Cisco Support Community

New Member

Dual Firewalls, VPN config design question?

All,

I am looking at setting up a dual firewall design with different vendors, i.e. Cisco at the front and another vendor behind that. The Cisco ASAs will handle the VPN terminations. This was a design recommended to us.

The reason being was the front facing firewall (Cisco) will block most of the noise, and then the second firewall will do the IPS inspection etc. Apparently this is also done in case there are vulnerabilities with the first vendor. The DMZ interface will actually come off the second firewall.

What I am trying to work out is, if all remote users terminate their VPN on the front ASAs, what's the best approach to get them to route to the second firewall and then back out to the internet so we can apply the user policies/inspection?

There is no IPS inspection facilities on the front facing ASAs, just a bog stock firewall with no L7 visibility either (as this responsibility will lie with the second firewall).

Looking for any information so I can begin the research...

Dual Firewalls, VPN config design question?

New Member

Dual Firewalls, VPN config design question?

Thanks Colin,

Is having the VPN termination on the forward firewall something that can be configured with some way of getting the users back behind the second firewall for IPS etc?

I've bookmarked the CVDs as something to read prior to implementation

Dual Firewalls, VPN config design question?

Yes. Typically your VPN termination firewall will have its normal outside interface that is connected to the internet, and the 'inside' interface will connect to a DMZ on your second firewall. No matter what, VPN traffic will have to flow through that second firewall, whether to access inside resources or get filtered going out to the internet.

New Member

Dual Firewalls, VPN config design question?

Thanks Colin.

Another question.

With dual firewalls, we have 3 areas, the front WWW facing (external), the internal user side, and the intermediate zone between the sets of firewalls.

With the intermediate zone, I plan on having a DMZ external (Intermediate DMZ) and Internal DMZ, and there will be IPS inspection between the two zones.

My question is: for traffic that is going from the users out to the WWW via the intermediate zone, should I be looking at creating a new zone for separation here, i.e. in the attached image called "Intermediate Internal", or should I just use the "Intermediate DMZ" to get users out to the WWW and remove the "Intermediate Internal"?

Dual Firewalls, VPN config design question?

I don't think the extra DMZ is necessary. The diagram below is a common setup that I do for customers that are looking for an 'Internal DMZ' which is accessed only by internal and VPN users (notice that the VPN users still must pass 2 firewalls) and a 'Public DMZ' for servers that will provide services to the public.

New Member

Dual Firewalls, VPN config design question?

Thanks Colin.

So here are the zones based on your recommendation:

External

Intermediate DMZ (vlan between Internal and External Firewall)

Internal DMZ

Internal.

The internal DMZ will host the public hosts that will be used by external users and will sit off the inside firewall (who have to bypass the first firewall, and also hit the second firewall, which will do IPS inspection), as well as internal users (who will also have IPS inspection).

Are there any caveats with this setup? We are migrating from a single FW, so this is a new setup for us.

I am hoping to integrate the ASA VPNs with an internal ISE server for authentication and authorization that is yet to be built.

As ISE is not built and configured, would it be best to have local VPN users configured on the ASA, and then once ISE is up and running, migrate them across to integrate with ISE?

We are only a small shop, and I expect ISE will take some time to have configured and ready to integrate with our 5525s.


New Member

Hi Colin,

Just looking at your diagram again and I notice that your VPN users come in on one interface, and exit out another.

Based on that, it would seem that your design has asymmetric routing, as it comes into the ASA on the VPN routers and traffic leaves on the VPN DMZ to the second firewall.

Do you have issues with a design like this?

Where do you think there will be asymmetrical routing? The only way that could happen is if you tunnel all traffic, route all the traffic inside, then back out the "other" internet interface. It's not really asymmetrical, but it is not optimized routing either (but may be better security). I hope that makes sense.

New Member

Hi Colin,

As you mention, if users terminate onto the ASAs (FW1) and a static route points to the next firewall (FW2), which routes out that WWW feed, would that constitute asymmetrical routing, as return traffic would come back on FW2 and route back to FW1? Of course, if WWW is hairpinned on the ASAs then no inspection will normally take place, which I am trying to avoid for now.

In our scenario, we have IPS inspection on FW2 but not on our ASAs. I'm looking at finding a way to get both Internal and VPN users IPS inspected for both WWW and corporate traffic. I think that in this case the ASAs need to have a single leg off the FW2 so that traffic in and out of the ASA will naturally be inspected.

That is not asymmetrical routing. Think of the VPN users as just normal users and they happen to be behind a DMZ interface instead of the inside interface. VPN user traffic can be sent to FW2 for inspection and then sent out to the internet (still through FW2). We're doing exactly what you stated:

"I think that in this case the ASAs need to have a single leg off the FW2 so that traffic in and out of the ASA will naturally be inspected."

New Member

Thank you Colin, whilst I knew that VPN users sit on the 'outside' interface, I wasn't sure how that was handled with the ASA having a static default route pointing everything out another interface, especially with the state table on the outside interface of the ASA. From what you say, there is no asymmetrical routing and I am overthinking the solution.

So even for the VPN session itself (i.e. connection to the public IP address of the ASA, the connection required to maintain the VPN), does the return traffic going back to the source (client) go directly from the ASA public IP address, or does it use the static route for the ASA which points to FW2?

If it goes directly from the public IP of the ASA, it must have an implicit rule where it overrides the routing table?

If you assign your VPN users a private IP address (think RFC1918) then it will route to that internal address that's on the DMZ. No public IPs involved. You can make the DMZ subnet between FW1 and FW2 the same as your VPN IP pool. I typically do that, seems to eliminate confusion. I hope the picture below helps explain it.
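As an added illustration of the layout discussed in this thread (not a configuration from the thread, from Colin's diagram, or from any Cisco document), here is an ASA (FW1) fragment that terminates remote-access VPN on the outside interface and forces the decrypted user traffic to FW2 on the intermediate DMZ for inspection, with the VPN pool carved from the FW1-FW2 link subnet as suggested in the reply above. The encrypted tunnel packets back to the clients still follow the ASA's own default route on outside; the separate default route marked `tunneled` applies only to decrypted VPN traffic. All addresses, interface numbers and names are constructed sample values, and the local user is a placeholder for the interim setup before ISE exists.

```cisco
! Added example, not from the thread. All values are constructed.
!
! Internet-facing interface: VPN clients connect to 203.0.113.2
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Leg toward FW2 on the intermediate DMZ (FW2 is 10.99.0.2)
interface GigabitEthernet0/1
 nameif vpn-dmz
 security-level 50
 ip address 10.99.0.1 255.255.255.0
!
! Remote-access pool taken from the same subnet as the vpn-dmz link,
! so FW2 sees VPN users as directly connected hosts on that DMZ
ip local pool RA-POOL 10.99.0.100-10.99.0.200 mask 255.255.255.0
!
! Default route for the ASA's own traffic, including the encrypted
! tunnel packets returned to each client's public address
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Default route that applies only to decrypted VPN traffic: everything
! the users send (corporate or WWW) goes to FW2 for IPS inspection
route vpn-dmz 0.0.0.0 0.0.0.0 10.99.0.2 tunneled
!
! Tunnel all client traffic (no split tunnelling) so nothing bypasses FW2
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelall
!
! Interim local user until ISE is available (placeholder credential)
username vpnuser1 password CHANGE-ME-PLACEHOLDER
!
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 authentication-server-group LOCAL
 default-group-policy RA-TG-UNUSED
tunnel-group RA-TG general-attributes
 default-group-policy RA-POLICY
```

Once ISE is built, only the `authentication-server-group` line under the tunnel group needs to change from LOCAL to the configured RADIUS server group; the routing and pool design stay the same.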
