Centralised Firewall

Answered Question
Jun 13th, 2009

Hi all,


I have a Cisco ASA firewall and a Core Router (Cisco 3845) in the Head office, connected to multiple branch offices (Cisco 1841) on the Serial interfaces of the Core Router.


I am facing the problem that the traffic between branch offices (e.g. Branch-1 and Branch-2) flows directly, without passing through or being checked by the Firewall, as the Firewall is on the LAN interface of the Core Router.


I want the Branch-to-Branch traffic to also pass through the Firewall. How do I achieve this? What is the general practice?


Please check the attached Diagram for reference.



thotsaphon Sat, 06/13/2009 - 12:35

Kumar,

I used to think about this for my customer. It's not possible to do so. You may think about redirecting traffic to the firewall, but it will not pass from zone to zone.

You may think about how to configure the C3845 to do that. You may use IOS firewall on the router. In case you love configuring ACLs, you can do it as well. I would go for IOS firewall though.


HTH,

Toshi

Correct Answer
Giuseppe Larosa Sat, 06/13/2009 - 12:36

Hello R.B. Kumar,

One way to do this is to use the VRF-lite concept:

each branch router is placed in a different VRF, which is a separate routing table with its own subset of interfaces and routing protocol instances (if needed).


The subset of interfaces should include:

the serial interface for branch office X and a VLAN subinterface on the link towards the ASA.

In this way, traffic from Branch X to Branch Y needs to go via the ASA.


Be aware that if they also need internet access, it is still the ASA that needs to provide a NAT pool to each branch office.


Hope to help

Giuseppe
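
The VRF-lite layout described above, written out as an added configuration example (constructed for illustration, not configuration from this thread or from the poster's network; interface names, VLAN IDs, RDs, the 10.x transit addresses and the 192.168.x branch LANs are all assumptions):

```cisco
! --- Cisco 3845 core router (constructed example; interface names,
! --- VLAN IDs and addresses are assumptions, not from the thread) ---
ip vrf BRANCH1
 rd 65000:1
ip vrf BRANCH2
 rd 65000:2
!
! Each serial link lives only in its own branch VRF
interface Serial0/0/0
 ip vrf forwarding BRANCH1
 ip address 10.1.0.1 255.255.255.252
interface Serial0/0/1
 ip vrf forwarding BRANCH2
 ip address 10.2.0.1 255.255.255.252
!
! One dot1Q subinterface per VRF on the link towards the ASA
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.11
 encapsulation dot1Q 11
 ip vrf forwarding BRANCH1
 ip address 10.11.0.2 255.255.255.0
interface GigabitEthernet0/0.12
 encapsulation dot1Q 12
 ip vrf forwarding BRANCH2
 ip address 10.12.0.2 255.255.255.0
!
! Per-VRF routes: own branch LAN via the serial link, everything else via the ASA
ip route vrf BRANCH1 192.168.1.0 255.255.255.0 Serial0/0/0
ip route vrf BRANCH1 0.0.0.0 0.0.0.0 10.11.0.1
ip route vrf BRANCH2 192.168.2.0 255.255.255.0 Serial0/0/1
ip route vrf BRANCH2 0.0.0.0 0.0.0.0 10.12.0.1
!
! --- ASA: one subinterface per VRF on the same trunk ---
interface GigabitEthernet0/1.11
 vlan 11
 nameif branch1
 security-level 50
 ip address 10.11.0.1 255.255.255.0
interface GigabitEthernet0/1.12
 vlan 12
 nameif branch2
 security-level 50
 ip address 10.12.0.1 255.255.255.0
! Branch-to-branch traffic is now inter-interface on the ASA: it is
! inspected and must be permitted by the interface ACLs you apply
same-security-traffic permit inter-interface
route branch1 192.168.1.0 255.255.255.0 10.11.0.2
route branch2 192.168.2.0 255.255.255.0 10.12.0.2
```

To confirm the isolation on the router, `show ip route vrf BRANCH1` should list only the Branch-1 LAN and the default route via the ASA, with no route to the Branch-2 LAN. Without the `same-security-traffic permit inter-interface` line and matching ACLs, the ASA drops the branch-to-branch flows, which is the desired fail-closed behaviour until policy is written.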


thotsaphon Sat, 06/13/2009 - 12:42

Giuseppe,

That's a great, great idea!!! (grin)

I have no doubt why I gave you 5!


Kumar,

Now you can pass traffic from zone to zone via ASA.

VRF is pretty cool. Just use separate LAN interfaces or sub-interfaces to dictate between the network/VRF.


Toshi




Reza Sharifi Sat, 06/13/2009 - 14:01

Hi Giuseppe,


Are you recommending different contexts on the firewall too or just use the global routing table on the firewall to route between the 2 VRFs?


Thanks,

Reza


Giuseppe Larosa Sat, 06/13/2009 - 21:53

Hello Reza,

A single context can be enough for this application scenario.


In other cases, where each VRF represents a different customer, using multiple contexts on the ASA can be needed to keep them separated.


Hope to help

Giuseppe

