WAN Design Support

Nov 12th, 2009


We are refreshing our network design with a keen eye on security. Please advise if all WAN links, VPN, and proxy should be terminated on the DMZ for protection. We have an ASA 5540 with default ports. Today each service is running on a different box and hits the core directly.

WAN router connected to core switch

ASA firewall connected to core switch

Wireless LAN controller connected to core switch

VPN router connected to core switch

WAN, VPN, wireless, and proxy traffic don't pass the firewall

Web publishing services and SSL VPN pass the firewall

Any suggestions and Cisco documentation references?

Jon Marshall Thu, 11/12/2009 - 14:19


Here's a link to the security design docs/guides from Cisco -


In answer to your questions -

WAN - doesn't need to go through the firewall as long as your WAN is trusted, i.e. all the remote sites

VPN - should be firewalled

Wireless - again if possible should be firewalled

Proxy traffic - not sure which direction you mean but should really be firewalled in either direction.
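
One way to lay out the firewalled segments recommended in the answer above, as an added example that is not from the original thread or from Cisco documentation: VPN, wireless and proxy each terminate on their own ASA subinterface instead of on the core switch. Interface numbers, VLAN IDs, interface names, addresses, hosts and permitted ports are all assumptions.

```cisco
! Constructed example; every number, name and address below is an assumption.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Trunk to the switch; one subinterface (VLAN) per terminated service
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz-vpn
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz-wlan
 security-level 40
 ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/2.30
 vlan 30
 nameif dmz-proxy
 security-level 60
 ip address 10.10.30.1 255.255.255.0
!
! VPN users reach one internal application host only; everything else is logged and dropped
access-list VPN-IN extended permit tcp 10.10.10.0 255.255.255.0 host 10.0.0.50 eq 443
access-list VPN-IN extended deny ip any any log
access-group VPN-IN in interface dmz-vpn
!
! Wireless clients may talk to the proxy and nothing else
access-list WLAN-IN extended permit tcp 10.10.20.0 255.255.255.0 host 10.10.30.10 eq 8080
access-list WLAN-IN extended deny ip any any log
access-group WLAN-IN in interface dmz-wlan
!
! Proxy may go out to the web but not back into the inside network
access-list PROXY-IN extended deny ip any 10.0.0.0 255.255.255.0 log
access-list PROXY-IN extended permit tcp host 10.10.30.10 any eq 80
access-list PROXY-IN extended permit tcp host 10.10.30.10 any eq 443
access-list PROXY-IN extended deny ip any any log
access-group PROXY-IN in interface dmz-proxy
```

The explicit `deny ... log` entries make rejected flows visible in syslog, which helps when tightening the permit lines after migration.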


