ASA AIP-SSM design consideration

Answered Question
Jan 13th, 2010

Hello

I would appreciate it if anyone can please suggest.

We have 2 ASA 5520s with SSM modules in. Behind the ASAs there is a CSS load balancer. This load balancer has an SSL module and an SSL certificate installed. Since the communication from the Internet to the load balancer VIP is SSL, what the SSM module can monitor is limited, since everything is encrypted.

The communication between the LB and the server farm is not encrypted, but there is no IPS in between. Can you suggest whether someone has used the design below?

int 1(public) ----ASA1----- LB 1 (dmz interface) -------- inside interface of ASA1 ( inside) where all web server resides

Hence the traffic comes in on port 443 for the VIP address. A static on ASA 1 forwards the traffic to its DMZ interface where LB 1 resides; then the traffic from LB 1 goes unencrypted to the inside interface where the whole web server farm resides. By doing so we can configure the SSM module to monitor the traffic from the LB to the web server farm, since it passes between the 2 interfaces of the ASA, and we can also have an access-list on the ASA allowing traffic only between the LB and the web servers.

Will this be a concern for ASA performance?

Is this a recommended design?

Thanks

Correct Answer
Panos Kampanakis Wed, 01/13/2010 - 15:15

This is a valid design and it should work.

The ASA will be seeing the traffic twice, and the interface that is in front of the LB will see the incoming traffic from the LB twice, so I am not sure it is efficient. Please check how much traffic the interfaces will be seeing to see if the ASAs can handle it.

Since the LB will be the one actually pulling pages and talking to your servers, why don't you have it go through the ASA, but the outside users not go through it when talking to the LB?

If you are worried about DoS against the LB and you don't have another firewall to use, then I guess it is a valid design.

I hope it helps.

PK

followurself Thu, 01/14/2010 - 03:44

Thanks for the email.

I am not sure how to give the rating here?

What I am thinking is to create a trunk interface on the ASA, connect one more interface from the CSS (LB) to that switch, and have all servers connected to the switch in a different VLAN with their gateway being the ASA. This way 2 interfaces of the CSS will be used, one to receive and one to send, with tagging on the ASA.

Thanks

Correct Answer
Panos Kampanakis Thu, 01/14/2010 - 06:40

Yes, I see your point.

I feel sorry for the physical interface that will see traffic twice on its subinterfaces, but I believe this is a valid scenario given your restrictions.

PK

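The design the thread settles on, as an added configuration example that is not from the original poster, the answerer or Cisco: one ASA with outside, dmz and inside interfaces, a static translation that sends Internet HTTPS to the CSS VIP on the DMZ, an access-list that lets only the load balancer reach the web farm, and a modular policy that hands the decrypted LB-to-farm traffic to the AIP-SSM inline. The pre-8.3 NAT syntax matches the 2010 date of the thread; every address, interface name, VLAN ID and object name below is assumed. The second part shows the trunk variant from the follow-up post, with dmz and inside as subinterfaces of a single physical interface.

```cisco
! Added example, not the poster's configuration. ASA pre-8.3 syntax assumed;
! all addresses, names and VLAN IDs are placeholders.
!
! --- Part 1: three physical interfaces -------------------------------------
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.20.20.1 255.255.255.0
!
! Public address 203.0.113.10 is statically translated to the CSS VIP
! (10.10.10.10) on the DMZ, so HTTPS from the Internet lands on the LB.
! The sensor cannot read this leg; it is still TLS at this point.
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! After SSL termination the CSS sources plaintext HTTP toward the farm.
! Only that flow is allowed from the DMZ into inside, so the LB is the sole
! host permitted to reach the web servers.
object-group network WEB_FARM
 network-object 10.20.20.0 255.255.255.0
access-list DMZ_IN extended permit tcp host 10.10.10.10 object-group WEB_FARM eq 80
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Send only the decrypted LB-to-farm traffic through the AIP-SSM inline.
! fail-open keeps the site up if the module fails; use fail-close if
! inspection must never be bypassed. Applying the policy on dmz rather than
! globally keeps the encrypted Internet-to-VIP stream out of the sensor.
access-list IPS_TRAFFIC extended permit tcp host 10.10.10.10 object-group WEB_FARM eq 80
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map DMZ_POLICY
 class IPS_CLASS
  ips inline fail-open
service-policy DMZ_POLICY interface dmz
!
! --- Part 2: trunk variant from the follow-up post --------------------------
! dmz and inside become 802.1Q subinterfaces of one physical port facing a
! switch; the CSS has one port in VLAN 10 and one in VLAN 20, and the web
! servers sit in VLAN 20 with 10.20.20.1 (the ASA) as their gateway.
! The NAT, access-list and service-policy lines above apply unchanged because
! they reference the nameif, not the physical interface.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.20.20.1 255.255.255.0
```

In the trunk variant every LB-to-server packet enters the ASA on one subinterface and leaves on the other subinterface of the same physical port, so that port carries the decrypted traffic twice; this is the efficiency cost the answers point out. After cutover, compare the per-interface rates from `show traffic` and the sensor counters from `show service-policy` against the platform's rated throughput before deciding whether the single-port design holds up under peak load.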