CBAC with multiple inspection rules


Hi,


My customer is moving from an ASA/PIX IPsec hub-and-spoke network to a DMVPN network with Cisco 2921/881 routers.


All the security (ACL/CBAC) will be managed at the hub site on the Cisco 2921. I attach a simplified drawing of the hub interface topology:


CBACTopology.jpg

As you can see on the drawing there are 5 active interfaces on the Cisco 2921:


LAN INT

DMZ INT

VIRTUAL INT

TUNNEL INT

WAN INT


All the interfaces have ACLs applied in the inbound direction. So I have the following ACLs:


INSIDE_OUT for LAN INT (manages traffic from LAN to DMZ, Internet, DMVPN and to remote VPN clients)

DMVPN_INSIDE_OUT for TUNNEL INT (manages traffic from DMVPN to LAN and to WAN)

VIRTUAL_INSIDE_OUT for VIRTUAL INT (manages traffic from remote VPN users to LAN, DMVPN and WAN)

DMZ_INSIDE_OUT for DMZ INT (open for ICMP towards the Internet and to a server on the LAN)

INSIDE_IN for WAN INT (denies everything apart from ICMP, ESP, ISAKMP, etc.)


Right now I have the following 2 CBAC rules:


IP INSPECT NAME IN_OUT applied outbound on WAN INT

IP INSPECT NAME OUT_IN_DMZ applied inbound on WAN INT (in order to let traffic initiated from the Internet come back from the DMZ)


But now I am thinking that, to make all the interface traffic stateful like on an ASA, I should configure an inspect rule inbound on each interface. Or am I completely wrong?


For example, if I want a LAN server to talk to a server on the DMZ, I should inspect traffic inbound on the LAN, right, to let traffic from the DMZ go back to the LAN? Which means I need a third inspect rule, no?



Regards,

Laurent

Correct Answer by Marcin Latosiewicz (Cisco Employee), Wed, 09/22/2010 - 15:42

Laurent,


Ideally you would do inspection on all interfaces inbound.


However I think you're trying to overcomplicate things (if I may say so).


Your problem would be resolved by adding a stateful firewall on your design and terminating for example remote access VPN on it.


This would help greatly decrease the load on the DMVPN routers in case of a spike or future growth, and would let you do actual packet filtering in a stateful way on a device which was actually meant to be stateful.


I'll attach a picture in a moment of what I'm thinking of.


Marcin



edit: adding hastily done diagram.
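The "inspection on all interfaces inbound" model Marcin points to, written out for the five interfaces in Laurent's question. This is an added illustration, not Laurent's or Marcin's configuration: the ACL and inspect names IN_OUT, OUT_IN_DMZ, INSIDE_OUT, DMZ_INSIDE_OUT, DMVPN_INSIDE_OUT, VIRTUAL_INSIDE_OUT and INSIDE_IN come from the thread, while the interface names, addresses, port numbers and the new inspect names LAN_IN, DMZ_IN, TUN_IN and VIRT_IN are assumptions. It answers the LAN-to-DMZ case directly: the inspect rule sits inbound on the LAN interface, and the reply from the DMZ is admitted by the CBAC session, not by a static line in DMZ_INSIDE_OUT.

```cisco
! Added example (not from the original post). Interface names, addresses
! and the *_IN inspect names are assumptions; ACL names are from the thread.
!
! One inspect rule per inside-facing interface, applied INBOUND: CBAC records
! the session as the first packet enters and then admits the return traffic
! past the inbound ACL of whichever interface that return traffic arrives on.
ip inspect name LAN_IN tcp
ip inspect name LAN_IN udp
ip inspect name LAN_IN icmp
ip inspect name DMZ_IN tcp
ip inspect name DMZ_IN udp
ip inspect name DMZ_IN icmp
ip inspect name TUN_IN tcp
ip inspect name TUN_IN udp
ip inspect name TUN_IN icmp
ip inspect name VIRT_IN tcp
ip inspect name VIRT_IN udp
ip inspect name VIRT_IN icmp
! Existing rule from the thread: Internet-initiated sessions toward the DMZ.
ip inspect name OUT_IN_DMZ tcp
ip inspect name OUT_IN_DMZ udp
!
interface GigabitEthernet0/0
 description LAN INT
 ip address 10.1.1.1 255.255.255.0
 ip access-group INSIDE_OUT in
 ip inspect LAN_IN in
!
interface GigabitEthernet0/1
 description DMZ INT
 ip address 192.168.100.1 255.255.255.0
 ip access-group DMZ_INSIDE_OUT in
 ip inspect DMZ_IN in
!
interface Tunnel0
 description TUNNEL INT (DMVPN mGRE)
 ip access-group DMVPN_INSIDE_OUT in
 ip inspect TUN_IN in
!
interface Virtual-Template1 type tunnel
 description VIRTUAL INT (remote-access users; Virtual-Access inherits this)
 ip access-group VIRTUAL_INSIDE_OUT in
 ip inspect VIRT_IN in
!
interface GigabitEthernet0/2
 description WAN INT
 ip address 203.0.113.10 255.255.255.248
 ip access-group INSIDE_IN in
 ip inspect OUT_IN_DMZ in
!
! DMZ inbound ACL stays as described in the thread: ICMP out and one LAN
! server. Replies to LAN-initiated sessions need no static permit here; the
! LAN_IN session created on Gi0/0 lets them through.
ip access-list extended DMZ_INSIDE_OUT
 permit icmp 192.168.100.0 0.0.0.255 any
 permit tcp 192.168.100.0 0.0.0.255 host 10.1.1.50 eq 1433
 deny   ip any any log
!
! WAN inbound ACL: IKE and ESP for the DMVPN spokes and RA clients must be
! permitted statically; CBAC never opens them, they are not inspected flows.
ip access-list extended INSIDE_IN
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 permit icmp any host 203.0.113.10 echo-reply
 deny   ip any any log
!
! Check: open a TCP session from a LAN host to a DMZ server, then
!   show ip inspect sessions
!   show ip access-lists DMZ_INSIDE_OUT
! The session appears in the first command and the dynamic entry for the
! reply appears ahead of the static lines in the second.
```

With every inside interface inspecting inbound, the outbound IN_OUT rule on the WAN interface covers sessions that LAN_IN, TUN_IN and VIRT_IN already track, so I would remove it rather than inspect the same sessions twice. Note what this does not give you: GRE, ESP and IKE are not stateful-inspected by CBAC and still rely on the static permits in INSIDE_IN, and the session table is local to this router, which is what Marcin's proposal to move the stateful policy to an ASA is about.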


Hi Marcin,


thanks a lot for your diagram and the drawing. Actually I forgot to tell you that we have redundant hubs at the hub location.

So I attach a more complete diagram of the setup right now:




As you can see, the ASA is still running and working and it is the DG for the Internet, LAN and DMZ right now. The ASA also has some IPsec site-to-site tunnels to some spokes. What we are doing here is replacing the old PIX at each branch location with a Cisco 881 which is connected to the DMVPN. When all remote locations are replaced with 881s, so all branches are connected to the DMVPN and no longer to the ASA, we will remove the ASA, change the DMZ DG to the HSRP DMZ VIP and the ip route on the Cisco 3750 to point to the HSRP LAN VIP. Then it should work ;-)


We use IP SLA on HUB1 to track the connection to the Internet. If the connection is lost, HUB2 becomes HSRP active for DMZ and LAN.



So do you think this design could be improved? You suggest using the ASA to manage the security, but here there are 2 hub routers; could it still be possible to do that?


Regards,

Laurent

Marcin Latosiewicz (Cisco Employee), Thu, 09/23/2010 - 06:25

Laurent,


Disclaimer: Below is my opinion not a Cisco best practice.


Frankly this design is giving me a headache when it comes to interpreting security policy ;-)


While overall your migration path makes sense, I would still consider the ASA to be a better place to apply security policies than a router, and all security would be centralized + you would not need to mesh LAN/DMZ etc. cables to all devices.


What I had in mind is all three devices (ASA and two routers) having direct connectivity to the Internet,


plus a separate connection where the ASA would run OSPF or EIGRP (whatever you run in the DMVPN cloud) to exchange routing information with the DMVPN cloud and advertise DMZ and LAN to DMVPN.

Ideally you'd have two ASAs in failover of course to provide redundancy for LAN and DMZ.


You'd have a bit more flexibility + centralized security policy.


The problem with running two routers, even in HSRP, is that NAT is not stateful by default, plus a problem if the active fails: firewall flows are not replicated to the standby.


Marcin
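The HSRP-with-IP-SLA tracking that Laurent describes, written out on HUB1, with the caveat Marcin raises noted where it bites. This is an added illustration, not configuration from the thread: the SLA and track numbers, HSRP group numbers, priorities, timers and all addresses (including the probe target 203.0.113.254) are assumptions.

```cisco
! Added example (not from the original post). All numbers and addresses
! are assumptions.
!
! Probe the ISP next hop from the WAN interface every 10 s.
ip sla 1
 icmp-echo 203.0.113.254 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Turn the probe into a tracked object; damp flaps so a single lost echo
! does not move the VIPs.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! HUB1 is preferred (110); losing the probe drops it to 90, below HUB2's
! default priority of 100, so HUB2 takes over LAN and DMZ together.
interface GigabitEthernet0/0
 description LAN INT
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
interface GigabitEthernet0/1
 description DMZ INT
 ip address 192.168.100.2 255.255.255.0
 standby 2 ip 192.168.100.1
 standby 2 priority 110
 standby 2 preempt
 standby 2 track 1 decrement 20
!
! HUB2 carries the same groups with "standby N priority 100" and
! "standby N preempt" and no tracking.
!
! Caveat (Marcin's point): the CBAC session table ("show ip inspect
! sessions") and the NAT table ("show ip nat translations") exist only on
! the router that built them. After the VIPs move, HUB2 has no entry for
! any session in progress, so its inbound ACLs drop the next packet of
! every established flow until the hosts start new sessions.
```

The decrement must be larger than the priority gap (here 20 > 10), otherwise the track fires and nothing moves. Tracking only the Internet path means a LAN or DMZ link failure on HUB1 is handled by the per-interface HSRP group on that link alone, so the two VIPs can end up on different routers; whether that is acceptable depends on the routing between them.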

Marcin,


Now I understand what you mean with your design, sorry I am a bit slow :-)


I think your design is really good and you are completely right when you say that my design gives you a headache! :-)


The best, as you say, is to let the routers do the routing while the ASA manages the security. But I guess I have to implement VRF on the routers to separate the global and the DMVPN routing tables. I didn't know that the ASA could run EIGRP, as I am using EIGRP in the DMVPN.


Give me a few days and I will come back to you with a drawing.


Thanks a lot for your help! I rate this post to the max.


Best regards,

Laurent

Marcin Latosiewicz (Cisco Employee), Thu, 09/23/2010 - 13:23

Laurent,


Regarding the VRF idea, you could easily terminate traffic in one (global?) VRF and use an iVRF for routing inside DMVPN and to the ASA. In fact it would be a neat solution. In the case of tunnel protection it's GRE which is doing the VRF handoff:

http://isamology.blogspot.com/2010/01/ipsec-and-vrfs-so-whos-doing-vrf.html


If in the end you decide to go this way, check how/if you want to integrate your RA IPsec users (DVTI being recommended).


Marcin
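The VRF handoff Marcin describes, on one hub router, together with the ASA side of the EIGRP exchange from his earlier post. This is an added illustration, not configuration from the thread or the linked blog: the VRF name FVRF, the keyring/profile names, addresses, EIGRP AS number and interface names are assumptions, and the pre-shared key and NHRP key are placeholders. The Internet-facing interface and the IPsec/GRE endpoint live in a front-door VRF; the GRE tunnel's inside sits in the global table, so the only path from the Internet into the global table is through a decrypted tunnel.

```cisco
! Added example (not from the original post). Names, addresses, AS number
! and keys are assumptions; <redacted> marks placeholder secrets.
!
ip vrf FVRF
 rd 65000:1
!
! IKE/IPsec for the DMVPN cloud, bound to the front-door VRF.
crypto keyring DMVPN-KEYS vrf FVRF
 pre-shared-key address 0.0.0.0 0.0.0.0 key <redacted>
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp profile DMVPN-ISAKMP
 keyring DMVPN-KEYS
 match identity address 0.0.0.0 FVRF
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-ISAKMP
!
! WAN interface in FVRF: the Internet default route exists only here.
interface GigabitEthernet0/2
 description WAN INT (FVRF)
 ip vrf forwarding FVRF
 ip address 203.0.113.10 255.255.255.248
 ip access-group INSIDE_IN in
ip route vrf FVRF 0.0.0.0 0.0.0.0 203.0.113.9
!
! mGRE hub: outer header in FVRF ("tunnel vrf"), inner addressing in the
! global table. GRE is what carries packets across the VRF boundary.
interface Tunnel0
 description DMVPN hub, inside = global table
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication <redacted>
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel vrf FVRF
 tunnel protection ipsec profile DMVPN-PROF
!
! Transit link to the ASA, global table; no LAN/DMZ cabling on the hub.
interface GigabitEthernet0/3
 description transit to ASA
 ip address 10.255.0.1 255.255.255.252
!
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.255.0.0 0.0.0.3
 no auto-summary
!
! --- ASA (separate device, ASA 8.x syntax; masks, not wildcards) ---
! Learns the DMVPN spoke routes over the transit link and advertises LAN
! and DMZ into the cloud; the outside interface never speaks EIGRP.
router eigrp 100
 network 10.255.0.0 255.255.255.252
 network 10.1.1.0 255.255.255.0
 network 192.168.100.0 255.255.255.0
 passive-interface outside
```

With this split, INSIDE_IN on the FVRF interface only has to permit ISAKMP, NAT-T and ESP to the hub address: there is no route from FVRF into the global table, so nothing else from the Internet can reach LAN, DMZ or the spokes except as decrypted tunnel traffic that then crosses the ASA. The hub's own CBAC rules become unnecessary; the ASA holds the single stateful policy and, if a second ASA is added in failover, the one the flows survive a hub failure on.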
