This is my first post here; I hope this will be helpful.
I have a network that looks like the attached image, and there are also remote branches that will be connected using tunnels and controlled by a router.
My question is how I should configure the ASA 5525-X with the FirePOWER module, and where to place it. I mean, is it placed in the right position now? For your information, it should handle SSL client and clientless VPN with AnyConnect. How should I configure it to filter the traffic from the router and terminate VPN connections at the same time? Should I connect the ASA to the router and to the ISP?
The ASAs are placed in the right place if you peer with your ISP and have your own AS and address block. But if you do not have these, I think the routers are just useless - you could connect the ASAs directly to the ISP.
Configuration should be done based on your needs. To filter traffic from the router you just need to name the external ASA interfaces 'outside' and the internal ones 'inside'. After this no traffic will be allowed from outside to inside (unless you permit it via ACL or NAT).
Also, it is good practice to create a separate DMZ for application servers which must be accessible from the Internet.
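The interface-naming behaviour and the DMZ suggestion above, shown as an added ASA 9.x configuration example. This is not configuration from the thread or from any of its participants; interface assignments, addresses, object and ACL names are all constructed for illustration, and the addresses come from the documentation ranges.

```cisco
! Added example, not from the thread. Interfaces, addresses, object and
! ACL names are constructed. ASA 9.x syntax.
!
! Naming an interface "inside" sets security-level 100 automatically;
! any other name defaults to 0. Traffic from a higher to a lower level
! flows without an ACL; lower-to-higher is dropped unless an ACL applied
! inbound on the lower-level interface permits it.
interface GigabitEthernet0/0
 description transit link to the edge router
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
!
interface GigabitEthernet0/1
 description corporate LAN
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Internet-facing application servers
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Internet egress stays on the edge router, so the ASA only needs a
! default route towards it.
route outside 0.0.0.0 0.0.0.0 192.168.255.1
!
! Branch traffic arriving via the router's tunnels also enters on
! "outside", so it is filtered by the same ACL as Internet traffic.
! Constructed branch range; only the required services are listed.
object-group network BRANCH_NETS
 network-object 10.100.0.0 255.255.0.0
!
access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq https
access-list OUTSIDE_IN extended permit tcp object-group BRANCH_NETS 10.0.0.0 255.255.255.0 eq 445
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! DMZ (50) to inside (100) is already blocked by the security levels.
! Applying an ACL on dmz replaces that implicit behaviour, so the ACL
! must spell out both the one allowed DMZ-to-inside flow and the
! DMZ-to-Internet traffic that was implicitly permitted before.
access-list DMZ_IN extended permit tcp host 172.16.1.10 host 10.0.0.20 eq 1433
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0 log
access-list DMZ_IN extended permit ip 172.16.1.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
```

The two `deny ... log` lines are what make the design auditable: every branch or DMZ flow that was not explicitly allowed shows up in the ASA syslog rather than silently disappearing, which is also the quickest way to find the rules still missing after the cut-over.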
Thank you my friends (duke & andreas). I understand your suggestions and I know what I can do with the ASA, but the problem is I can't change the design, because as I said I use the router for DMVPN connections with the remote sites, and the ASA is already placed after the router like you saw. Now I need to make the ASA work as a VPN terminator (SSL VPN), and I think for that I need a public IP. At the same time I need the ASA to filter the traffic that comes from the router to the inside network. So my question is how can I configure the ASA to do both without changing the design or removing the router?
Why this way... In my job I am tasked to avoid any possible single points of failure, so the ASAs need a redundant stateful failover link; I do it as a port-channel. Then I connect this link via a separate switch to avoid split-brain scenarios (when both ASAs would see the failover link down). Every ASA is also connected by its inside and outside interfaces to different switches.
Yes. I think you will need additional IP address(es) from your ISPs. I would not connect the ASAs between the edge routers and the LAN switches, because not all the traffic between the DMVPN cloud and the LAN is even needed on the ASA. But you will still have the ability for your VPN clients on the ASA to get to resources on your LAN and the DMVPN cloud - just configure routing the right way.
Also I would recommend configuring the ASAs as Active/Active failover with multiple contexts. Maybe you do not need this right now, but you will need it later, and if you don't do it now, the later migration will be painful.
I know your design and I've used it in another network. It's good for filtering traffic between the inside network and, let's say, a DMZ network connected to the ASA, but the traffic that comes from the router is still out of the line. I know you mean that it doesn't need filtering because of the tunnel and its encryption, but as I said, for me it's important to filter that traffic as well as providing client SSL VPN. That's what I need to do.
To terminate VPNs you don't need to have public IPs in general (meaning you can terminate VPNs on any IP you want); you could also choose to do some NAT/PAT on the routers for the ports you need for the VPNs.
But depending on how much your ISP will charge you for a small public IP range (which you can then use in the area between the Internet routers and the firewalls), it would be worth the extra money to have a cleaner and more scalable setup.
For my personal preference I would not choose to have unprotected routing/switching between the Internet (outside) and the corporate network (inside) like duke mentioned. It doesn't hurt to have traffic over the ASA which doesn't need to be filtered, but in case you need that later you can just kick out the any rule (like for the remote branches) and put in some proper rules.
Not all traffic from your branches is good, and it's much easier to gain access to a remote branch compared to a datacenter or headquarters building, so you gotta protect yourself :-) (#safernetworking).
Additionally, with the ASA in the traffic flow you can gather statistics about top talkers, protocol distribution and so on, which comes in handy in case you have to troubleshoot.
Sure, you have to check that the throughput of the ASA meets the requirements of your traffic.
Do you mean SSL VPN can be configured using private IPs? Can you explain to me how the outside user can reach the ASA? Because I can give my ASA a public IP, but that would be achieved by bypassing the router and giving a direct link from the ISP to the ASA.
And if I do that, doesn't that create another routing problem? Because I want any user from the inside network to go to the Internet through the router; if the ASA has an interface with a public IP, doesn't that create a conflict?
Of course you cannot use a private IP address to access the VPN from a client on the Internet, but as I said you can do destination NAT on your edge routers, so you can use the public IP of the router for the clients to connect to the VPN and NAT the packet to the private IP of the ASA.
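The destination-NAT approach described in this reply, as an added configuration example for both sides (IOS edge router and ASA). It is not configuration posted by any participant; the interfaces, transit and pool addresses, group and tunnel-group names are constructed, and the AnyConnect package filename is a placeholder for whatever package is actually uploaded to the ASA. Because the ASA's outside interface keeps its private transit address, inside users still reach the Internet through the router exactly as before, which answers the routing-conflict concern raised two posts up.

```cisco
! Added example, not from the thread. Addresses, interface names, pool,
! group-policy and tunnel-group names are constructed.
!
! --- Edge router (Cisco IOS) ---
interface GigabitEthernet0/0
 description ISP uplink (public address, documentation range)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description transit link to the ASA outside interface
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
! Destination NAT: TCP 443 (SSL VPN / AnyConnect TLS) and UDP 443
! (AnyConnect DTLS) arriving on the router's public address are
! forwarded to the ASA's private outside address. The router's own
! HTTPS server must not also listen on that port.
no ip http secure-server
ip nat inside source static tcp 192.168.255.2 443 interface GigabitEthernet0/0 443
ip nat inside source static udp 192.168.255.2 443 interface GigabitEthernet0/0 443
!
! --- ASA ---
! Outside stays on the private transit subnet; the default route points
! at the router, so encrypted replies to VPN clients go back through the
! same NAT entries.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 192.168.255.1
!
! Constructed client address pool and split-tunnel list (corporate LAN only).
ip local pool SSLVPN_POOL 10.20.0.10-10.20.0.100 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-VERSION-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
group-policy SSLVPN_GP internal
group-policy SSLVPN_GP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 dns-server value 10.0.0.53
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
tunnel-group SSLVPN_TG type remote-access
tunnel-group SSLVPN_TG general-attributes
 address-pool SSLVPN_POOL
 default-group-policy SSLVPN_GP
 authentication-server-group LOCAL
tunnel-group SSLVPN_TG webvpn-attributes
 group-alias SSLVPN enable
!
! Decrypted VPN traffic bypasses the outside interface ACL by default
! (sysopt connection permit-vpn). To restrict remote users the same way
! branch traffic is restricted, attach a vpn-filter ACL to the group
! policy instead of relying on the interface ACL.
```

`authentication-server-group LOCAL` uses the ASA's local user database, which keeps the example self-contained; in production this would point at an AAA server group. The placeholder `anyconnect image` line has to be replaced with the exact filename present on `disk0:`, otherwise clients can only use the clientless portal.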