We are the aggregation and internet access portal for school districts in our area. We also offer hosting services, etc. Right now everything connects directly into a 6513 core. Traffic between districts and the datacenter is routed through a FWSM. Traffic bound for the internet goes out through a couple of in-line URL filters and packet shapers, then to an ASA 5550.
We need to replace our ASA 5550, and our FWSM is out of context licenses... So now is the time to upgrade.
The idea I have is to put a 6509E where the 6513 is, and two 5585-X ASAs where the 5550 is now, and route everything, including traffic between the datacenter and districts, through the ASAs. Problem is, I don't want the URL filters and packet shaper to touch the traffic between districts and the datacenter.
I thought about having two connections from the 6500 to the ASAs. One for internet-bound traffic, which would go through the filter, and one for inter-district and datacenter traffic. I can't think of any way to ensure that internet traffic takes one path, and inside traffic takes another path. The routing decision would have to be made somewhere before the ASAs... If I do that, and the traffic gets to the ASA, runs through an ACL, and comes back down to the 6500, it will just keep looping.
Is there a better option?
You can set up multiple contexts on the ASA. One context will be for internet and the other for inter-district. You can assign different physical interfaces to different contexts to keep the traffic physically separate. At that point, you essentially have 2 firewalls and can put things in-path for only one of them if you need to.
The routing will be done as if you have 2 firewalls. I'm not sure how you're doing routing now but this shouldn't be too difficult.
Ok, so you're saying put the filter in-line between the first and second firewall? If traffic is meant for internet it will then be sent to the 2nd firewall... That makes sense. I was thinking of having the two mostly for redundancy and failover... But what you're suggesting makes perfect sense.
I wasn't saying to use the physical firewalls in line with each other, though that would work too. It would eliminate your HA configuration though.
I was saying to set up at least 2 contexts on the firewalls in a failover configuration.
Assign gig0/0 and gig1/0 to context 1. (district traffic)
Assign gig0/1 and gig1/1 to context 2. (internet traffic)
Within the contexts, configure the interfaces as needed; inside/outside/subinterfaces, etc.
Route district traffic to context 1.
Route internet traffic to context 2. Put the filters and shapers inline here.
Does that make sense? There's probably something in your network that I don't understand.
Ok, I think I see what you're saying. So, how am I routing the traffic back to the district? Let's say district A is 10.1.0.0/16 and I have a route in the 6500 to send traffic bound for that district to an IP on interface gig0/0 on the ASA. Once the ASA scans that traffic, where does it send it? I guess I would route it over a separate VLAN back down to the 6500 (where it would only do layer 2) and out to the district?
I'll try to upload a drawing with some more details later.
Yes, so each district connects directly into the 6513 via its own copper port. Each district is on its own 10.x.x.x/16 subnet. The port for each district has its own vlan and has an L3 interface with a /30 subnet for routing between the 6513 and the district's router.
We do NAT at the ASA for servers and PAT for standard internet traffic.
Can you get a Nexus 7K instead of a Cat? It would be really straightforward with 2 VDCs, 1 acting as a WAN aggregation and the other being the data center.
If you can't buy that, policy routing inbound on the L3 interface might be the easiest way to go. If the traffic is destined for permitted internal subnets, send it to the proper ASA interface. If it needs to go elsewhere, use the routing table/default route to get to the internet.
It would also work the way you said in a previous post: static routes to the outside interface of the district ASA context, and the inside will connect back to an L2 VLAN on the switch. That's probably easier than policy routing.
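The two-context layout worked out in the posts above (separate physical interfaces per context, district traffic routed to the district context, internet-bound traffic routed through the filters and shapers to the internet context, and the datacenter VLAN kept at layer 2 on the 6500 with the ASA as its gateway), as an added configuration example that is not from the original thread. The interface numbers follow the post; every IP address, VLAN number, context name and ACL is an assumption made up for illustration (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges), and the NAT lines assume ASA 8.3-or-later object NAT syntax.

```cisco
! --- ASA 5585-X, system execution space (assumed to be in multiple-context mode) ---
mode multiple
!
! Physical interface state lives here; addressing is done inside each context.
interface GigabitEthernet0/0
 description district context: outside, routed link to the 6500
 no shutdown
interface GigabitEthernet1/0
 description district context: inside, datacenter VLAN (L2 only on the 6500)
 no shutdown
interface GigabitEthernet0/1
 description internet context: inside, from the 6500 via URL filter and shaper
 no shutdown
interface GigabitEthernet1/1
 description internet context: outside, to the ISP
 no shutdown
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context district
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet1/0
 config-url disk0:/district.cfg
context internet
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet1/1
 config-url disk0:/internet.cfg
!
! --- context district (disk0:/district.cfg, assumed addressing) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
interface GigabitEthernet1/0
 nameif inside
 security-level 100
 ip address 10.200.1.1 255.255.255.0
! Anything not on the datacenter VLAN goes back to the 6500, which owns the
! per-district routes. No filter or shaper sits on this path.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
access-list DISTRICT_IN extended permit tcp 10.0.0.0 255.0.0.0 10.200.1.0 255.255.255.0 eq 443
access-group DISTRICT_IN in interface outside
!
! --- context internet (disk0:/internet.cfg, assumed addressing) ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.6 255.255.255.252
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Return path for all internal space: hand it back to the 6500.
route inside 10.0.0.0 255.0.0.0 192.0.2.5 1
object network INTERNAL
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
!
! --- Catalyst 6500 (IOS, assumed addressing) ---
! District A attaches as today: its own routed port with a /30 to its router.
interface GigabitEthernet2/1
 description District A
 no switchport
 ip address 10.1.255.1 255.255.255.252
ip route 10.1.0.0 255.255.0.0 10.1.255.2
!
! Routed link to the district context outside.
interface Vlan201
 description to ASA district context outside (Gi0/0)
 ip address 192.0.2.1 255.255.255.252
! Datacenter VLAN is layer 2 only: no SVI, the ASA inside interface is the gateway.
vlan 200
 name datacenter
interface GigabitEthernet3/1
 description ASA district context inside (Gi1/0)
 switchport
 switchport access vlan 200
interface GigabitEthernet3/2
 description datacenter server
 switchport
 switchport access vlan 200
ip route 10.200.1.0 255.255.255.0 192.0.2.2
!
! Routed link towards the internet context, with the filter and shaper in-line.
interface Vlan202
 description to URL filter / shaper -> ASA internet context inside (Gi0/1)
 ip address 192.0.2.5 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.0.2.6
```

The loop from the first post cannot occur here because the 6500 has exactly one next hop per destination: district /16s go out their own ports, the datacenter /24 goes to the district context, and only the default route points at the internet context. A datacenter server reaching the internet still traverses the district context (inside to outside), is routed by the 6500 to the internet context, and comes back the same way, so both contexts see a normal stateful connection. With two 5585-Xs in failover, both contexts replicate over the same failover and state links; after configuring, `changeto context district` followed by `show route` on the ASA and `show ip route 10.200.1.0` on the 6500 confirm the split before the filters go in-line.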
Message was edited by: Robert Falconer