I am looking for some suggestions please. Attached is a basic design for a network with a Router, Transparent Firewall and Layer 2 switch. The mandate is the push some traffic through the Firewall which is limited to 250Mbps throughput and other traffic we trust to bypass this path and go direct to the router/internet at 1Gpbs (Backups for example). The desire of using a Transparent firewall is purely for simplicity as the 4321 Router is running ZBF and doing NAT to the internet so we really only need the ASA doing IPS on the traffic and don't want to use NAT, Routing or ACL's on it if we don't have too. I'd reluctantly be ok with using the ASA in routed mode if recommendations suggest this is the best option.
The problem I'm having is how to force the relevant traffic via the transparent ASA path since we have a layer 2 switch and cannot have 2 same subnet IP's on the 4321 on separate interfaces - even if we could there would be an issue of async routing as we want traffic going out to take the same path back and visa versa. I looked at VRF's but that adds extra complexity that I'm trying to avoid but I'm open to input there as I'm not fully up to speed with my knowledge of VRF.
Now... Obviously I could place the ASA in routed mode and use PBR on the 4321 to send traffic where it needs to go and if that's the best option, so be it. But I would like to avoid anything I don't need on the ASA such as NAT. Without NAT on the ASA in routed mode I think I would still have the issue of async routing though even if the outside interface was a different subnet .e.g inside=192.168.1.250, outside=172.27.1.250 and have an interface on the 4321 with 172.27.1.254 sending this to the internet. If I understand correctly the return traffic would have the the destination in the 192.168.1.0/24 subnet and bypass the ASA coming back in?
I'd appreciate some input from experts on how they would implement this.
Edit: In case anyone wonders why I don't use the IPS container on the 4000 series router. We have a boost license which prevents this.
Hello!I'm looking for a way to make my EEM script more dynamic and automated for my environment. This is what I have - basically I just capture the 4 IPSec peer IP addresses of each neighbor and insert this data into 4 different variables. ...
Hi all,I have a couple of Nexus9k switches. I need to get tcpdump from the physical interface which connected to the server. I'm looking for a specific protocol on tcpdump so that which feature should I use? I asked that because I couldn't full...
We are building out our first few AAR polices and are running into an error message.Built Global Policy with SLA class and traffic rules for voice traffic, attached to to the sites and VPN we needed, no issue. Building a second policy for management ...
Cisco Champion Radio · S7|E45 Network Insights with AI Endpoint Analytics
Identifying who and what is on the network is a challenge for many organizations. Incomplete visibility makes it difficult to implement advanced security policies and recommendatio...