Internal Firepower configuration with VLANs?

bkyuksel
Level 1

Hello Dear Colleagues,

I am really stuck with an issue.

I have 4 VLANs and all are working fine; imagine that there are Office, Business, Server and Other VLANs and "ip routing" is enabled on the L3 switch. On this topology the VLANs are created on the L3 Cisco switch and everything is connected to this core switch. Right now, I need to implement an internal Firepower 1010 on the Business VLAN to prohibit some IP accesses to other VLANs. Of course I could do it with ACLs, but it gets complicated and hard to manage after a while.

How and where should I implement this internal FTD on the topology? Also, FYI, I am using a Fortigate as UTM to access the internet.

I researched a lot, but it seems more complicated even though I find some information every time. I can use ROAS, but I would have to move all the VLANs to the FTD and all traffic would be diverted to the FTD; it is difficult and useless. All I need is to implement an internal FW between Business and Office. Maybe I could use transparent mode, but it requires FMC; I don't have FMC so I can't use it.

I need your step-by-step instructions please. Thank you so much in advance.


Hi

I see no alternative but to pass the traffic through the firewall, which means extending your VLANs to the firewall by using a trunk between the firewall and the Layer 3 switch, creating Layer 3 on the firewall and using the firewall as the gateway for devices.

bkyuksel
Level 1

Thank you so much for your fast and kind reply. So if there is no other way than a FW, do you suggest implementing ROAS? What would you do if you were in this situation? (ACL, ROAS, FW routing, every choice you can imagine)

Configure a transit VLAN between the L3 switch and the FW.

This is used only to connect the L3SW to the FW.

Then use static or dynamic routing between the two FWs and the L3SW.

Here all 4 VLANs will have their SVI gateway on the L3SW and can access the internet via the FW.

Hello, can you please explain in some more detail if possible? Thank you.

Sorry, I am checking your comment only now. I see this issue is solved, please confirm?
Thanks
MHM

I will try Flavio's solution and I assume that it will work. Thank you for your help.

You are so so welcome

ROAS ends up being the simpler solution, I think. ACL is not good because it ends up being complex if you need to block too many things.

Let the firewall do what it does better and let the L3 switch do what it does better. Create a trunk, extend the VLANs, filter on the firewall and send back to your L3 switch.

Just mind the uplink capacity, as the traffic will cross it twice. This scenario is used everywhere.

bkyuksel
Level 1

Thank you, Flavio. If I decide to implement ROAS on this topology, how should I connect the internal ASA physically? It will be connected to the L3 switch with 1 cable, with subinterfaces like g1/0/1.10, g1/0/1.20, g1/0/1.30. Will the ASA have a direct connection to the External Firewall? Or will traffic be diverted to the L3 switch, and the L3 switch will send it to the External FW? Also, should I delete all the VLAN interfaces on the L3 SW and create them on the ASA? Or any other method?

Sorry for these long questions, but I feel thankful for all your answers. Every answer is a perfect clue for me. THANK YOU!

Don't be sorry, that's what we do here, we discuss technology.

It depends how traffic needs to flow in your network. Physically you need to have one cable or more; it depends on how much data you need to cross the uplink and the interfaces you have. Let's say it is 1 Gig; you may need more than one physical interface. But this is not a problem as long as you create a port-channel.

And then yes, you can create subinterfaces just like a traditional ROAS. The VLANs need to be created on the L3 switch for sure, otherwise Spanning Tree won't let it work. But you can create interface VLANs on the L3 switch or not, as the routing will be done on the ASA. But if you eventually want to not send traffic to the ASA for a specific VLAN, you may end up creating inter-VLAN routing on the L3 switch. Or not send specific traffic, like internet.

About the ASA sending traffic to the external firewall or not, it depends also. If the ASA is going to be the gateway for end users, it would be better if the ASA sends the traffic to the external firewall instead of sending it back to the L3 switch; otherwise, it would mean one more loop on the traffic before going out to the internet. It would be possible with a simple default route from the ASA to the L3 switch and then from the L3 switch to the External Firewall, but I don't think this is necessary if you have direct connectivity to the External Firewall from the ASA. If you don't, then sending the traffic back and then to the internet would be a possibility.

But, let's say you are going to send to the ASA only internal traffic and internet traffic to the external Firewall; then you could use routing on the L3 switch like:

ip route "internal-network" to "internal-network" > ASA

ip route "internal-network" to "External-network" > External Firewall

In this case, the default gateway for end users needs to be the L3 switch and not the ASA.
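A concrete configuration for the design discussed in this thread, added here as an illustration and not something any poster provided: the Office and Business VLANs are extended over a trunk to the internal firewall, which becomes their gateway and filters between them (Flavio's ROAS approach), a transit VLAN (MHM's suggestion) lets the VLANs that still route on the switch reach them, and a default route sends internet traffic straight to the external Fortigate. All VLAN numbers, addresses, hosts and interface names are assumed; the firewall side is written in ASA syntax, as the replies call the box an ASA (on an FTD managed by FDM the same settings are made in the GUI).

```cisco
! === L3 switch (IOS); VLANs 10/20 (Office/Business) already exist ===
vlan 99
 name FW-Transit
! Gateways for Office/Business move to the firewall, so remove their SVIs;
! a host that still has a switch gateway would bypass the filter.
no interface Vlan10
no interface Vlan20
!
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! Server/Other keep their SVIs here; reach the firewall VLANs via transit
ip route 10.0.10.0 255.255.255.0 10.0.99.1
ip route 10.0.20.0 255.255.255.0 10.0.99.1
! === Internal firewall (ASA syntax, assumed addressing) ===
interface GigabitEthernet1/1
 no shutdown
interface GigabitEthernet1/1.10
 vlan 10
 nameif office
 security-level 50
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet1/1.20
 vlan 20
 nameif business
 security-level 50
 ip address 10.0.20.1 255.255.255.0
interface GigabitEthernet1/1.99
 vlan 99
 nameif transit
 security-level 50
 ip address 10.0.99.1 255.255.255.0
interface GigabitEthernet1/2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
 no shutdown
!
! Same security level: allow inter-interface, then filter per VLAN with an ACL
same-security-traffic permit inter-interface
access-list BUSINESS_IN extended deny ip host 10.0.20.50 10.0.10.0 255.255.255.0
access-list BUSINESS_IN extended permit ip any any
access-group BUSINESS_IN in interface business
! Server VLAN (assumed 10.0.30.0/24) via the switch; internet via the Fortigate
route transit 10.0.30.0 255.255.255.0 10.0.99.2 1
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

With the Office and Business SVIs removed from the switch, traffic between those two VLANs has no path except through the firewall, which is what makes the ACL on the business interface effective.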

Thank you so much indeed. Great explanation. I will definitely do the simulation by following your points. Thank you! I will let you know and share it here with you if possible. Thanks.