ASA Security Service module Deployment in Cat 6500

sameermunj (Level 1)
1. I am installing an ASA Security Service module in a Catalyst 6500-VSS (cluster-A), and communication between the switch and the Security Service module is working fine.
2. We have users connected to a different Catalyst 6500-VSS (cluster-B); the users' default gateway is configured on a layer 3 interface on the cluster-B VSS.
3. We have servers connected to a different Catalyst 6500-VSS (cluster-C); the servers' default gateway is configured on a layer 3 interface on the cluster-C VSS.
4. Cluster-B VSS and cluster-C VSS are connected to cluster-A VSS with routed links (L3 interfaces).
5. This ASA Security module will be used to restrict communication between users accessing the servers.

We have tested this deployment in transparent mode and it is not working; I need your help in configuring the security module in layer 3 mode to achieve this requirement.

Looking forward to your earliest response.
4 Replies

Francesco Molino (VIP Alumni)

Hi

You've tested in transparent mode and it failed. Now you want to configure it in layer 3 (routed) mode?

How is the routing done? Dynamic routing or static routing?

You need to break that routing to force the traffic coming from cluster B to cluster C to pass through the ASA-SM.

You have different choices, but the one I would suggest is to split the routing domain. Let's say the L3 subnet between cluster A and cluster B is in global routing, with a default route (or any dynamic routing protocol) pointing to the ASA-SM to reach cluster C. Then the ASA-SM and the L3 connection to cluster C can be placed in a VRF, also with a default route pointing to the ASA-SM to reach cluster B. Using a VRF avoids direct routing between those clusters.

On cluster A itself, if VLANs are in global, they will be able to talk to each other and go to the ASA to reach cluster C or other VLANs in cluster A within the VRF.

Is that clear?

If you share a quick drawing with the interfaces connecting each cluster and the config of cluster A, I can help you build the config.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
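As an added worked example (mine, not from the original thread or from either poster), this is what the split-routing-domain design described above looks like as configuration on the VSS that hosts the ASA-SM, plus the matching ASA-SM side. Everything concrete is an assumption made for the example: module slot 3, VLANs 100 and 200 as the two firewall VLANs, the 10.0.0.0/8 addressing, and 10.10.0.0/16 and 10.20.0.0/16 as the user and server subnets behind clusters B and C. The point is that the global table and VRF INSIDE each contain only one leg of the ASA-SM, so the MSFC has no path between the two interconnects except through the module.

```text
! ===== Catalyst 6500 VSS hosting the ASA-SM (IOS, MSFC side) =====
! Hand VLANs 100 and 200 to the module; the MSFC keeps an SVI in each one.
firewall vlan-group 10 100,200
firewall module 3 vlan-group 10        ! module slot is an assumption
firewall multiple-vlan-interfaces      ! required for more than one SVI into firewall VLANs
!
ip vrf INSIDE
 rd 65000:1
!
! --- Global routing domain: routed link to cluster B + "outside" leg of the ASA-SM
interface TenGigabitEthernet1/1/1
 description L3 link to Cluster-B VSS (users)
 ip address 10.0.1.1 255.255.255.252
!
interface Vlan100
 description OUTSIDE leg to ASA-SM
 ip address 10.0.100.1 255.255.255.0
!
! --- VRF INSIDE: routed link to cluster C + "inside" leg of the ASA-SM
interface TenGigabitEthernet1/1/2
 description L3 link to Cluster-C VSS (servers)
 ip vrf forwarding INSIDE
 ip address 10.0.2.1 255.255.255.252
!
interface Vlan200
 description INSIDE leg to ASA-SM
 ip vrf forwarding INSIDE
 ip address 10.0.200.1 255.255.255.0
!
! --- Static glue: one default route per routing domain, each pointing at the module
ip route 10.10.0.0 255.255.0.0 10.0.1.2              ! users, via cluster B
ip route 0.0.0.0 0.0.0.0 10.0.100.2                   ! everything else -> ASA-SM outside
ip route vrf INSIDE 10.20.0.0 255.255.0.0 10.0.2.2    ! servers, via cluster C
ip route vrf INSIDE 0.0.0.0 0.0.0.0 10.0.200.2        ! everything else -> ASA-SM inside

! ===== ASA-SM, routed single-context mode =====
interface Vlan100
 nameif outside
 security-level 0
 ip address 10.0.100.2 255.255.255.0
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.0.200.2 255.255.255.0
!
route outside 10.10.0.0 255.255.0.0 10.0.100.1
route inside  10.20.0.0 255.255.0.0 10.0.200.1
!
! The access list that used to live on the 6500 becomes the policy here
! (assumed policy: users may reach servers on 443 only, everything else is dropped and logged).
object-group network USERS
 network-object 10.10.0.0 255.255.0.0
object-group network SERVERS
 network-object 10.20.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit tcp object-group USERS object-group SERVERS eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The check for the bypass concern: on the MSFC, `show ip route` (global) must not contain the server prefix via anything other than the default to 10.0.100.2, and `show ip route vrf INSIDE` must reach the user prefix only through 10.0.200.2; on the ASA-SM, `show conn` should show the user-to-server flows being built. Any SVI on the host chassis that must be protected from the users goes into VRF INSIDE, as Francesco says; an SVI left in global is reachable from cluster B without crossing the module.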

Thanks for the reply, Francesco.

The existing setup has an access-list on the cluster B Cat6500 VSS limiting cluster C from accessing cluster A.

The requirement is to place the ASASM in the cluster B VSS and migrate the access list from the 6500 chassis to the ASA. For this we thought of transparent mode, but as per the current design it doesn't seem to work out, so we are looking at routed mode.

All three clusters are connected by layer 3 routed ports and use OSPF as the dynamic routing protocol between them.

There are also layer 3 MSFC VLANs on the chassis hosting the ASA (cluster B).

I have attached the block diagram for your reference.

Hope you understood the setup and requirement.

In your design, the VRF solution will work; however (I don't know your config), you can also bring these interconnection subnets into the ASA-SM and build the OSPF peering.

For everything hosted in your cluster B, you'll also need to build an OSPF adjacency between global routing and the ASA.

Is that clear?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
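As an added example (mine, not from either poster), here is the OSPF variant Francesco describes: the ASA-SM becomes an OSPF router with an adjacency in each routing domain, so the static defaults are replaced by dynamic routing while the VRF split still guarantees the host chassis cannot route around the module. It assumes the host VSS has VLAN 100 (10.0.100.0/24) in global routing facing the ASA-SM outside interface, VLAN 200 (10.0.200.0/24) in VRF INSIDE facing its inside interface, the cluster B routed link (10.0.1.0/30) in global and the cluster C routed link (10.0.2.0/30) in the VRF; addresses, process numbers and router IDs are made up for the example.

```text
! ===== Host VSS (IOS): one OSPF process per routing domain =====
router ospf 1
 router-id 10.0.100.1
 passive-interface default
 no passive-interface TenGigabitEthernet1/1/1     ! routed link to cluster B
 no passive-interface Vlan100                     ! outside leg to ASA-SM
 network 10.0.1.0 0.0.0.3 area 0
 network 10.0.100.0 0.0.0.255 area 0
!
router ospf 2 vrf INSIDE
 router-id 10.0.200.1
 capability vrf-lite          ! skip the PE down-bit / domain-tag checks on a VRF-lite box
 passive-interface default
 no passive-interface TenGigabitEthernet1/1/2     ! routed link to cluster C
 no passive-interface Vlan200                     ! inside leg to ASA-SM
 network 10.0.2.0 0.0.0.3 area 0
 network 10.0.200.0 0.0.0.255 area 0

! ===== ASA-SM (routed mode): one OSPF process spanning both legs =====
router ospf 1
 router-id 10.0.100.2
 network 10.0.100.0 255.255.255.0 area 0   ! ASA takes a subnet mask here, not a wildcard
 network 10.0.200.0 255.255.255.0 area 0
 log-adj-changes
```

Process 1 and process 2 on the MSFC keep separate link-state databases, so the only router that sees both sides is the ASA-SM; that is what answers the "does the chassis bypass the module" question, and it is exactly what a single global OSPF process with the interconnects in one table would break. Verify with `show ip ospf neighbor` on the MSFC (two neighbours, one per process, both the ASA-SM) and `show ospf neighbor` on the ASA-SM, then confirm `show ip route ospf` in global lists the server subnets with 10.0.100.2 as the only next hop. Without `capability vrf-lite` the VRF process may treat routes carrying the down bit as PE-originated and refuse to install them. If you prefer the two sides not to share one area, the ASA supports a second OSPF process with redistribution between the two.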

Hello Francesco,

Thank you for your quick responses and analysis.

To give some more insight into the setup and requirement, I have attached the detailed setup topology.

Considering the setup in the topology, I have a few queries.

# Is it feasible to place the firewall module in transparent mode? If yes, how can I configure the ASASM to achieve this? I tried but was unable to do so.

Here cluster A and cluster C users will be accessing cluster D via the ASASM in cluster B.

Clusters A, C and D have no VLANs extended across them and are three separate layer 3 entities connected via cluster B using routed ports and OSPF as the routing protocol.

# If not transparent mode, then in routed mode how can I make sure that the chassis hosting the ASASM does not bypass the ASASM module while routing using OSPF?

Can you please share a sample config considering this requirement, or if you can suggest a configuration for this topology that would be great.

Thanks in advance