ACE Security design question

dclee
Level 1

We currently use 2 ACE 4710's in active standby mode in our DMZ to terminate all inbound SSL connections to backend web servers.

To date this has worked well.

The Ace's are in one arm mode hanging off one of our Firewall DMZ interfaces.

I also use one ACE 4710 internally to load balance our Exchange environments. This has also worked well.

But

I would like to move the Exchange load balancing to our ACE cluster in the DMZ and repurpose the internal ACE for our LAB.

From a design perspective, are there any security concerns sending our Exchange traffic through the firewall to the DMZ ACEs, which are internet facing?

Of course the ASA will be handling all of the ACLs, so I don't see a problem with the design.

Was looking for advice / opinions

Cheers


Dave

4 Replies

pablo.nxh
Level 3

Hi Dave,

Personally I don't see any flaw in doing this. Assuming that currently your SMTP traffic is flowing from the ASA outside interface to the inside interface, then to the internal ACE VIP and from there to your servers: if this is the case, then moving your Exchange servers to the DMZ will only require a small NAT/routing configuration change on your ASA, plus replicating the configuration from ACE to ACE, taking the IP changes into account.

The other (unlikely) scenario is that SMTP traffic is not going through the ASA and is somehow routed directly from the internet-facing router to the ACE. In this case you'll be adding security to the connection, which is just great!

I feel that most of the considerations need to be made from an ASA point of view (security-level wise); on the ACE side, no biggie!

HTH


Pablo

Here is what we are looking to do for internal client mail connections

Dave,

I don't see a problem with your new design; just keep in mind you'll be moving to what's called "routed" mode, so the DMZ ACE needs to be configured with an IP from the internal VLAN. You can either configure the current connection between the ASA and ACE as a trunk, or just connect one of the ACE ports to the internal switch.

You'll need source NAT performed on the ACE to avoid asymmetric routing, especially for requests coming from the internal VLAN (reverse proxy).

HTH


Pablo
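As an added illustration of the source-NAT point in the reply above (this is not Pablo's or Cisco's configuration, and the VLAN number, addresses and object names are assumed placeholders): a one-arm ACE 4710 context where internal clients hit an Exchange VIP on their own VLAN, and the ACE rewrites the client source address so the server's reply comes back through the ACE instead of going straight to the client.

```cisco
! Added example, not from the thread. VLAN 20, all 10.10.20.x addresses and
! the names below are assumed placeholders.
access-list ALL line 10 extended permit ip any any
! Real servers (Exchange client access servers) on the internal VLAN
rserver host CAS1
  ip address 10.10.20.11
  inservice
rserver host CAS2
  ip address 10.10.20.12
  inservice
! Health probe so a failed server is taken out of rotation
probe tcp TCP-443
  port 443
  interval 10
  faildetect 3
  passdetect interval 30
serverfarm host SF-EXCH-HTTPS
  probe TCP-443
  rserver CAS1 443
    inservice
  rserver CAS2 443
    inservice
! VIP that internal clients (and the ASA, for external users) connect to
class-map match-all VIP-EXCH-HTTPS
  2 match virtual-address 10.10.20.50 tcp eq https
policy-map type loadbalance first-match LB-EXCH-HTTPS
  class class-default
    serverfarm SF-EXCH-HTTPS
policy-map multi-match VIPS
  class VIP-EXCH-HTTPS
    loadbalance vip inservice
    loadbalance policy LB-EXCH-HTTPS
    ! Source NAT: the client source IP is replaced by the pool address on
    ! VLAN 20, so the server replies to the ACE (symmetric path), not to
    ! the client directly.
    nat dynamic 1 vlan 20
! Single one-arm interface: VIP, NAT pool and servers all live on VLAN 20
interface vlan 20
  ip address 10.10.20.5 255.255.255.0
  access-group input ALL
  nat-pool 1 10.10.20.60 10.10.20.60 netmask 255.255.255.255 pat
  service-policy input VIPS
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.20.1
```

Without the `nat dynamic` line, a server on the same VLAN as the client would answer the client directly, the client would receive a reply from an address it never connected to and drop it, and the ACE would only ever see half of each flow.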

Jorge Bejarano
Level 4

Hey David,

How are you?

I hope everything is good in Canada!

Your plan looks good and should go well!

Jorge
