Dual Firewall Design&Routing - Diagram attached

Dean-VA · ‎09-03-2010

We need to implement a dual firewall (ASA’s) solution to provide some connectivity between 2 separate Networks that are in the same physical location. Each firewall will have an interface connected to a switch. The switch will be configured with two layer-2 VLAN’s, and each firewall interface will serve as the Layer-3 for the VLAN.

Just to give you an idea, clients on VLAN-20 will need access to resources on Network-B, but they will not have access to Network-A. Clients on VLAN-10 might need access to both Networks.

I just can’t figure out the best way to route the traffic between all of these networks. I will have to add static routes on Network-A Core since it doesn’t run any routing protocols, which is fine. I am just trying to figure a way to run a routing protocol for the rest of the setup. The switch where the firewalls are connected to is a Layer-3, and will be able to run BGP,OSPF, etc. I have the ability if I want to run BGP and neighbor the router on Network-B, but I just can’t figure out how to extend the routing to the ASA’s.

I know this sound confusing, but hopefully you get the idea.

Your input will be much appreciated.

Jon Marshall · ‎09-03-2010

isalem wrote:

We need to implement a dual firewall (ASA’s) solution to provide some connectivity between 2 separate Networks that are in the same physical location. Each firewall will have an interface connected to a switch. The switch will be configured with two layer-2 VLAN’s, and each firewall interface will serve as the Layer-3 for the VLAN.

Just to give you an idea, clients on VLAN-20 will need access to resources on Network-B, but they will not have access to Network-A. Clients on VLAN-10 might need access to both Networks.

I just can’t figure out the best way to route the traffic between all of these networks. I will have to add static routes on Network-A Core since it doesn’t run any routing protocols, which is fine. I am just trying to figure a way to run a routing protocol for the rest of the setup. The switch where the firewalls are connected to is a Layer-3, and will be able to run BGP,OSPF, etc. I have the ability if I want to run BGP and neighbor the router on Network-B, but I just can’t figure out how to extend the routing to the ASA’s.

I know this sound confusing, but hopefully you get the idea.

Your input will be much appreciated.

It's not clear whether your firewalls are in a pair or whether one serves one vlan and one the other. From the look of the diagram it looks like they are in a pair ?

Also if you have a L3 switch but the vlan interfaces are on the firewall(s) then there is little point running a routing protocol on the internal L3 switch which hosts vlan 10 & 20.

Either use statics on the ASAs or run OSPF on them and redistribute the BGP routes into OSPF on the MPLS router.

I'm assuming you are not running multi context on the ASA devices.

Jon

Dean-VA · ‎09-03-2010

Hi Jon and thanks for responding.

The firewalls are not in pair and will function as two independent firewalls. I haven't decided 100% yet, but most likely one will serve each vlan, and no multi context on the firewalls.

I thought about the OSPF on the ASA's, but I can't run it on the MPLS BGP router. I am trying to figure out a way where I can utilize the Layer-3 switch, but I am just not sure how. I would consider having the layer-3 vlan interfaces on the switch instead of the firewall, but I don't want to open up access between the vlans, etc.

Jon Marshall · ‎09-03-2010

What is the Network B core switch ? Is it a L3 switch ?

How do the BGP routes learnt by your MPLS router get to internal routers or are you not redistributing.

Do you have a big issue with statics ? - there aren't that many devices and it could be a solution especially as the ASAs are not a pair.

Out of interest why are they not a pair as this would give you more redundancy ?

Jon

Dean-VA · ‎09-03-2010

It's a layer-2, but the ISR above it does the L-3 vlan routing.

As of today, Network B is not connected, but the router on the diagram (network -B) is the CE router so it has all the BGP routes for the rest of the network.

I can do statics, but they put no effort in designing the IP scheme for network B, it's almost impossible to summerize anything. They used public IP's (but that's a different story). I will probably need to add over 50 static routes to cover everything.

The reason they are not in pair is because management feels better about having 2 firewalls infront of Network-B. It's mainly political reason

martin_knorre · ‎09-04-2010

It's not 100% clear to me

But I think you would build up a DMZ (LAN) between the 2 ASAs ??

If so, I would configure a Layer 3 Switch with Static Routing, if you have only some clients in the Network its not necessary to build up an OSPF Area, or BGP. Btw BGP is not supported on the ASA. Therefore build up a standalone network with a 3750g in the DMZ and setup static routing

Hope that helps,

Martin

Dean-VA · ‎09-06-2010

Thanks all! I guess I will just use static routing.

One last question. How do you recommend connecting the firewalls in dual setup? Would a cross-over cable do the job or is it better to use the switch?

Thanks

Jon Marshall · ‎09-06-2010

isalem wrote:
Thanks all!  I guess I will just use static routing.
One last question.  How do you recommend connecting the firewalls in dual setup?  Would a cross-over cable do the job or is it better to use the switch?
Thanks

Re the static routing. If you have a lot of public IPs to route to on network B don't forget you can use a default-route for Network B and then the more specific routes for Network A, assuming Network A has less routes to specify.

As for failover you can use either to be honest. If you have 2 switches each connected to the an ASA then lan based failover works fine, if you have only switch then that is a single point of failure and if it fails then both firewalls can think they are active.

Jon