The requirement is to design a two-layered defense architecture.
The first logical layer shall include:
a) Cisco ASA with CSC-SSM first, and then
b) Cisco ASA with AIP-SSM
(No server farms are placed between the CSC-SSM and the AIP-SSM.)
The second layer shall include:
a) FWSM in a CAT6500
My query is: since all the necessary access-lists/NAT will be configured on the Cisco ASA with CSC-SSM (Internet edge), should the access-list on the ASA with AIP-SSM be 'permit ip any any', and then divert all traffic to the AIP-SSM? Or should there be any additional firewall configuration on the ASA with AIP-SSM?
On the ASA-CSC: URL filtering and packet filtering, which means ACLs that permit and deny based on L3 IPs and L4 ports, and NATing as required.
Try as much as possible to reduce the number of places where NAT is applied in your layered topology. I mean, if you do NATing in each firewall it is going to be a complex topology and hard to troubleshoot in the future.
After you have done packet and URL filtering,
go to the second security layer,
which is the ASA-AIP.
On this one, inspect the permitted traffic from the edge firewall (ASA-CSC) and do whatever inline inspection you want through this firewall and the AIP module.
Finally, on the FWSM, do more specific filtering and NATing if required, based on your servers.
Keep in mind that with the FWSM all traffic is denied by default, even from higher-level to lower-level interfaces, unlike the ASA, so you need, for example, a permit statement in an ACL applied on the inside interface to allow traffic to flow through the firewall, and so on.
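The three-stage design described in the answer above, written out as an added configuration sketch. This is not from the original post or from Cisco documentation; the interface names, VLANs, addresses (203.0.113.0/24, 10.1.0.0/16), the single published HTTPS server and the ASA 8.2-style NAT syntax are all assumptions chosen to illustrate the point that L3/L4 policy and NAT live once, at the edge, the middle ASA passes everything and only inspects, and the FWSM carries the per-server rules plus the explicit inside-to-outside permits it requires.

```cisco
! ---- Layer 1a: Internet-edge ASA with CSC-SSM (all ACLs, the only NAT point, URL/content filtering)
! Assumed addressing: outside 203.0.113.1, inside 10.1.0.1, published server 10.1.10.10 (NAT to 203.0.113.10)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! Only the published service is reachable from the Internet; everything else is dropped and logged here
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! NAT is done once, at the edge (ASA 8.2-style syntax, assumed); the inner firewalls route without NAT
static (inside,outside) 203.0.113.10 10.1.10.10 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
!
! Divert web and mail flows to the CSC-SSM for URL/content scanning
! fail-open: if the CSC module is down, traffic still passes (the ACLs above still apply)
access-list csc_acl extended permit tcp any any eq www
access-list csc_acl extended permit tcp any any eq smtp
class-map csc_class
 match access-list csc_acl
policy-map global_policy
 class csc_class
  csc fail-open
service-policy global_policy global

! ---- Layer 1b: second ASA with AIP-SSM (no NAT, no L3/L4 policy of its own, inline IPS on everything)
! Assumed addressing: outside 10.1.0.2 (facing the edge ASA), inside 10.1.1.1 (facing the FWSM)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.0.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! The edge ASA already decided what is allowed; this box just passes it (still statefully) and inspects it
access-list outside_in extended permit ip any any
access-group outside_in in interface outside
!
! Every flow goes through the AIP-SSM inline; fail-close drops traffic if the sensor fails (choose fail-open
! if availability matters more than guaranteed inspection)
class-map ips_class
 match any
policy-map global_policy
 class ips_class
  ips inline fail-close
service-policy global_policy global

! ---- Layer 2: FWSM in the Catalyst 6500 (server-specific policy)
! Assumed VLANs: Vlan2 towards the AIP ASA (10.1.1.2), Vlan10 is the server farm (10.1.10.0/24)
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
! Per-server rule: only HTTPS to the one published host
access-list outside_in extended permit tcp any host 10.1.10.10 eq 443
access-group outside_in in interface outside
!
! FWSM denies everything by default, including inside -> outside (high -> low), so the server's own
! outbound needs (here: DNS to an assumed resolver 10.1.0.53) must be permitted explicitly
access-list inside_out extended permit udp host 10.1.10.10 host 10.1.0.53 eq domain
access-list inside_out extended deny ip any any log
access-group inside_out in interface inside
```

Two points worth checking when you build it this way: the middle ASA's `permit ip any any` does not turn it into a router, it still tracks TCP state and drops out-of-state packets, so a second permit is cheap; and `fail-close` on the IPS class is a deliberate availability trade, since a failed AIP-SSM takes the whole path down, whereas the edge's `csc fail-open` does not. Keep NAT at the edge only, as the answer advises, so that the ACLs on the inner two boxes refer to real server addresses and troubleshooting needs no address translation.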