Cisco Support Community
New Member

FW-Configuration

Hi,

Need help on the configuration part of the attached FW-Design, or can anyone suggest what would be the best security design in terms of a DC network.

29 REPLIES
VIP Green

FW-Configuration

What type of routers are the CE routers?

I am assuming that the ASAs will be configured in an Active/Standby failover?

Is DMZ-2 providing redundancy for DMZ-1?

I would suggest moving the DMZ1 and DMZ2 switches to the N5K switches as this will provide a better HA design.  Have a link from both switches go towards each of the N5K switches and then configure those ports in an etherchannel on the DMZ switches and a vPC on the N5K switches.

Are the L2 switches between the ASA and the CE routers stacked?  If not then I would have two links between the L2 switches configured in an etherchannel.

Between the ASAs I would use the 10Gb interfaces for failover and state links.  Then (depending on how many 10Gb ports you have) I would double up the ports to each switch.  Keep in mind this depends greatly on whether the L2 switches are able to be stacked or support vPC or VSS.

--
Please remember to rate and select a correct answer

New Member

FW-Configuration

Hi,

Pls. find my answer below:

point no. 1: Router Model is 3945E

point no. 2: yes, I would like to configure ASA as Active/Standby

point no. 3: yes, DMZ-1 and DMZ-2 are in the same DMZ stack switches

point no. 4: Moving the DMZ to the N5k (I'm OK with that), but as of now the design has separate DMZ switches

point no.5:Yes, L2 Sw between ASA and CE is stacked

point no. 6: For 10G port I need to check whether 5585-x will have one or two 10G port.

Pls. let me know if you need any more information.

New Member

FW-Configuration

Hi,

Another piece of information: there will be 3 ISPs connected to the CE routers.

VIP Green

Re: FW-Configuration

So there will be a 3rd router or will one of the routers have two ISP connections?

But here is a design I would like you to consider.  It is not very different from yours but perhaps seen from another perspective with a few changes.

The routers have a link to the ISPs and one link to the L2 switch stack.  One router has a link to one switch, the other router has a link to the second switch.  The inside interfaces are configured with HSRP.  I suggest not using two links from each router to the switch stack as bridging the interfaces on the router will add unneeded complexity and make things more difficult to troubleshoot.

The switch stack in turn has two links to each ASA.  Each ASA has one link going to each L2 switch and is configured as a portchannel.  The ASAs also have 2 links going between them for failover and state.  Each ASA has a link that goes to each of the N5K switches and is configured in a portchannel.  The nexus switches are configured with vPC and have 3 links between them; 1 link is for the vPC keepalive and the two others are configured in a portchannel and provide data flow between the switches.  Depending on your security requirements, the nexus switches can be configured with several VRFs.  Inter-VRF routing must go through the ASA but routing within each VRF is allowed without going through the ASA.

From here, the nexus switches have a link to each switch in the DMZ stack and these links are in a vPC on the nexus switches and configured as a portchannel on the DMZ switch stack.

For security, each trunk should have a dedicated unused native vlan and all allowed VLANs should be manually configured to be allowed over the trunk.

--
Please remember to rate and select a correct answer

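As an added example (not configuration from this thread), this is what the N5K side of the design described above could look like on one of the two Nexus switches: the vPC domain with its keepalive kept off the peer-link, the two-link peer-link, a vPC port-channel towards the ASA, and the trunk to the DMZ stack shown first with the default settings and then hardened with a dedicated unused native VLAN and an explicit allowed-VLAN list. The interface numbers, VLAN IDs, vPC domain number and keepalive addresses are all assumptions.

```cisco
! Added example for N5K-1 of the pair; not configuration from this thread.
! Assumed: vPC domain 10, keepalive over mgmt0 (192.168.255.1/30, peer .2),
! Eth1/1-2 = peer-link, Eth1/3 = link to the ASA, Eth1/4 = link to the DMZ
! stack, server VLANs 10 and 20, DMZ VLAN 30, VLAN 999 = unused native VLAN.
feature lacp
feature vpc

vlan 10,20,30
vlan 999
  name UNUSED-NATIVE

interface mgmt0
  ip address 192.168.255.1/30

vpc domain 10
  role priority 100
  ! the keepalive must never ride the peer-link; the thread's dedicated third
  ! link (as a routed port in its own VRF) works equally well here
  peer-keepalive destination 192.168.255.2 source 192.168.255.1 vrf management

! the two data links between the N5Ks form the peer-link port-channel
interface Ethernet1/1-2
  switchport mode trunk
  channel-group 1 mode active
  no shutdown

interface port-channel1
  switchport mode trunk
  switchport trunk native vlan 999
  spanning-tree port type network
  vpc peer-link

! one link from each N5K to the ASA; the ASA bundles them with LACP
! (channel-group ... mode active on both ends)
interface Ethernet1/3
  description ASA Port-channel1 member
  switchport mode trunk
  channel-group 10 mode active
  no shutdown

interface port-channel10
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 10,20
  vpc 10

! --- trunk to the DMZ stack, BEFORE: native VLAN 1 and every VLAN allowed ---
! interface port-channel20
!   switchport mode trunk
!   vpc 20
! --- AFTER: unused native VLAN, only the DMZ VLAN allowed ---
interface Ethernet1/4
  description DMZ stack member
  switchport mode trunk
  channel-group 20 mode active
  no shutdown

interface port-channel20
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 30
  vpc 20
```

Because VLAN 999 is not in any allowed list, untagged frames arriving on a trunk are simply dropped, which is the point of the dedicated native VLAN; it also means a server VLAN can never be reached from the DMZ trunk unless someone deliberately adds it to the allowed list on both N5Ks. The second switch carries the mirror of this configuration with its own addresses and the same vPC numbers.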
New Member

FW-Configuration

Hi,

As per your design, the ASAs are not cross-connecting to the L2 switches.

Another point as per your design: there will be no security implemented between internal servers connected directly to the 5k and the DMZ.

Can you check this and suggest.

New Member

FW-Configuration

There won't be any 3rd router; it will be like 1:2 or 2:1 connections.

VIP Green

FW-Configuration

As per your design, the ASAs are not cross-connecting to the L2 switches.

Incorrect, since the switches are stacked they will be seen as one switch with regards to the ASAs.  Therefore one cable goes to switch1 the other to switch 2, but make sure to configure them in the same portchannel.

Another point as per your design: there will be no security implemented between internal servers connected directly to the 5k and the DMZ.

Maybe I did not make this very clear in my description above.  Keep in mind that this is not a complete design document and you will need to figure out some things for yourself based on your requirements.  I am just trying to give you some ideas that you might want to use.

The servers can be placed in either VRFs or in VLANs (again depending on your requirements and the scale of the deployment).  I would suggest VRFs.  They allow you to route directly between subnets within the same VRF and then you can force all traffic through the ASA for inter-VRF communication.

If you place the servers in VLANs then you cannot have SVIs within the same default VRF configured on the N5K switches as this will be doing the routing between the VLANs.

--
Please remember to rate and select a correct answer

New Member

FW-Configuration

Hi,

I would like to implement several VLANs depending on the server categories on both N5Ks with HSRP. What about context configuration on the 5585-X?

New Member

FW-Configuration

Hi,

Can you give me a context-based solution for this design?

-> There will be two DMZ networks to be connected via L2 switches to the FW.

-> Two Internet RTW connected via an L2 switch.  The Internet RTW are to be connected to 3 different ISPs.

-> Another two MPLS RTW connected directly to the FW, to be connected to two MPLS service providers.

VIP Green

FW-Configuration

You would not need any contexts on the ASA unless you have specific security requirements that dictate this.  You can regulate traffic by using ACLs.

--
Please remember to rate and select a correct answer

New Member

Re: FW-Configuration

Hi,

Got it, thanks. I have added another link to the FW for the MPLS link, so I redesigned it a little bit.  Can you check and help me with how to implement this solution?

Attached is the modified design.  In total I think 8 1G ports and 2 10G ports are available on this FW model (5585-X).  I think it's sufficient to connect individual links.

Please help me on the configuration part.

VIP Green

Re: FW-Configuration

In total I think 8 1G ports and 2 10G ports are available on this FW model (5585-X).  I think it's sufficient to connect individual links.

You can set it up this way, that each device has its own port into the ASA.  Will the DMZ switches have redundant links to the ASA?  Keep in mind that if you do find that you require more ports, a cost effective way of doing things is to connect the devices to the N5K switches and then have them separated by either using VLANs or VRFs, and then send all traffic through the ASA for filtering.

I have added another link to the FW for the MPLS link, so I redesigned it a little bit.  Can you check and help me with how to implement this solution?

As I mentioned above I would suggest using the N5K to connect the MPLS routers and then send them through a VLAN to the ASA for filtering.  If it is a security requirement that these routers have to be connected directly to the ASA then there really is no choice but to connect them directly to the ASAs.

--
Please remember to rate and select a correct answer

New Member

FW-Configuration

Hi

Thanks for your suggestion,

But as of now I can see there are enough ports in the FW to connect all devices individually as given below:

1 is going to n5k-1 (inside)

2 is going to DMZ SW (inside-dmz)

3 is going to L2 Sw at Internet side (outside)

4 is going to MPLS RTW ( outside)

5 & 6 are for failover

So I will still have 2 ports extra, so I think it's better for all links to be directly connected to the FW.  I am thinking from the easy-configuration point of view.

VIP Green

FW-Configuration

If we are following your diagram we are missing two ports.  So your ports should be as follows:

1Gb ports

--------------

1 is going to n5k-1 (inside)

2 is going to n5k-2 (inside)

3 is going to DMZ SW (inside-dmz)

4 is going to L2 Sw-01 at Internet side (outside)

5 is going to L2 Sw-02 at Internet side (outside)

6 is going to MPLS RTW ( outside)

10Gb ports

---------------

7 & 8 are for failover

This is fine and you have enough ports for this.  I am suggesting using the 10Gb for failover as the state replication will require a high speed link to provide as much of a seamless failover as possible.

--
Please remember to rate and select a correct answer

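The Active/Standby failover pair over the two 10Gb ports, written out as an added example that is not configuration from this thread. It assumes the 5585-X's 10Gb ports are TenGigabitEthernet0/8 and 0/9 (check with "show interface ip brief" on the actual SSP), and that the failover and state subnets (192.168.250.0/30 and 192.168.251.0/30) are private point-to-point links that are never routed.

```cisco
! Added example, not the thread's configuration. Assumed: the two 10Gb ports
! are TenGigabitEthernet0/8 (failover LAN) and 0/9 (state), subnets
! 192.168.250.0/30 and 192.168.251.0/30. Enter on the primary unit; the
! secondary gets "failover lan unit secondary", the same interface, ip and key
! lines, then "failover".
interface TenGigabitEthernet0/8
 description failover LAN link to peer ASA
 no shutdown
!
interface TenGigabitEthernet0/9
 description stateful failover (state replication) link to peer ASA
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK TenGigabitEthernet0/8
failover interface ip FOLINK 192.168.250.1 255.255.255.252 standby 192.168.250.2
!
! dedicated state link, so connection/xlate replication never starves the
! failover hellos that decide who is active
failover link STATELINK TenGigabitEthernet0/9
failover interface ip STATELINK 192.168.251.1 255.255.255.252 standby 192.168.251.2
!
! the key encrypts what crosses these links: the full configuration
! (credentials included) and state tables. Use a real shared secret.
failover key REPLACE-WITH-SHARED-SECRET
!
! enable last, after both links are up on both units
failover
```

With the state link on 10Gb, existing TCP sessions survive a failover; the 1Gb data ports stay dedicated to the N5K, DMZ, Internet and MPLS links exactly as in the port list above.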
New Member

FW-Configuration

Hi,

You are right.

Can you help me to prepare a sample configuration for this scenario if you have time.

Note: There are two CE RTW.

VIP Green

FW-Configuration

I am sorry, but I am strapped for time at the moment.  I can help you with bits and pieces of the configuration, but providing a full sample will be too time consuming.

If you post your configurations, or have questions about specific portions I can help you out.

--
Please remember to rate and select a correct answer

New Member

FW-Configuration

Hi,

I am OK, take your time. In the meantime I will prepare a sample config for your review.

New Member

Re: FW-Configuration

Hi, could you please check the interface configuration? First I am trying to complete the interface configuration, then I will go for the rest.

VIP Green

Re: FW-Configuration

How many VLANs will you have on the N5K switches?  If you have more than 1 VLAN on them you will need to trunk the link to the ASA, meaning you will need subinterfaces on the ASA for the ports that go to the N5K switches.

--
Please remember to rate and select a correct answer

New Member

FW-Configuration

Hi,

There are a lot of VLANs in the n5k.  I would like to configure a default route to the FW primary address from the n5k instead of VLANs configured on the FW; will it work?

Example: an inside VLAN will be configured between the FW and the n5k, or a port-channel between the FW and the n5k.

The same for outside also.  Is it feasible?

VIP Green

FW-Configuration

This will not work.  Each VLAN will have its own subnet and therefore will require a default gateway within that subnet or (in certain configurations) require a route to the default gateway IP.  In your setup you will need to use sub-interfaces on the ASA; each sub-interface will have an IP within the subnet of a specific VLAN and that IP will be the default gateway for clients on that VLAN.

--
Please remember to rate and select a correct answer

New Member

FW-Configuration

Hi,

If I configure all VLAN sub-interfaces on the FW, it would be huge processing on the FW; then what is the use of the Nexus (it has high throughput and backplane capacity)?

My points are:

> All VLAN SVIs will be configured on the n5k as HSRP, so all servers will point to the n5k HSRP virtual IP address.

> Internal traffic will be routed within the n5k.

> Only external traffic will go to the FW.

> For the external route I will put a default route on the n5k towards the FW IP address.
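The four points above, written out as an added example (not configuration from this thread) for one N5K plus the matching ASA routing. It assumes server VLANs 10 (172.16.10.0/24) and 20 (172.16.20.0/24), a transit VLAN 100 (10.10.10.0/24) between the N5K pair and the ASA port-channel, the ASA inside address 10.10.10.1 that appears later in the thread, an N5K HSRP VIP of 10.10.10.3 on the transit VLAN, and that the N5Ks have the Layer 3 module (the design already relies on N5K routing). It also adds the piece the four points leave out: the ASA has no interface in the server VLANs, so it needs return routes to them via the N5K VIP or it drops every reply.

```cisco
! ===== N5K-1 (added example, not the thread's configuration) =====
! N5K-2 is identical except for its SVI addresses (.3) and a lower priority.
! Assumed VLANs/subnets: 10 = 172.16.10.0/24, 20 = 172.16.20.0/24,
! 100 = 10.10.10.0/24 transit to the ASA (ASA = .1, N5K-1 = .2, VIP = .3).
feature interface-vlan
feature hsrp

vlan 10
  name SERVERS-WEB
vlan 20
  name SERVERS-DB
vlan 100
  name TRANSIT-ASA

! server default gateways live here: servers point at the HSRP VIP (.1)
interface Vlan10
  no shutdown
  ip address 172.16.10.2/24
  hsrp 10
    preempt
    priority 110
    ip 172.16.10.1

interface Vlan20
  no shutdown
  ip address 172.16.20.2/24
  hsrp 20
    preempt
    priority 110
    ip 172.16.20.1

! transit SVI towards the ASA; the ASA routes back to the VIP, not to .2/.3,
! so a failed N5K does not strand the firewall's return path
interface Vlan100
  no shutdown
  ip address 10.10.10.2/24
  hsrp 100
    preempt
    priority 110
    ip 10.10.10.3

! VLAN 10 <-> VLAN 20 is routed on the N5K and never reaches the ASA;
! only traffic with no more specific route is handed to the firewall
ip route 0.0.0.0/0 10.10.10.1

! ===== ASA (same "inside" Port-channel1 as later in the thread) =====
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Return routes: without these the ASA has no route to the server subnets
! and drops both the replies to outbound flows and any inbound DMZ/Internet
! traffic destined for them.
route inside 172.16.10.0 255.255.255.0 10.10.10.3 1
route inside 172.16.20.0 255.255.255.0 10.10.10.3 1
```

The trade-off is the one the thread keeps returning to: with this layout the ASA inspects only what the N5K chooses to send it, so server-to-server traffic between VLANs 10 and 20 is never filtered or logged by the firewall. If a VLAN must be inspected, it has to be moved behind the ASA (a sub-interface, or a separate VRF whose only exit is the firewall).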

VIP Green

FW-Configuration

If you do not require any traffic filtering / security between your LAN subnets then there is no problem doing that.

--
Please remember to rate and select a correct answer

New Member

FW-Configuration

Hi,

I do not require filtering within the LAN.  To/from external I need the FW.

I think now it's possible.  If you have time pls. check my interface config, and if possible pls. update it and let me know.

VIP Green

FW-Configuration

You are missing the redundant links to the N5K and the L2 switches (these would need to be in a portchannel).  Also, you would need the following command to allow traffic between the MPLS interface and the N5K since they have the same security level:

same-security-traffic permit inter-interface

--
Please remember to rate and select a correct answer

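What that command does and does not do, as an added example rather than configuration from this thread: the MPLS and inside interfaces share security level 100, so the ASA drops traffic between them until same-security-traffic is permitted; once permitted, that traffic is no longer blocked by security level at all, so an interface ACL is what keeps the MPLS side from reaching everything. It assumes the MPLS router sits on GigabitEthernet0/5 (port 6 in the port list above), a transit subnet 10.20.30.0/24 with the MPLS CE at .2, remote MPLS sites in 10.30.0.0/16, and the server subnets 172.16.10.0/24 and 172.16.20.0/24 behind the N5K pair via the inside port-channel (10.10.10.1, with the N5K HSRP VIP at .3).

```cisco
! Added example, not the thread's configuration. Assumed names, levels and
! addresses as described in the lead-in.
interface GigabitEthernet0/5
 nameif mpls
 security-level 100
 ip address 10.20.30.1 255.255.255.0
 no shutdown
!
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
route mpls 10.30.0.0 255.255.0.0 10.20.30.2 1
route inside 172.16.0.0 255.255.0.0 10.10.10.3 1
!
! Both interfaces are level 100. Without the next line the ASA drops every
! packet between them, whatever the ACLs say.
same-security-traffic permit inter-interface
!
! The permit is not a filter: it only lifts the same-level block. From here on
! mpls <-> inside flows freely until an interface ACL restricts it, so pin down
! what the MPLS sites may reach and log what they may not.
object-group network DC-SERVERS
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
!
access-list MPLS_IN extended permit tcp 10.30.0.0 255.255.0.0 object-group DC-SERVERS eq 443
access-list MPLS_IN extended permit icmp 10.30.0.0 255.255.0.0 object-group DC-SERVERS echo
access-list MPLS_IN extended deny ip any any log
access-group MPLS_IN in interface mpls
```

The alternative is to give the MPLS interface a lower security level than inside (say 50) and skip the same-security-traffic command altogether: the ASA's default then already denies MPLS-to-inside until an ACL permits it, while inside-to-MPLS is allowed. Either way the ACL, not the security level, should be what documents the intended MPLS access.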
New Member

FW-Configuration

Hi,

Can you add the redundant link configuration on the FW to the n5k and the L2 switches?

I am not sure what would be the exact port configuration between the FW and the n5k and between the FW and the L2 switches.

Please add it to my config_notepad.

VIP Green

FW-Configuration

You would need to configure the ASA and the N5K as portchannels.

ASA

interface GigabitEthernet0/1
 no shutdown
 ! ASA requires the mode keyword; active = LACP, matching the N5K vPC port-channel
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 no shutdown
 channel-group 1 mode active
!
! Port-channel1 carries a trunk to the N5K: one subinterface per VLAN,
! each with its own nameif, security level and gateway IP
interface Port-channel1.10
 vlan 10
 security-level 100
 nameif inside
 ip address 10.10.10.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 security-level 90
 nameif inside2
 ip address 20.20.20.1 255.255.255.0

--
Please remember to rate and select a correct answer

New Member

FW-Configuration

Hi,

This configuration shows the VLANs are created on the FW (the client's default gateway is the FW), but I wanted to configure the VLANs on the n5k (the client's default gateway would be the n5k, and the n5k will forward traffic to the FW based on whether inspection is required or not; suppose some VLANs don't require going via the FW and some do).

Thanks a lot for helping.  If you could give the FW-to-L2 configuration also...

VIP Green

FW-Configuration

Then just remove the subinterfaces.

interface GigabitEthernet0/1
 no shutdown
 ! mode keyword is required on the ASA; active = LACP, same as the N5K end
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 no shutdown
 channel-group 1 mode active
!
! Port-channel1 is now a single routed interface on one transit subnet;
! the N5K SVIs/HSRP stay the servers' default gateway
interface Port-channel1
 security-level 100
 nameif inside
 ip address 10.10.10.1 255.255.255.0

(The client's default gateway would be the n5k, and the n5k will forward traffic to the FW based on whether inspection is required or not; suppose some VLANs don't require going via the FW and some do.)

This is why I have suggested using VRFs several times.  But this is your choice.  I feel VRFs would be easier to use with regards to traffic separation (that is a personal preference).

--

Please remember to rate and select a correct answer
