Dual Firewalls, VPN config design question?

switched switch
Level 1

All,

I am looking at setting up a dual firewall design with different vendors, i.e. Cisco at the front and another vendor behind that. The Cisco ASAs will handle the VPN terminations. This was a design recommended to us.

The reason being was the front facing firewall (Cisco) will block most of the noise, and then the second firewall will do the IPS inspection etc. Apparently this is also done in case there are vulnerabilities with the first vendor. The DMZ interface will actually come off the second firewall.

What I am trying to work out is, if all remote users terminate their VPN on the front ASAs, what's the best approach to get them to route to the second firewall and then back out to the internet so we can apply the users' policies and inspection?

There is no IPS inspection facilities on the front facing ASAs, just a bog stock firewall with no L7 visibility either (as this responsibility will lie with the second firewall).

Looking for any information so I can begin the research...


13 Replies

Collin Clark
VIP Alumni

Thanks Colin,

Is having the VPN termination on the forward firewall something that can be configured with some way of getting the users back behind the second firewall for IPS etc?

I've bookmarked the CVDs as something to read prior to implementation

Yes. Typically your VPN termination firewall will have its normal outside interface that is connected to the internet and the 'inside' interface will connect to a DMZ on your second firewall. No matter what, VPN traffic will have to flow through that second firewall whether to access inside resources or get filtered going out to the internet.

Thanks Colin.

Another question.

With dual firewalls, we have 3 areas, the front WWW facing (external), the internal user side, and the intermediate zone between the sets of firewalls.

With the intermediate zone, I plan on having a DMZ external (Intermediate DMZ) and Internal DMZ and there will be IPS inspection between the two zones.

My question is - for traffic that is going from the users out through to the WWW via the intermediate zone, should I be looking at creating a new zone for separation here, i.e. in the attached image called "Intermediate Internal", or should I just use the "Intermediate DMZ" to get users out to the WWW and remove the "Intermediate Internal"?

I don't think the extra DMZ is necessary. The diagram below is a common setup that I do for customers that are looking for an 'Internal DMZ' which is accessed only by internal and VPN users (notice that the VPN users still must pass 2 firewalls) and a 'Public DMZ' for servers that will provide services to the public.

Thanks Colin.

So here are the zones based on your recommendation:

External

Intermediate DMZ (vlan between Internal and External Firewall)

Internal DMZ

Internal.

The internal DMZ will host the public hosts, that will be used for External users and will sit off the inside firewall (who have to bypass the first firewall, and also hit the second firewall which will do IPS inspection), as well as internal users (who will also have IPS inspection).

Are there any caveats here with this setup? We are migrating from a single FW so this is a new setup for us.

I am hoping to integrate the ASA VPNs with an internal ISE server for authentication and authorization that is yet to be built.

As ISE is not built and configured, would it be best to have local VPN users configured on the ASA, and then once ISE is up and running to then migrate them across to integrate with ISE?

We are only a small shop, and I expect ISE will take some time to have configured and ready to integrate with our 5525s.


switched switch
Level 1

Hi Colin,

Just looking at your diagram again and I notice that your VPN users come in on one interface, and exit out another.

Based on that, it would seem that your design has asymmetric routing, as it comes into the ASA on the VPN routers and traffic leaves on the VPN DMZ to the second firewall.

Do you have issues with a design like this?

Collin Clark
VIP Alumni

Where do you think there will be asymmetrical routing? The only way that could happen is if you tunnel all traffic, route all the traffic inside, then back out the "other" internet interface. It's not really asymmetrical, but it is not optimized routing either (but may be better security). I hope that makes sense.

switched switch
Level 1

Hi Colin,

As you mention, if users terminate onto the ASAs (FW1) and a static route points to the next firewall (FW2) which routes out that WWW feed, would that constitute asymmetrical routing, as return traffic would come back on FW2 and route back to FW1? Of course if WWW is hairpinned on the ASAs then no inspection will normally take place, which I am trying to avoid for now.

In our scenario, we have IPS inspection on FW2 but not on our ASAs. I'm looking at finding a way to get both Internal and VPN users IPS inspected for both WWW and corporate traffic. I think that in this case the ASAs need to have a single leg off the FW2 so that traffic in and out of the ASA will naturally be inspected.

That is not asymmetrical routing. Think of the VPN users as just normal users and they happen to be behind a DMZ interface instead of the inside interface. VPN user traffic can be sent to FW2 for inspection and then sent out to the internet (still through FW2). We're doing exactly what you stated:

I think that in this case the ASAs need to have a single leg off the FW2 so that traffic in and out of the ASA will naturally be inspected.

Thank you Colin, whilst I knew that VPN users sit on the 'outside' interface, I wasn't sure how that was handled with the ASA having a static default route pointing everything out another interface, especially with the state table on the outside interface of the ASA. From what you say, there is no asymmetrical routing and I am overthinking the solution.

So even for the VPN session itself (i.e. the connection to the public IP address of the ASA - the connection required to maintain the VPN), does the return traffic going back to the source (client) go directly from the ASA public IP address, or does it use the static route for the ASA which points to FW2?

If it goes directly from the public IP of the ASA it must have an implicit rule where it overrides the routing table?

If you assign your VPN users a private IP address (think RFC1918) then it will route to that internal address that's on the DMZ. No public IPs involved. You can make the DMZ subnet between FW1 and FW2 the same as your VPN IP pool. I typically do that, seems to eliminate confusion. I hope the picture below helps explain it.
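As an added example (not from the thread or from Collin's diagram), here is an ASA configuration for the design discussed: outside toward the ISP, inside onto the intermediate DMZ shared with FW2 with the VPN pool carved from that same subnet, and a separate default route for decrypted tunnel traffic so VPN users are sent to FW2 for IPS while the encrypted sessions themselves still return to clients out the outside interface. The `tunneled` keyword is real ASA CLI; all addresses, interface assignments and names are constructed placeholders.

```cisco
! Added example config, not from the thread. Addresses are constructed placeholders.
! FW1 = Cisco ASA terminating remote-access VPN; FW2 = second-vendor firewall doing IPS.
! outside: 203.0.113.2/30 toward the ISP (ISP gateway 203.0.113.1)
! inside:  10.10.20.1/24 = the "Intermediate DMZ" segment shared with FW2 (FW2 at 10.10.20.254)
! VPN pool 10.10.20.100-200 lives inside that same /24, so FW2 sees VPN users as directly
! connected hosts and needs no extra route back toward the ASA for the pool.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
! Normal default route: used for the ASA's own traffic and for the encrypted tunnel packets
! going back to the clients' public addresses. This is why the VPN session never follows FW2.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Tunneled default route: applies only to decrypted traffic arriving from a VPN tunnel that has
! no more specific route. VPN users' WWW and corporate traffic is handed to FW2 for inspection.
route inside 0.0.0.0 0.0.0.0 10.10.20.254 tunneled
!
ip local pool VPN_POOL 10.10.20.100-10.10.20.200 mask 255.255.255.0
!
! Tunnel everything (no split tunneling) so VPN users' internet traffic also crosses FW2.
group-policy GP_REMOTE internal
group-policy GP_REMOTE attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelall
 address-pools value VPN_POOL
!
! Local users for now; later, point authentication-server-group at an ISE RADIUS group instead.
username alice password <PLACEHOLDER> privilege 0
username alice attributes
 vpn-group-policy GP_REMOTE
!
tunnel-group TG_REMOTE type remote-access
tunnel-group TG_REMOTE general-attributes
 address-pool VPN_POOL
 default-group-policy GP_REMOTE
 authentication-server-group LOCAL
!
! Keep VPN hairpinning off (this is the ASA default) so decrypted traffic cannot U-turn back out
! the outside interface and skip FW2's IPS.
no same-security-traffic permit intra-interface
```

The tunneled default route only takes effect for tunnel traffic that matches no learned or static route, so any more specific routes you add later still win.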
