Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
455
Views
0
Helpful
1
Replies

Transparent (or routed) Firewall Network Design Recommendations

jelloir
Level 1
Level 1

‎02-11-2020 07:50 PM - edited ‎02-11-2020 07:56 PM

I am looking for some suggestions please.  Attached is a basic design for a network with a Router, Transparent Firewall and Layer 2 switch.  The mandate is the push some traffic through the Firewall which is limited to 250Mbps throughput and other traffic we trust to bypass this path and go direct to the router/internet at 1Gpbs (Backups for example).  The desire of using a Transparent firewall is purely for simplicity as the 4321 Router is running ZBF and doing NAT to the internet so we really only need the ASA doing IPS on the traffic and don't want to use NAT, Routing or ACL's on it if we don't have too.  I'd reluctantly be ok with using the ASA in routed mode if recommendations suggest this is the best option.

 

The problem I'm having is how to force the relevant traffic via the transparent ASA path since we have a layer 2 switch and cannot have 2 same subnet IP's on the 4321 on separate interfaces - even if we could there would be an issue of async routing as we want traffic going out to take the same path back and visa versa.  I looked at VRF's but that adds extra complexity that I'm trying to avoid but I'm open to input there as I'm not fully up to speed with my knowledge of VRF.

Now... Obviously I could place the ASA in routed mode and use PBR on the 4321 to send traffic where it needs to go and if that's the best option, so be it.  But I would like to avoid anything I don't need on the ASA such as NAT.  Without NAT on the ASA in routed mode I think I would still have the issue of async routing though even if the outside interface was a different subnet .e.g  inside=192.168.1.250, outside=172.27.1.250 and have an interface on the 4321 with 172.27.1.254 sending this to the internet.  If I understand correctly the return traffic would have the the destination in the 192.168.1.0/24 subnet and bypass the ASA coming back in?

I'd appreciate some input from experts on how they would implement this.

 

Edit:  In case anyone wonders why I don't use the IPS container on the 4000 series router.  We have a boost license which prevents this.

 

Preview file
48 KB
0 Helpful
1 Reply 1

paul driver
VIP
VIP

‎02-12-2020 05:57 AM - edited ‎02-12-2020 06:10 AM

Hello
You could possibly apply a L2 port mac access-lists on the L2 switch on the two uplinks between the fw and the rtr to deny certain traffic being switched via either of the two uplinks.


Example
mac access-list extended pacl
deny host xxxx.xxx.xxxx any
etc...
permit any any

or
mac access-list extended pacl
permit host xxxx.xxx.xxxx any
etc...

in x/x
mac access-group pacl in 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card