ASA / AIP-SSM design consideration

followurself (Level 1)

Hello

I will appreciate it if anyone can please suggest.

We have 2 ASA 5520s with SSM modules in. Behind the ASA there is a CSS load balancer. This load balancer has an SSL module and an SSL certificate installed. Since the communication from the internet to the load balancer VIP is SSL, the SSM module configured to monitor the communication is limited since everything is encrypted.

The communication between the LB and the server farm is not encrypted, but there is no IPS in between. Can you suggest if someone has used the below design?

int 1(public) ----ASA1----- LB 1 (dmz interface) -------- inside interface of ASA1 ( inside) where all web server resides

Hence the traffic comes in on port 443 for the VIP address. A static on ASA 1 forwards the traffic to its dmz interface where LB 1 resides, then the traffic from LB 1 goes unencrypted to the inside interface where the whole web server farm resides. By doing so we can configure the SSM module to monitor the traffic from the LB to the web server farm, since it is between the 2 interfaces of the ASA, and we can also have an access-list on the ASA allowing traffic only between the LB and the web servers.

Will this be a concern for ASA performance?

Is this a recommended design?

Thanks


3 Replies

Panos Kampanakis (Cisco Employee)

This is a valid design and it should work.

The ASA will be seeing the traffic twice, and the interface that is in front of the LB will see the incoming traffic from the LB twice, so I am not sure it is efficient. Please check how much traffic the interfaces will be seeing to see if the ASAs can handle it.

Since the LB will be the one actually pulling pages and talking to your servers, why don't you have it go through the ASA but not have the outside users go through it when talking to the LB?

If you are worried about DoS against the LB and you don't have another firewall to use, then I guess it is a valid design.

I hope it helps.

PK

Thanks for the email.

I am not sure how to give the rating here?

What I am thinking is to create a trunk interface on the ASA, connect one more interface from the CSS (LB) to that switch and have all servers connected to the switch in a different VLAN with their gateway being the ASA. This way 2 interfaces of the CSS will be used, one to receive and one to send, with tagging on the ASA.

Thanks
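The following is an added illustration, not configuration from this thread or from Cisco, of how the design discussed above (the original DMZ/inside layout, and the trunk variant with the web farm on a second VLAN) could be expressed in ASA 8.2-style CLI: a static publishing the LB VIP on TCP/443, an ACL that lets only the LB reach the web farm on the cleartext port, and a class-map that hands exactly those decrypted flows to the AIP-SSM. All addresses, VLAN IDs, interface names and object names are constructed placeholders.

```cisco
! Outside-facing interface (constructed addressing)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Trunk towards the switch; the physical port itself carries no IP
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! VLAN 10: the CSS load balancer (SSL terminates here)
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! VLAN 20: the web server farm, default gateway is the ASA
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.20.20.1 255.255.255.0
!
object-group network WEB_FARM
 network-object host 10.20.20.11
 network-object host 10.20.20.12
!
! Publish the LB VIP: TCP/443 on the outside address maps to the CSS VIP in the DMZ
static (dmz,outside) tcp 203.0.113.2 443 10.10.10.10 443 netmask 255.255.255.255
!
! Internet users may only reach the published HTTPS service
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.2 eq 443
access-group OUTSIDE_IN in interface outside
!
! Only the LB may talk to the web farm, and only on the cleartext HTTP port
access-list DMZ_IN extended permit tcp host 10.10.10.10 object-group WEB_FARM eq 80
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Send just the decrypted LB -> web farm flows to the AIP-SSM, inline so that
! IPS blocks actually take effect; fail-close drops traffic if the module is down
access-list IPS_TRAFFIC extended permit tcp host 10.10.10.10 object-group WEB_FARM eq 80
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
service-policy global_policy global
```

The IPS class matches only the DMZ-to-inside path, so the still-encrypted outside-to-LB traffic is not needlessly sent to the module; that is also the path the thread identifies as the one worth inspecting. As noted in the replies, every client request still crosses the ASA twice (once encrypted to the VIP, once in cleartext to the farm), so the subinterfaces on GigabitEthernet0/1 see both legs and the box should be sized for roughly double the front-end throughput. Whether to use `fail-close` or `fail-open` depends on whether availability of the web farm or inspection coverage is the bigger concern when the SSM restarts.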

Yes, I see your point.

I feel sorry for the physical interface that will see the traffic twice on its subinterfaces, but I believe this is a valid scenario given your restrictions.

PK
