Cisco ASA IPS behind ASA CSC-SSM

Aug 23rd, 2008

Greetings!


The requirement is to design a two-layered defense architecture.

The first logical layer shall include:

a) Cisco ASA with CSC-SSM first, and then

b) Cisco ASA with AIP-SSM

(No server farms are placed between the CSC-SSM and the AIP-SSM.)

The second layer shall include:

a) FWSM in a CAT6500

My query is: since all the necessary access-lists/NAT will be configured on the Cisco ASA with CSC-SSM (internet edge), should the access-list on the ASA with AIP-SSM be 'permit ip any any', diverting all traffic to the AIP-SSM? Or should there be additional firewall configuration on the ASA with AIP-SSM?


Regards.

Marwan ALshawi Sat, 08/23/2008 - 02:10

Based on these three layers of firewalls, I would suggest you do the following:

ASA-CSC: URL filtering and packet filtering, which means ACLs that permit and deny based on L3 IPs and L4 ports, and NATing as required.

Also try as much as possible to reduce the number of NAT applications in your layered topology. I mean, if you do NAT in each firewall it is going to be a complex topology and hard to do any troubleshooting in the future.

After you have done packet and URL filtering, now go to the second security layer, which is the ASA-AIP. In this one, inspect the permitted traffic from the edge firewall ASA-CSC and do whatever inline inspection through this firewall and the AIP module.

Finally, on the FWSM do more specific filtering and NATing if required, based on your servers.

Keep in mind that with FWSM all traffic is denied by default, even from higher-level to lower-level interfaces, unlike ASA, so you need, for example, a permit statement with an ACL applied on the inside interface to allow traffic to flow through the firewall, and so on.

Good luck with your defence-in-depth topology :)

Please rate if helpful.
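A configuration sketch of the three layers the reply describes, added here as an illustration and not part of the original thread. Interface names, addresses and ACL names are assumed; the syntax follows the ASA 8.0-era CLI (pre-8.3 NAT) and FWSM CLI.

```cisco
! ---- Layer 1a: internet-edge ASA with CSC-SSM (assumed names and addresses) ----
! Packet filtering and NAT are done only here; the CSC-SSM scans the permitted flows.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq smtp
access-group OUTSIDE_IN in interface outside
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.10.20.10 netmask 255.255.255.255
! Divert only the protocols the CSC-SSM understands (web and mail) to the module.
access-list CSC_SCAN extended permit tcp any any eq www
access-list CSC_SCAN extended permit tcp any any eq smtp
class-map CSC_TRAFFIC
 match access-list CSC_SCAN
policy-map global_policy
 class CSC_TRAFFIC
! fail-close drops the scanned protocols if the module is down, rather than passing them unscanned.
  csc fail-close
service-policy global_policy global

! ---- Layer 1b: ASA with AIP-SSM, directly behind the edge ASA ----
! No NAT here. The ACL is broad because filtering already happened upstream,
! and everything that arrives is sent inline through the sensor.
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
class-map IPS_TRAFFIC
 match any
policy-map global_policy
 class IPS_TRAFFIC
! fail-open would pass traffic uninspected if the module fails; fail-close blocks it.
  ips inline fail-close
service-policy global_policy global

! ---- Layer 2: FWSM in the Catalyst 6500 ----
! The FWSM denies everything by default, including inside->outside, so each
! direction needs an explicit permit. Keep these specific to the servers.
access-list OUTSIDE_IN extended permit tcp any host 10.10.20.10 eq www
access-group OUTSIDE_IN in interface outside
access-list INSIDE_OUT extended permit tcp host 10.10.20.10 any eq smtp
access-group INSIDE_OUT in interface inside
```

Whether the AIP-SSM layer uses fail-close or fail-open is a policy choice: fail-close preserves inspection coverage at the cost of availability when the module is down.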
