lap
Community Member

CBAC with multiple inspection rules

Hi,

My customer is moving from an ASA/Pix IPsec Hub and Spoke network to a DMVPN network with 2921/881.

All the security (ACL/CBAC) will be managed at the Hub site on the Cisco 2921. I attach a simplified drawing of the HUB interface topology:

CBACTopology.jpg

As you can see on the drawing there are 5 active interfaces on the Cisco 2921:

LAN INT

DMZ INT

VIRTUAL INT

TUNNEL INT

WAN INT

All the interfaces have ACLs applied on them in the inbound direction. So I have the following ACLs:

INSIDE_OUT for LAN INT (manages traffic from LAN to DMZ, Internet, DMVPN and to remote VPN clients)

DMVPN_INSIDE_OUT for TUNNEL INT (manages traffic from DMVPN to LAN and to WAN)

VIRTUAL_INSIDE_OUT for VIRTUAL INT (manages traffic from remote VPN users to LAN, DMVPN and WAN)

DMZ_INSIDE_OUT for DMZ INT (open for ICMP towards the Internet and to a server on the LAN)

INSIDE_IN for WAN INT (deny everything apart from ICMP, ESP, ISAKMP, etc.)

Right now I have the 2 following CBAC rules:

IP INSPECT NAME IN_OUT applied outbound on WAN INT

IP INSPECT NAME OUT_IN_DMZ applied inbound on WAN INT (in order to let traffic initiated from the Internet back from the DMZ)

But now I am thinking that, to make all the interface traffic stateful like on an ASA, I should configure an inspect rule inbound on each interface, or am I completely wrong?

For example, if I want a LAN server to talk to a server on the DMZ, I should inspect traffic inbound on the LAN, right, to let traffic from the DMZ go back to the LAN? Which means I need a third inspect rule, no?

Regards,

Laurent
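The per-interface layout the question describes, written out as an added IOS configuration example (this is not the poster's configuration or Cisco's recommendation; the interface names and numbers, the Virtual-Template number and the protocol list in each inspect rule are assumptions; the ACL and inspect names are the ones named in the post). The point it shows is the one asked about: a CBAC rule applied inbound on an inside-facing interface inspects the sessions that interface originates and opens the return path through the inbound ACL of whichever interface the reply arrives on, so with an ACL inbound on every interface, one inspect rule inbound on every interface is the stateful-everywhere equivalent of an ASA, and the outbound rule on the WAN interface becomes redundant:

```ios
! Added example, not the thread's own config. Interface names are assumed.
!
! Generic inspection list reused on every inside-facing interface.
ip inspect name IN_OUT tcp
ip inspect name IN_OUT udp
ip inspect name IN_OUT icmp
!
! Sessions started from the Internet towards published DMZ servers
! (the post's OUT_IN_DMZ rule); the INSIDE_IN ACL decides which
! ports are reachable, inspection only tracks the sessions it permits.
ip inspect name OUT_IN_DMZ tcp
ip inspect name OUT_IN_DMZ udp
!
! LAN: INSIDE_OUT says what the LAN may start; inspecting the same
! traffic inbound opens the return path through DMZ_INSIDE_OUT,
! DMVPN_INSIDE_OUT, VIRTUAL_INSIDE_OUT or INSIDE_IN as needed.
interface GigabitEthernet0/0
 description LAN INT (assumed interface)
 ip access-group INSIDE_OUT in
 ip inspect IN_OUT in
!
! DMZ: lets the DMZ's own ICMP to the Internet and to the LAN server
! get its replies back, without a static permit in INSIDE_OUT or INSIDE_IN.
interface GigabitEthernet0/1
 description DMZ INT (assumed interface)
 ip access-group DMZ_INSIDE_OUT in
 ip inspect IN_OUT in
!
interface Tunnel0
 description TUNNEL INT, DMVPN (assumed interface)
 ip access-group DMVPN_INSIDE_OUT in
 ip inspect IN_OUT in
!
interface Virtual-Template1 type tunnel
 description VIRTUAL INT, remote-access VPN (assumed interface)
 ip access-group VIRTUAL_INSIDE_OUT in
 ip inspect IN_OUT in
!
! WAN: only inbound inspection is left; the old "ip inspect IN_OUT out"
! is no longer needed because every inside interface inspects inbound.
interface GigabitEthernet0/2
 description WAN INT (assumed interface)
 ip access-group INSIDE_IN in
 ip inspect OUT_IN_DMZ in
```

To confirm the third rule is doing its job, start a connection from the LAN to the DMZ server and check `show ip inspect sessions`: the session should appear with GigabitEthernet0/0 as the initiating interface, and the reply from the DMZ should pass even though DMZ_INSIDE_OUT has no line permitting it. `show ip inspect config` lists which interfaces carry which rule, which is the quickest way to spot an interface that still has an ACL but no inspection (its sessions will go out and never come back).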

1 ACCEPTED SOLUTION
Cisco Employee

Re: CBAC with multiple inspection rules

Laurent,

Ideally you would do inspection on all interfaces inbound.

However I think you're trying to overcomplicate things (if I may say so).

Your problem would be resolved by adding a stateful firewall on your design and terminating for example remote access VPN on it.

This would help greatly decrease load from DMVPN routers in case of spike or future growth and would let you do actual packet filtering in a stateful way on a device which was actually meant to be stateful.

I'll attach a picture in a moment of what I'm thinking of.

Marcin

edit: adding hastily done DIA.

5 REPLIES
lap
Community Member

Re: CBAC with multiple inspection rules

Hi Marcin,

Thanks a lot for your diagram and the drawing. Actually I forgot to tell you that we have a redundant HUB at the HUB location.

So I attach a more complete diagram of the setup right now:


As you can see the ASA is still running and working and it is the DG for Internet, LAN and DMZ right now. The ASA also has some IPsec site-to-site tunnels to some spokes. What we are doing here is that we are replacing the old PIX at each branch location with a Cisco 881 which is connected to the DMVPN. When all remote locations are replaced with 881s, so all branches are connected to the DMVPN and no longer to the ASA, we will remove the ASA, change the DG of the DMZ to the HSRP DMZ VIP and the ip route on the Cisco 3750 to point to the HSRP LAN VIP. Then it should work ;-)

We use IP SLA on HUB1 to track the connection to the Internet. If the connection is lost, HUB2 becomes HSRP active for DMZ and LAN.

So do you think that this design could be improved? You suggest using the ASA to manage the security, but here there are 2 hub routers; could it still be possible to do that?

Regards,

Laurent

Cisco Employee

Re: CBAC with multiple inspection rules

Laurent,

Disclaimer: Below is my opinion not a Cisco best practice.

Frankly this design is giving me a headache when it comes to interpreting security policy ;-)

While overall your migration path makes sense, I would still consider the ASA to be a better place to apply security policies than the router; all security would be centralized + you would not need to mesh LAN/DMZ etc. cables to all devices.

What I had in mind is all three devices (ASA and two routers) having direct connectivity to the Internet.

A separate connection where the ASA would run OSPF or EIGRP (whatever you run in the DMVPN cloud) to exchange routing information with the DMVPN cloud and advertise DMZ and LAN to DMVPN.

Ideally you'd have two ASAs in failover of course to provide redundancy for LAN and DMZ.

You'd have a bit more flexibility + centralized security policy.

Problem with running two routers even in HSRP is that NAT is not stateful by default + problem if active fails - firewall flows are not replicated to standby.

Marcin

lap
Community Member

Re: CBAC with multiple inspection rules

Marcin,

Now I understand what you mean with your design, sorry I am a bit slow :-)

I think your design is really good and you are completely right when you say that my design gives you a headache! :-)

The best, as you say, is to let the routers do the routing while the ASA manages the security. But I guess I have to implement VRF on the routers to separate the global and the DMVPN routing tables. I didn't know that the ASA could run EIGRP, as I am using EIGRP in the DMVPN.

Give me a few days and I will come back to you with a drawing.

Thanks a lot for your help! I rate this post to the max.

Best regards,

Laurent

Cisco Employee

Re: CBAC with multiple inspection rules

Laurent,

Regarding the VRF idea, you could easily terminate traffic in one (global?) VRF and use an iVRF for routing inside DMVPN and to the ASA. In fact it would be a neat solution. In case of tunnel protection it's GRE which is doing the VRF handoff:

http://isamology.blogspot.com/2010/01/ipsec-and-vrfs-so-whos-doing-vrf.html

If in the end you will decide to go this way - check how/if you want to integrate your RA IPsec users (DVTI being recommended).

Marcin
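The iVRF arrangement mentioned above, as an added IOS example (not the poster's or Cisco's configuration): the IPsec/GRE transport terminates in the global table on the WAN interface, and the mGRE tunnel plus the link towards the ASA live in an inside VRF, so the DMVPN routes and the global Internet routes never share a table. The VRF name, RD, interface numbers, addresses, NHRP network-id, tunnel key and EIGRP autonomous system are assumptions, and the `crypto ipsec profile DMVPN` referenced by `tunnel protection` is assumed to exist already:

```ios
! Added example, not from the thread. VRF name, addresses, interface
! numbers and EIGRP AS are assumed; crypto ipsec profile DMVPN is assumed
! to be defined elsewhere.
ip vrf INSIDE
 rd 100:1
!
! Transport: tunnel source and IPsec peer address stay in the global table,
! so no "tunnel vrf" (fVRF) is needed on Tunnel0.
interface GigabitEthernet0/2
 description WAN INT, global routing table (assumed interface)
 ip address 203.0.113.1 255.255.255.252
!
! The mGRE tunnel itself is placed in INSIDE: the outer GRE/IPsec packet is
! routed in global, the decapsulated payload is routed in INSIDE. That is
! the hand-off GRE performs with tunnel protection.
interface Tunnel0
 description DMVPN hub, inside VRF (assumed interface)
 ip vrf forwarding INSIDE
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
! Hand-off link towards the ASA, also in INSIDE; the ASA runs EIGRP 100
! on its side and is where LAN and DMZ policy is applied.
interface GigabitEthernet0/1
 description link to ASA, inside VRF (assumed interface)
 ip vrf forwarding INSIDE
 ip address 10.255.0.1 255.255.255.252
!
router eigrp 100
 address-family ipv4 vrf INSIDE autonomous-system 100
  network 10.0.0.0 0.0.0.255
  network 10.255.0.0 0.0.0.3
  no auto-summary
```

`show ip route vrf INSIDE` should then show the spoke prefixes learned over Tunnel0 and the LAN/DMZ prefixes learned from the ASA, while `show ip route` (global) contains only the WAN and peer addresses, which is the separation the post is after. Remote-access IPsec users would need the same decision: a DVTI whose Virtual-Template also carries `ip vrf forwarding INSIDE` keeps them on the ASA side of the policy boundary.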
