02-07-2019 04:20 PM - edited 03-08-2019 05:34 PM
We are gearing up the whole SD-WAN thing and I am being told the dual DIA circuits need to terminate at the SD-WAN edge device, but I need to keep my firewalls behind this device for compliance reasons. Well, I have always done the NAT at the ASA, so how does this change things? Will my public IPs be on my ASA anymore? Do you just run a /29 or /28 between the edge SD-WAN device and the ASA and NAT again at the ASA? This is driving me nuts! The last implementation of SD-WAN I did, we pulled the remote branches into the DC on a head-end unit that had a different ISP. We backhauled all sites to the DC then out to the internet, so my internet edge was still traditional when it comes to NAT on firewalls. This place wants to make the SD-WAN devices the edge routers and firewalls in one, but I can't do that for compliance, so how does this design work?
02-08-2019 08:31 AM
What "compliance" requirement doesn't the vEdge (I assume you're talking about Viptela) satisfy that the ASA does?
02-08-2019 10:34 AM
02-08-2019 12:52 PM
The vEdge can definitely do segmentation and even IPS/IDS in the latest version. We use vEdges at the network edge in retail locations and they are PCI DSS compliant.
02-09-2019 11:49 AM
02-09-2019 11:03 AM
Hi Steven,
You can definitely place the vEdge behind the firewall, with the public IPs on the firewall and NAT in place, so that the vEdges take a public IP to reach other vEdges and the controllers.
Just make sure you have all the required firewall ports opened to establish the control and data tunnels.
I have been in a similar situation as you and deployed it the same way... That's how it has to be done.
Let me know if that helps, and also if you have any specific queries then please shoot...
Regards,
Jayesh
***Rate all posts that are helpful. Mark it as a solution if that answers your query, it might help other users who are having the same query***
02-09-2019 11:51 AM
02-09-2019 12:37 PM
It's a brownfield, so the link is terminated on the existing WAN router, which is connected to the firewall via the outside leg, and the inside leg is connected to the location core switch (trunk).
We brought the vEdge inline via an L2 link (using the same trunk) from the core switch, connecting the vEdge to the firewall. So on the vEdges we have the private IP and NAT is done on the firewall.
Hope that is clear; do you see any challenge in your topology?
Regards,
Jayesh
02-09-2019 01:05 PM
02-09-2019 01:55 PM
All those features are part of the overlay. The stuff I mentioned in the previous post was part of the underlay.
02-09-2019 01:59 PM
Right, but if your vEdge is southbound of the firewalls you will not terminate the DIAs into the vEdge; you will basically terminate the two DIAs probably into an internet switch pair, then down to the firewalls, then to the vEdge. I mean, you said the vEdge is layer 2, so does it just act like a passthrough device at that point?
02-09-2019 03:05 PM
Well.. when I wrote L2 I actually meant the core switch to be L2, providing access between the vEdge and the firewall on a /30 or /29 subnet.. like point to point. This setup was particular to the environment so that the existing devices and new vEdges could coexist.
The vEdge doesn't require the DIAs to be terminated directly on it; rather it just needs the path to form tunnels with other vEdges. So even if we have private IPs on our vEdges and we do NAT on the firewall, the vEdge would establish IPsec tunnels with other vEdges as long as we have an internet path through the firewall. And the firewall would essentially be part of the underlay for this SD-WAN path (IPsec tunnel/overlay).
P.S.: Replying from my mobile device so keeping it short.
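The design Jayesh describes above (vEdge on a private point-to-point subnet behind the firewall, public address and NAT on the firewall, required UDP ports opened) looks roughly like the following on an ASA. This is an added example, not configuration from anyone in this thread: it assumes ASA 8.3+ object NAT syntax, a /30 between a dedicated ASA interface and the vEdge transport interface, and placeholder addresses (vEdge 10.255.0.2, ASA 10.255.0.1, public 203.0.113.10). The UDP port range is the assumed SD-WAN default (base port 12346 with port-hopping offsets); confirm it against the port list for your release before deploying.

```text
! Added example ASA config (not from this thread). Addresses are placeholders.
!
! Point-to-point /30 toward the vEdge transport (TLOC) interface.
! The vEdge keeps a private address here and points its default route at 10.255.0.1.
interface GigabitEthernet0/2
 nameif vedge-transport
 security-level 90
 ip address 10.255.0.1 255.255.255.252
!
! One-to-one static NAT: the vEdge's private TLOC address is always seen as one
! fixed public address by the controllers and by the other vEdges. Use a static
! mapping rather than PAT, so the public port seen by the remote side is stable.
object network VEDGE-TLOC
 host 10.255.0.2
 nat (vedge-transport,outside) static 203.0.113.10
!
! Inbound from the DIA: DTLS control connections and IPsec data tunnels are UDP.
! Assumed default range 12346-12445; verify against your release's port list.
object-group service SDWAN-UDP
 service-object udp destination range 12346 12445
!
! ASA 8.3+ ACLs reference the real (untranslated) address, hence object VEDGE-TLOC.
access-list OUTSIDE-IN extended permit object-group SDWAN-UDP any object VEDGE-TLOC
access-group OUTSIDE-IN in interface outside
```

With this in place the firewall is purely underlay, as the thread says: it forwards the vEdge's UDP tunnels and translates its address, while segmentation and policy for user traffic stay in the overlay on the vEdge. Compliance inspection still happens on the ASA because every packet toward the DIA crosses it. If control connections fail to come up, the first things to check are the static NAT (the controllers must see the same public address and port the vEdge learns) and that no other rule or inspection on the ASA is rewriting the UDP source ports.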