Network isolation

Vishnu Reddy

I have a network requirement to achieve where we are installing LIS software which should be adhering to HIPAA compliance and should be separated from the existing network infrastructure. Our network has a 4510 as the core switch directly attaching to the campus. Also a firewall is hanging off the core for Internet. Now internally all the VLANs talk to each other. Going forward the new server should be communicating from a secure VLAN and only with the required clients, and only if permitted. How would I go about implementing this in our existing network? I have a requirement for 2 VM hosts and storage for that server. Everyone accessing this server should follow the HIPAA compliance guidelines.


Should I implement it using an access-list in the core by creating a VLAN? But I think it wouldn't be that scalable and would be a nightmare for maintenance and troubleshooting.

Should I implement it by forcing the traffic through the ASA (hairpinning) and inspecting the traffic there on the ASA along with static NAT, and also would I have to permit intra-interface traffic?

I am confused about how to implement this solution.

A little help with this, or any documentation that would help me get to the solution, would be appreciated.

Thanks in advance.


18 Replies

Jon Marshall

I haven't worked anywhere needing HIPAA compliance but I would have thought the guidelines would dictate what level of security you needed, i.e. stateless ACLs on the SVI or a stateful firewall.

In terms of the implementation, I assume the server will be in its own VLAN?

If so I can't see why maintaining an ACL will be any more work than updating rules on a firewall.

If you did use the firewall then you would need to create a VLAN for the server but no SVI, i.e. you extend the VLAN to the firewall.

Then you would need a route on the 4500 for this VLAN pointing to the firewall so clients could get to the server.

The server's default gateway would obviously be the firewall.

Is this at all helpful or were you asking something completely different ?

Jon
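As an added illustration of the first option Jon mentions (a stateless ACL on the server VLAN's SVI, with the VLAN staying routed on the 4500), the configuration below is example code written for this page, not from the thread. Everything in it is assumed for illustration: the LIS server is 10.110.0.10 in VLAN 110 (10.110.0.0/24), permitted clinical workstations are in 10.20.0.0/24, an admin jump host is 10.20.0.5, and the application is reached on TCP/443.

```cisco
! --- 4500 core: server VLAN kept on the switch, filtered with a stateless RACL ---
! Addresses, VLAN names and ports are assumed for this example.
vlan 110
 name LIS-SECURE
!
! Traffic from the rest of the network toward the server VLAN.
! Applied "out" on the SVI, i.e. leaving the switch into VLAN 110.
ip access-list extended LIS-TO-SERVER
 remark Clinical workstations to the LIS application (assumed TCP/443)
 permit tcp 10.20.0.0 0.0.0.255 host 10.110.0.10 eq 443
 remark Admin jump host may SSH to the server, VM hosts and storage
 permit tcp host 10.20.0.5 10.110.0.0 0.0.0.255 eq 22
 remark Everything else is dropped and logged
 deny   ip any any log
!
! Traffic from the server VLAN toward the rest of the network.
! Applied "in" on the SVI, i.e. arriving from VLAN 110.
ip access-list extended LIS-FROM-SERVER
 remark Replies to client-initiated TCP sessions only (ACK/RST set)
 permit tcp host 10.110.0.10 10.20.0.0 0.0.0.255 established
 permit tcp 10.110.0.0 0.0.0.255 host 10.20.0.5 established
 remark Services the servers themselves need (assumed DNS and NTP hosts)
 permit udp 10.110.0.0 0.0.0.255 host 10.0.0.53 eq 53
 permit udp 10.110.0.0 0.0.0.255 host 10.0.0.123 eq 123
 deny   ip any any log
!
interface Vlan110
 description LIS secure VLAN (SVI stays on the core)
 ip address 10.110.0.1 255.255.255.0
 ip access-group LIS-FROM-SERVER in
 ip access-group LIS-TO-SERVER out
```

Two caveats a practitioner would want noted. The switch keeps no session state: `established` only checks TCP flag bits, so UDP replies (DNS, NTP) have to be permitted explicitly in each direction, and a host that can spoof ACK-set segments is not stopped by it. A RACL on the SVI also only sees routed traffic; two hosts inside VLAN 110 (for example a VM host and the storage) talk to each other switched, never through this ACL, so filtering within the VLAN would need a VACL or a firewall as the gateway.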

Hi Jon,

Thanks for your reply.

But this is just the beginning as we are going to adhere to the HIPAA regulations going forward. So something like the ASA would do the firewalling for these internal/DMZ servers. I liked your second solution since in the future we will be making the 4510 the distribution switch and introducing Nexus as the core switches. This will make the firewall rules consistent in just one place and easy to manage with a little bit of routing manipulation. It seems to me to stick with the ASA as this solution is more scalable since we would be inspecting the traffic as per the requirements.

It's a more secure solution certainly, but bear in mind throughput requirements as well, i.e. switches tend to be a lot better than firewalls.

If that is not an issue then yes, it would consolidate all the access between firewalled VLANs, which would make it a single point of management.

In terms of how many VLANs you need to firewall going forward, whether or not it became a bottleneck is something to think about.

You could always have another set of firewalls internally for this if needed.

Jon

Thanks for your reply.

Yes, that's right. I have decided to have an internal set of firewalls for VLANs inside the organization for the future design. This solution would also be scalable in terms of the number of VLANs, would take care of firewalling east-west traffic, and would have a high availability solution built in by having a pair of firewalls for failover.

Thanks once again for replying very quickly.

Hi Jon,

There seems to be a long gap since we discussed this one. I just want your guidance on this one. I have attached a diagram to simulate what we want to achieve: pass all the traffic related to the new app through the firewall and apply access policies. Do we have to implement policy-based routing on the core switch based on the source IP to redirect traffic to the ASA, or set the default gateway on the web, database and app VMs to point to the ASA? Let me know if this is applicable to the solution I am working on.

Thanks in advance.

It depends what you need.

Do you want all traffic to and from all devices in VLANs 101, 105 and 110 to go via the firewall?

And what about traffic between those VLANs, i.e. from an app server to the database server? I assume you also want this to go via the firewall?

So basically any traffic from any network has to go via the firewall to get to any of these vlans.

And any traffic between these VLANs also has to go via the firewall.

Is that what you want ?

Jon

Thanks for your reply.

Yes, you understood that correctly. We want the web, app and database tiers communicating through the firewall.

Can this be implemented in the existing network?

Yes, you would simply not use SVIs or PBR as there is no need because everything has to go via the firewalls.

Like I said originally, I have never used HIPAA and so I don't know if they allow you to create DMZs (which is what you are effectively doing) on the same switch as your other internal VLANs.

You could use a separate switch, as you suggest, for those VLANs.

The switch would not have a connection to the 4500, only the ASA would.

That way you have complete separation between your DMZs and the internal switch.

Jon

Thanks for your reply. Yeah, I think I should go with adding a 2960 trunked to the ASA and achieve this more easily rather than doing policy routing to redirect traffic to the ASA.

You don't use PBR whichever solution you go with.

If you used the 4500 there are no SVIs for the VLANs you are firewalling.

You do need routes whichever solution you go with.

So you can either use static routes, in which case the 4500 needs a route for each firewalled VLAN with the next-hop IP of the firewall's inside interface, or you can use a dynamic routing protocol.

Up to you.

Jon

So I don't need SVIs for VLANs 100, 105 and 110 on the core 4500 switch, but just create the VLANs for trunking and provide static/dynamic routes to the ASA, and from the ASA back to the core switch 4500 for return traffic. But I still need to create subinterfaces on the ASAs and provide an IP address and VLAN on each subinterface for router-on-a-stick on the ASA. The default gateway on each VM should point to the ASA's subinterface.

Let me know if I am missing something here.

Yes, that's exactly what you do.

Although I suspect the route from the ASA to the core switch is already there unless this is a new firewall setup.

Like I say, either will work and it really depends on the HIPAA guidelines more than the technical solution.

Jon
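The design the two of them have just agreed on (VLANs trunked to the ASA with no SVIs on the 4500, a subinterface per VLAN on the ASA, static routes on the core pointing at the ASA's inside address, VM default gateways on the ASA subinterfaces) is shown end to end below. This is example configuration written for this page, not from the thread or the attached diagram. The VLAN IDs 101, 105 and 110 come from the thread; everything else is assumed: tier subnets 10.101.0.0/24, 10.105.0.0/24 and 10.110.0.0/24 with one server each at .10, the ASA's existing inside address 10.1.1.2 on GigabitEthernet0/1, a new trunk on ASA GigabitEthernet0/2 to 4500 GigabitEthernet1/1, workstations in 10.20.0.0/24, an admin host 10.20.0.5, and application ports 443, 8443 and 1433.

```cisco
! ---- 4500 core (the same VLAN config would go on a separate 2960 instead) ----
! VLANs exist for trunking only; deliberately no "interface Vlan101/105/110".
vlan 101
 name LIS-WEB
vlan 105
 name LIS-APP
vlan 110
 name LIS-DB
!
interface GigabitEthernet1/1
 description Trunk to ASA Gi0/2 carrying the firewalled VLANs (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101,105,110
!
! The ASA is the gateway for these subnets, so the core only needs routes to
! them via the ASA's existing inside address (assumed 10.1.1.2).
ip route 10.101.0.0 255.255.255.0 10.1.1.2
ip route 10.105.0.0 255.255.255.0 10.1.1.2
ip route 10.110.0.0 255.255.255.0 10.1.1.2

! ---- ASA: one subinterface per firewalled VLAN (router-on-a-stick) ----
! The existing inside interface (assumed Gi0/1, 10.1.1.2/24) and its routes to
! the campus are left untouched; the thread says this ASA is not new.
interface GigabitEthernet0/2
 description Trunk from core for LIS VLANs
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2.101
 vlan 101
 nameif lis-web
 security-level 60
 ip address 10.101.0.1 255.255.255.0
!
interface GigabitEthernet0/2.105
 vlan 105
 nameif lis-app
 security-level 70
 ip address 10.105.0.1 255.255.255.0
!
interface GigabitEthernet0/2.110
 vlan 110
 nameif lis-db
 security-level 80
 ip address 10.110.0.1 255.255.255.0
!
! Each VM's default gateway is the subinterface address of its own VLAN:
! web VMs -> 10.101.0.1, app VMs -> 10.105.0.1, database VMs -> 10.110.0.1.
!
! Client side (inbound on inside): workstations reach only the web tier, the
! admin host gets SSH to all three tiers, anything else toward the LIS subnets
! is dropped and logged. The final permit keeps the existing inside-to-Internet
! traffic working; merge these lines into whatever ACL is already on inside.
access-list INSIDE-IN extended permit tcp 10.20.0.0 255.255.255.0 host 10.101.0.10 eq 443
access-list INSIDE-IN extended permit tcp host 10.20.0.5 10.101.0.0 255.255.255.0 eq 22
access-list INSIDE-IN extended permit tcp host 10.20.0.5 10.105.0.0 255.255.255.0 eq 22
access-list INSIDE-IN extended permit tcp host 10.20.0.5 10.110.0.0 255.255.255.0 eq 22
access-list INSIDE-IN extended deny ip any 10.101.0.0 255.255.255.0 log
access-list INSIDE-IN extended deny ip any 10.105.0.0 255.255.255.0 log
access-list INSIDE-IN extended deny ip any 10.110.0.0 255.255.255.0 log
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
!
! Tier to tier: web may only open the app port, app may only open the DB port,
! the DB tier initiates nothing. Return traffic is matched by the ASA's state
! table, so no "established"-style rules are needed, unlike a switch ACL.
access-list LIS-WEB-IN extended permit tcp host 10.101.0.10 host 10.105.0.10 eq 8443
access-list LIS-WEB-IN extended deny ip any any log
access-group LIS-WEB-IN in interface lis-web
!
access-list LIS-APP-IN extended permit tcp host 10.105.0.10 host 10.110.0.10 eq 1433
access-list LIS-APP-IN extended deny ip any any log
access-group LIS-APP-IN in interface lis-app
!
access-list LIS-DB-IN extended deny ip any any log
access-group LIS-DB-IN in interface lis-db
```

A few points worth checking when applying this. No NAT is involved: on ASA 8.3 and later nothing is translated unless a `nat` rule says so, so the static NAT and hairpinning from the original question are not needed for traffic between internal subnets that the ASA simply routes. Because the three tiers sit on different subinterfaces with different security levels, no `same-security-traffic` command is required either; the ACLs above are what actually decide the policy. Finally, two hosts in the same VLAN (say two database VMs in VLAN 110) still reach each other switched, not through the ASA, so per-host isolation within a tier needs a separate VLAN per host, a private VLAN, or host-level controls.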

Thank you for your reply. Appreciate that.

Yes, there are routes already in the ASA pointing to the core switch, since it's not a new one.

Eventually we are designing the site as a DR/corporate site and will stick to the HIPAA guidelines from scratch. But for now this solution works as discussed.

Mukesh

You have received quite a lot of help on these forums which is absolutely what they are for so no problem with that but we all do this in our free time voluntarily.

Can I ask you to please consider using the rating system in future when you have received an answer that solved your issue.

It helps others find solutions that worked and it shows an appreciation of the efforts put in by people answering your questions.

No need to rate this thread, that's not the reason I asked, just for future use.

Jon
