

1 REPLY 1
Highlighted
VIP Mentor

Hello
You could possibly apply a L2 port mac access-lists on the L2 switch on the two uplinks between the fw and the rtr to deny certain traffic being switched via either of the two uplinks.


Example
mac access-list extended pacl
deny host xxxx.xxx.xxxx any
etc...
permit any any

or
mac access-list extended pacl
permit host xxxx.xxx.xxxx any
etc...

in x/x
mac access-group pacl in 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future