Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
286
Views
5
Helpful
3
Replies

Need some direction on FW Redundancy and opening ports

Mark Mattix
Level 2
Level 2

‎08-07-2013 01:00 PM - edited ‎03-11-2019 07:23 PM

I would appreciate any advice on the current ways of connecting 2 Firewalls directly for redundancy and also the best practice for allowing data through the firewall. Do firewalls have a stacking technology similar to StackWise or FlexStack? I need to allow specific ports through my network into another private network. Although this won't be connected to the internet the same type of security as if it were, is important. Sorry if this is a generic question but what methods would be best for allowing data to and from through my network firewall? I would grealty appreciate any sample configurations (I don't plan on configuring zones) or documentation on the current way of allowing these functions. Thanks for your help!

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎08-07-2013 01:40 PM

Hi,

There are 2 different options to my knowledge to have firewall redundancy with Cisco firewalls.


The most common one is Active/Standby Failover which you have 2 identical (hardware & software) Cisco firewalls connected by a Failover link. One of the the firewalls is the Active unit and handles traffic while the other unit is Standby monitoring the state of the Active device (and vice versa). When the Active unit fails the Standby unit will take the Active role.

Another option is Active/Active which basically means that you would be running multiple virtual Firewalls inside the actual hardware firewall. Some virtual firewalls would be Active on hardware unit 1 and some virtual firewalls would be Active unit would be Active on hardware unit 2. Hence the term Active/Active, both firewalls would be handling traffic.

ASA 9.0 Configuration Guide section on Failover

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_overview.html

The second and new option is Cluster setup where you essentially combine multiple identical firewalls together. This is a subject though that I have not gotten to test myself so my knowledge is very limited. Though to my understanding this is available only with high end ASA5585-X units so it might not be an option for most.

ASA 9.0 Configuration Guide section on Cluster

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html

So most likely you will be using Active/Standby Failover with 2 identical Cisco firewalls.

Their configuration format compared to a standalone firewall doesnt differ much.

  • You will configure a "standby" IP address also on the ASA that will be the IP address that the Standby unit uses
  • You will configure the actual Failover interface
  • You will configure general Failover related settings
  • You can tune the Failover settings and define which interfaces are monitored (and can effect the Failover) and set some other additional parameters

So there is not that much to configure compared to the standalone Cisco firewall setup.

Your post seems to indicate that this firewall or firewall pair would be used for Internal network usage. I mean a firewall between 2 LAN/DMZ networks. This would in turn mean that unless you specifically need NAT between these network segments, you could actually leave the NAT configuration of the firewall completely blank and only configure the Routing&Firewalling related settings.

How you would configure access between the 2 different network segments would naturally depend on your own setup.

From what I understood from your above post it would seem to me that you should configure ACLs on both interfaces connected to their own network segments. These ACLs would be configured in Inbound direction (which would control traffic heading towards the firewall from that segment and into the other segment). You could then configure both ACLs in the manner that ONLY the required source/destination IP addresses/networks/ports are allowed and all other traffic is blocked.

I am not really sure what kind of example configuration we could give you as we dont really know what the whole setup is going to be.

Hope this helps

- Jouni

Mark Mattix
Level 2
Level 2
In response to Jouni Forss

‎08-07-2013 01:55 PM

Thank you very much for your response JouniForss. This is a sample of what the topology would look like:

| 2 redundant ASAs for my network | --------------->  | 2 redundant ASAs to another network |

How the other network is connected really isn't a concern of mine but just for informational purposes it's another private network and the link to the network is directly firewall to firewall.

     "These ACLs would be configured in Inbound direction (which would control traffic heading towards the firewall from that segment and into the other segment). You could then configure both ACLs in the manner that ONLY the required source/destination IP addresses/networks/ports are allowed and all other traffic is blocked."

Do you mean, an inbound ACL on the internal interface of my firewalls and on the external interface would be best for my setup? Also I don't understand enough about hacking... Lets say I want to allow the subnet 192.168.1.0 /24 to come into my firewall on port 2000. Would I also specifiy the IP of my internal server that they are allowed to connect to and is this command the only mechanism stopping them from potentially entering another server that is using port 2000? What is the possibility of my allowing them to a specific server IP on port 2000 and them gaining access to a completely different IP and port number internally?

Thanks for your help!

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Mark Mattix

‎08-07-2013 02:19 PM

Hi,

If we presume that the firewalls you manage are purely used for this connection between the 2 network segments then this means that you probably wont need any NAT. This would essentially mean that you would be using the real/local IP addresses in the firewall. This naturally makes the ACLs building (and the firewall rules in general) pretty simple since you dont have to keep track of Real and Mapped addresses with NAT.

Now if your aim is to configure pretty strict ACLs then you would naturally build and ACL to allow traffic only

  • To a certain host IP address on your network
  • To a certain destination protocol and port (TCP/UDP)
  • From a certain source network or a certain source host

So you would only be allowing traffic to the from the specific source to a specific destination and only the services/ports they need. This would not open access to any other host/service on your Internal network.

Naturally this still means that they are allowed to access on those ports and if the remote site/network should be compromised it could mean these ACL rules could provide chance for some malicious traffic. But naturally you will have to allow this traffic to enable the use of the services needed.

And naturally the firewall should not be the only device controlling/securing the network. Each host and server should have appropriate protection on the software side and be issued updates to correct possible vulnerability that might arise.

Then there is naturally different IPS devices you could implement to protect the network.

Naturally there is also an option that you could locate some device/host/server that the remote network needs to access on a DMZ section of your firewalls and therefore it would give you a chance to limit its connectivity to your Internal network while at the sametime allowing Internal network to connect to the DMZ resources if needed. Essentially isolate this resource that the remote site needs to access so that even if it was compromised it would still be located on the DMZ and have limited to no access to your Internal network.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card