Cisco Support Community

New Member

ASA CX traffic flow for remote offices (with AD identity)

Hello there,

I am designing web security for a customer with central and remote offices. All remote locations will be connected over DMVPN. Users in remote locations are Active Directory joined. What I am struggling with are two dilemmas:

1. AD users in remote locations will need to pass the ASA CX web filtering policies in the central location. How is the traffic from the remote locations going to be switched? Will all the Internet traffic from the remote locations have to traverse the VPN up to the central location and go out through the central location's Internet link, or will only the web policy be checked against the remote AD users, with the Internet traffic switched over the local Internet link in the remote locations?

 

2. For this scenario, from the routing point of view, what would be the best design for the central location? Should the router terminate the DMVPN traffic first, with the ASA CX placed behind the router, or would I need an external ASA (DMZ services are required), then the DMVPN router, and again an internal ASA with CX?

 

Thanks a lot for your suggestions.

Remi

ACCEPTED SOLUTION
Hall of Fame Super Silver

Yes, Scansafe CWS relies on

Yes, Scansafe CWS relies on the Cisco-hosted cloud-based service. It cannot be handled in the sort of proxy method you asked about.

You're right that if, as your situation requires, going through the hub-site DMVPN router is necessary, then getting the Internet-bound traffic from remote-office end users to the ASA for inspection and policy enforcement is problematic.

I suppose you could use a VRF. Another idea that comes to mind would be policy-based routing. With PBR you could just direct all Internet-bound traffic from those remote office subnets to the ASA inside interface where they could get the full benefit of the NGFW policy enforcement.

5 REPLIES
Hall of Fame Super Silver

For the CX to inspect traffic

For the CX to inspect traffic it will have to be diverted to the module by a service-policy in the ASA. If you want a central CX to do that for you, then all of your Internet-bound DMVPN traffic will have to be routed into and through the ASA.

Have you considered an alternate approach such as perhaps using Scansafe Cloud Web Security for the remote users and then allowing their Internet-bound traffic to go out locally?
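The two mechanisms described in this thread, policy-based routing on the hub router to push remote-office Internet traffic at the ASA inside interface, and an ASA service-policy that diverts the matched flows to the CX module, fit together as below. This is an added example, not configuration from the thread, from Cisco documentation, or from the original poster; all names and addresses (remote-office LANs 10.20.0.0/16, hub router 10.1.1.1 and ASA inside 10.1.1.2 on a shared segment, interface and object names) are assumptions for illustration.

```cisco
! ---- Hub router (IOS), hypothetical addressing ----
! Remote-office LANs (10.20.0.0/16) arrive over the DMVPN mGRE tunnel.
! The ASA inside interface (10.1.1.2) sits on the same segment as the
! hub router's Gi0/1 (10.1.1.1), so it is a valid PBR next hop.
!
ip access-list extended SPOKE-INTERNET-BOUND
 remark Leave spoke-to-hub and spoke-to-spoke (RFC 1918) traffic on normal routing
 deny   ip 10.20.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 remark Everything else from the remote offices is Internet-bound: hand it to the ASA
 permit ip 10.20.0.0 0.0.255.255 any
!
route-map SPOKE-TO-ASA permit 10
 match ip address SPOKE-INTERNET-BOUND
 set ip next-hop 10.1.1.2
!
! PBR applies only to packets that enter through this interface, so traffic
! the ASA later sends toward the Internet is not policy-routed a second time.
interface Tunnel0
 description DMVPN hub mGRE interface (tunnel source, NHRP, etc. as already configured)
 ip policy route-map SPOKE-TO-ASA
!
! ---- ASA with CX module (ASA 9.1 syntax), hypothetical addressing ----
! Return route for the remote-office LANs, back through the hub router.
route inside 10.20.0.0 255.255.0.0 10.1.1.1
!
! The ASA is now the Internet edge for those offices, so PAT them on the way out.
object network REMOTE-OFFICE-LANS
 subnet 10.20.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! Divert the remote-office flows to the CX. Matching all IP (not just tcp/80 and 443)
! lets the CX apply application-visibility policy as well as URL filtering.
access-list CX-REDIRECT extended permit ip 10.20.0.0 255.255.0.0 any
!
class-map CX-TRAFFIC
 match access-list CX-REDIRECT
!
policy-map global_policy
 class CX-TRAFFIC
  cxsc fail-close auth-proxy
!
service-policy global_policy global
```

Two points a practitioner will want to check in the lab. First, `fail-close` drops the matched traffic if the CX module is down; given that the remote offices are supposed to reach only an approved set of sites, that is the safer choice over `fail-open`, which would let the traffic through uninspected. Second, if you add `set ip next-hop verify-availability` with an IP SLA track to the route-map so that the hub router notices a dead ASA, remember that the fallback when the next hop is unreachable is normal routing, which on this hub router means the default route straight to the Internet; that is a fail-open path and needs to be weighed against the filtering requirement. The `auth-proxy` keyword lets the CX actively authenticate users when it has no passive AD user-to-IP mapping for a source address.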

New Member

Thanks a lot Marvin. This

Thanks a lot Marvin. This service is a Cisco-hosted service, correct? Can this be run locally on the centralized ASA with cloud licensing, with the ISR G2 remote routers talking to the ASA?

You see, in the remote locations all the Internet traffic will be blocked except for some websites needed for work purposes, so I was thinking of redirecting all the remote locations' traffic through the VPN and the centralized ASA, since all the remote users authenticate to AD. This could be difficult, though, because in my design the hub VPN router is before the ASA (both are in the central location). So how do I redirect all the Internet traffic from the VPN to the ASA and back to the VPN router, since this router has a default route to the Internet and could route the Internet traffic before even passing it to the ASA? Should I enable VRFs?

 

Thanks,

Remi


New Member

Policy-based routing sounds

Policy-based routing sounds like a solution I would go for, only need to test it in the lab.

Thanks a lot for this clue!

Can I ask you a favor and have you look at my other post on designing security services with ASAs? I would much appreciate your valuable input on that.

"ASA NG 5515-X multicontext support for WSE/AVC and IPS"

Best regards,

Remi

New Member

Hi Marvin, Hope you're doing

Hi Marvin,

Hope you're doing well. We had this conversation a while back but I hope you can help me with a small doubt I have and something tells me you are the guy who knows lots of stuff on ASA.

I am designing a site-to-site VPN with ASA 5512-X firewalls. The main site will have an ASA with CX web and application filtering, with AD-based users authenticating to the ASA CX. The remote-site users are AD-based users as well, talking to the AD server in the main site over the VPN.

What I want to achieve is that the remote AD users are web-filtered on the ASA CX in the main site (the remote-site ASA CX will not have the license), but the Internet traffic goes out locally at the remote site, without the whole traffic flowing back and forth between the sites, only the CX authentication. Is that possible?

I know you can easily achieve remote-site CX authentication with the Internet traffic going out at the main site. The scenario with the remote-site traffic going first to the main site (over the VPN), coming back to the remote site and going out of the local Internet connection at the remote site does not make much sense, but it would be very interesting if at the remote site I could do a remote proxy (ASA CX at the main site) while the Internet traffic would not cross the VPN but would be routed locally.

In case this is possible with ASA in the remote site would it also be possible with a router in the remote site?

Please advise Marvin and hopefully you can get back to me very soon.

Best regards,

Remi
