Will appreciate it if anyone can please suggest.
We have 2 ASA 5520s with SSM modules in. Behind the ASA there is a CSS load balancer. This load balancer has an SSL module and an SSL certificate installed. Since the communication from the internet to the load balancer VIP is SSL, the SSM module configured to monitor the communication is limited, since everything is encrypted.
The communication between the LB and the server farm is not encrypted, but there is no IPS in between. Can you suggest if someone has used the below design?
int 1 (public) ----ASA1----- LB 1 (dmz interface) -------- inside interface of ASA1 (inside) where all web servers reside
Hence the traffic comes in on port 443 for the VIP address. A static on ASA 1 forwards the traffic to its dmz interface where LB 1 resides; then the traffic from LB 1 goes unencrypted to the inside interface where the whole web server farm resides. By doing so we can configure the SSM module to monitor the traffic from the LB to the web server farm, since it is between the 2 interfaces of the ASA, and we can also have an access-list on the ASA allowing the traffic only between the LB and the web servers.
Will this be a concern for ASA performance?
Is this a recommended design?
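The design above written out as an ASA configuration, added here as an illustration and not taken from the original post. It assumes pre-8.3 NAT syntax, a trunked Gi0/1 carrying dmz and inside subinterfaces, and constructed addresses (203.0.113.10 public VIP, 192.0.2.10 LB VIP, 10.0.0.11-12 web servers); only the LB may reach the web farm, and only that cleartext leg is sent to the SSM.

```text
! --- interfaces: outside on Gi0/0, dmz and inside as subinterfaces of Gi0/1 (assumed layout)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

! --- publish the LB VIP: public 203.0.113.10 -> LB VIP 192.0.2.10 on dmz (constructed addresses)
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! --- only the LB may talk to the web farm, and only on the cleartext port; everything else is logged and dropped
object-group network WEB_FARM
 network-object host 10.0.0.11
 network-object host 10.0.0.12
access-list dmz_in extended permit tcp host 192.0.2.10 object-group WEB_FARM eq 80
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz

! --- hand the decrypted LB -> web farm leg to the SSM inline; fail-close drops traffic if the module is down
access-list IPS_TRAFFIC extended permit tcp host 192.0.2.10 object-group WEB_FARM eq 80
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map dmz_policy
 class IPS_CLASS
  ips inline fail-close
service-policy dmz_policy interface dmz
```

With the service policy attached to the dmz interface only, the encrypted outside-to-VIP leg never reaches the SSM, so the module's capacity is spent on the traffic it can actually inspect.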
Yes, I see your point.
I feel sorry for the physical interface that will see traffic twice on its subinterfaces, but I believe this is a valid scenario given your restrictions.
This is a valid design and it should work.
The ASA will be seeing the traffic twice, and the interface that is in front of the LB will see the incoming traffic from the LB twice, so I am not sure it is efficient. Please check how much traffic the interfaces will be seeing to see if the ASAs can handle it.
Since the LB will be the one actually pulling pages and talking to your servers why don't you have him go through the ASA but the outside users not going through it when talking to the LB?
If you are worried for DOS against the LB and you don't have another firewall to use then I guess it is valid design.
I hope it helps.