Centralised Firewall

Answered Question
Jun 13th, 2009

Hi all,

I have a Cisco ASA firewall & Core Router (Cisco 3845)in Head office connected to multiple branch offices (Cisc0 1841) in Serial interface of Core Router.

I am facing the problem that the traffic between branch offices (Ex. Branch-1 and Branch-2) is directly happening without passing or checking the Firewall as Firewall is in the LAN interface of the Core Router

I want the Branch to Branch traffic also should pass through Firewall. How to achieve this?. What is the general practise.

Please check the attached Diagram for reference.

I have this problem too.
0 votes
Correct Answer by Giuseppe Larosa about 7 years 5 months ago

Hello R.B. Kumar,

one way to do this is to use VRF lite concept:

each branch router is placed in a different VRF that is a separated routing table with its own subset of interfaces and routing protocol instances (if needed).

the subset of interfaces should include:

the serial interface for the branch office x and a Vlan subinterface on the link towards the ASA.

In this way traffic from Branch X to Branch Y needs to go via the ASA.

Be aware that if they need also internet access it is still the ASA that needs to provide them a NAT pool to each Branch office.

Hope to help

Giuseppe

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
thotsaphon Sat, 06/13/2009 - 12:35

Kumar,

I used to think about this for my customer. It's not possible to do so. You may think about redirecting traffic to the firewall but it will not pass from zone to zone.

You may think about how to configure C3845 to do that. You may use IOS firewall on the router. In case you love configuring ACL. You can do it as well. I would go for IOS firewall though.

HTH,

Toshi

Correct Answer
Giuseppe Larosa Sat, 06/13/2009 - 12:36

Hello R.B. Kumar,

one way to do this is to use VRF lite concept:

each branch router is placed in a different VRF that is a separated routing table with its own subset of interfaces and routing protocol instances (if needed).

the subset of interfaces should include:

the serial interface for the branch office x and a Vlan subinterface on the link towards the ASA.

In this way traffic from Branch X to Branch Y needs to go via the ASA.

Be aware that if they need also internet access it is still the ASA that needs to provide them a NAT pool to each Branch office.

Hope to help

Giuseppe

thotsaphon Sat, 06/13/2009 - 12:42

Giuseppe,

That's a great great idea!!!(grin).

I have no doubt why I give you 5!

Kumar,

Now you can pass traffic from zone to zone via ASA.

VRF is pretty cool. Just use separate LAN interfaces or sub-interfaces to dictate between the network/VRF.

Toshi

Reza Sharifi Sat, 06/13/2009 - 14:01

Hi Giuseppe,

Are you recommending different contexts on the firewall too or just use the global routing table on the firewall to route between the 2 VRFs?

Thanks,

Reza

Giuseppe Larosa Sat, 06/13/2009 - 21:53

Hello Reza,

a single context can be enough for this application scenario.

In other cases where each VRF represents a different customers using multiple contexts on the ASA can be needed to keep them separated.

Hope to help

Giuseppe

Actions

This Discussion