Segregating multiple customers behind ASA

network_user
Level 1

Hello,

I am looking for good design options to segregate different customer traffic behind an ASA firewall. Let's say I have multiple routers from different customers connected behind my ASA firewall. One way is to just assign a DMZ to customers and NAT their private IP to public on the ASA. But that does not provide segregation of one customer's traffic from another. So what are other ways I can attain that? Do I create one DMZ for each customer on the ASA and assign them an IP subnet on that DMZ? But that does not seem like a very scalable solution... or should I create SVIs on my L3 switch behind the ASA and assign them different VLANs... what would be the ideal design?

Thank you.


4 Replies

robert.horrigan
Level 2

You'd need a different DMZ for every customer to segregate their traffic, assuming they have a firewall requirement. If that's not scalable enough for you then you could look into vShield or VSG.

randerson
Level 1

Depending upon the capabilities of your firewall, there are a lot of different ways to do this. You can put the customers each on separate VLANs, you can create multiple VRFs (not sure if the ASA supports this), or you can create multiple contexts on the ASA. I believe an interface has to be dedicated to only one context, but I may be wrong. The purpose of a context is to create a completely isolated environment for just such an occasion. If you only need to separate traffic, the easiest way is by VLAN, IMO - if you need to be able to meet specific audit guidelines then you'd need to use a separate routing domain (VRF) or ASA context.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html

Hello Ross,

What do you mean by VLAN IMO?

Sorry .. IMO = In my opinion

*If you need to separate traffic into different broadcast domains, use VLANs and/or physical interfaces with NATing - you'll need to ACL between the individual interfaces, OR just do not provide NATing or statics to allow traffic to flow between the customer interfaces. By default, ASA interfaces allow for communication between interfaces (through security level), but once you add an ACL, all interfaces must get an ACL to allow traffic to flow. In addition, you need to NAT (or use a static) to allow traffic between interfaces.

*If you need to guarantee that you have independent routing tables - use VRFs (not sure if the ASAs support this)

*If you need to completely separate all traffic (as above) AND have independent FW settings for each customer - use contexts (link above). A context per customer makes it look like each customer has its own firewall and allows you to configure different settings per context - the downside is that some things are not allowed, such as VPNs and dynamic protocols.
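As an added example (not from this thread or from Cisco's documentation), here is one way to lay out the "VLAN per customer plus ACLs and separate NAT" design that randerson's reply and the accepted answer both describe, with the per-customer context alternative at the end. It uses pre-8.3 ASA syntax (the `nat`/`global`/`static` form the accepted answer refers to). All interface names, VLAN numbers and addresses (203.0.113.0/24 as the public range, 10.10.0.0/16 and 10.20.0.0/16 as the two customers' private ranges) are made up for the example. Two points the example builds in: the customer-facing ASA interfaces get the same security level, so the ASA drops traffic between them by default without any ACL; and the L3 switch puts each customer SVI in its own VRF-lite instance, because SVIs in the switch's global routing table would route customer A to customer B directly, never reaching the firewall.

```text
! ---- L3 switch (constructed example): one VLAN per customer, VRF-lite so the
! ---- switch never routes between customers; the ASA is the only path out.
ip vrf cust-a
ip vrf cust-b
!
vlan 10
 name cust-a
vlan 20
 name cust-b
!
interface Vlan10
 ip vrf forwarding cust-a
 ip address 10.10.0.2 255.255.255.0
interface Vlan20
 ip vrf forwarding cust-b
 ip address 10.20.0.2 255.255.255.0
!
ip route vrf cust-a 0.0.0.0 0.0.0.0 10.10.0.1
ip route vrf cust-b 0.0.0.0 0.0.0.0 10.20.0.1
!
interface GigabitEthernet1/0/1
 description trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20

! ---- ASA, single context, pre-8.3 NAT syntax (constructed example) ----
nat-control
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
 nameif cust-a
 security-level 50
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif cust-b
 security-level 50
 ip address 10.20.0.1 255.255.255.0
! Equal security levels: cust-a <-> cust-b traffic is dropped unless
! "same-security-traffic permit inter-interface" is configured. Leave it off.
!
route cust-a 10.10.0.0 255.255.0.0 10.10.0.2 1
route cust-b 10.20.0.0 255.255.0.0 10.20.0.2 1
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
! Separate NAT pools per customer. There is no nat/global pairing between
! cust-a and cust-b, so with nat-control on, no translation exists for that
! path and the ASA drops it even if an ACL were to permit it.
global (outside) 1 203.0.113.10
nat (cust-a) 1 10.10.0.0 255.255.0.0
global (outside) 2 203.0.113.11
nat (cust-b) 2 10.20.0.0 255.255.0.0
!
! A published host in cust-a: static plus an outside ACL on the mapped address
static (cust-a,outside) 203.0.113.20 10.10.1.20 netmask 255.255.255.255
access-list outside-in extended permit tcp any host 203.0.113.20 eq 443
access-group outside-in in interface outside
!
! Explicit deny between customers on each customer interface, so the isolation
! does not depend solely on security levels or on the absence of a NAT rule
access-list cust-a-in extended deny ip any 10.20.0.0 255.255.0.0
access-list cust-a-in extended permit ip 10.10.0.0 255.255.0.0 any
access-group cust-a-in in interface cust-a
access-list cust-b-in extended deny ip any 10.10.0.0 255.255.0.0
access-list cust-b-in extended permit ip 10.20.0.0 255.255.0.0 any
access-group cust-b-in in interface cust-b

! ---- Alternative: one security context per customer (system execution space) ----
mode multiple
mac-address auto
context cust-a
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/cust-a.cfg
context cust-b
 allocate-interface GigabitEthernet0/0 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/cust-b.cfg
! Each context then carries its own nameifs, ACLs and NAT. The outside interface
! is shared, so each context needs a unique MAC (mac-address auto) for the
! classifier to hand inbound packets to the right context.
```

The single-context layout gives three independent reasons why customer A cannot reach customer B (equal security levels, no NAT path, explicit deny ACL); any one of them being misconfigured later still leaves the other two in place, which is the kind of defence in depth an audit will look for. The context variant trades that shared policy for truly separate configurations per customer, at the cost of the features the accepted answer mentions as unavailable in multiple-context mode.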
