Cisco – Placement of firewall for VPN RA and L2L tunnels

Tags: cisco, cisco-asa, security, switching, vpn

For Remote Access (RA) and LAN-to-LAN (L2L) VPN, I currently operate a pair of Cisco VPN 3005 Concentrators tied to the Internet edge routers on the outside and, on the inside, to an internal pair of PIX 535s (on what is the firewalls' outside interface) before traffic is allowed to pass through to our real internal networks. Both the VPN 3005s and the PIX 535s are being replaced with the ASA-5545X platform. These firewalls are not for our primary Internet traffic, only VPN, and they may also serve as internal firewalls for traffic going into the data center across private lines.

With the internal firewall ACLs being combined in a single firewall that serves VPN traffic and potentially other private line traffic, for security boundaries and to eliminate any potential routing issues, should the inside interface of the VPN-firewall (5545) stay in a separate subnet from the main Internet firewall or does it really not matter? OSPF is currently running on the Internet firewall (w/default-originate) and the VPN 3005. As this data center is our primary DC for web traffic — our bread and butter — I must eliminate any potential issues with the placement of the VPN firewalls that could interfere with this even in the slightest way.

**Should the inside interface of the 5545 land first on the L2 edge switches and then trunk to the agg switches for better security, or just have the inside drop straight into the Agg layer, also considering that private line traffic may come through yet another interface on the 5545 in the future?**

Only the relevant parts of the L3 connectivity are shown below with the ASA-5545X* that's in question.

                     Internet
                        |
               Edge rtr + Edge rtr
                        |
5545* (VPN/Internal fw) + 5540 (Internet fw for traffic in/out DC)
                        |
                  Agg-1 + Agg-2
                        |
                       etc

A pair of L2 switches connect all the edge devices before reaching the Agg switches.
Public IP space outside of firewalls, private on inside.
(Each firewall is part of a separate failover pair not shown; the 5545 and 5540
have no interaction.)

Looking for answers/comments that could be considered best practice or what you've found works best in a typical enterprise network.

Best Answer

Should the inside interface of the 5545 land first on the L2 edge switches and then trunk to the agg switches for better security, or just have the inside drop straight into the Agg layer, also considering that private line traffic may come through yet another interface on the 5545 in the future?

Since you did not say that the L2s would be running ACLs, I would not see a difference. I am guessing you will run tagging on the inside ASAs to the distribution layer. My firewalls connect directly to aggregation switches with a dedicated vlan that runs HSRP/VRRP between each set of firewalls and the agg switches.

As to private line traffic, I do not use ASA but I think they have the zones construct like IOS ZBF and you will keep VPN traffic from going to/from the private line traffic without going through packet filtering.

It sounds like the default route points to the 5540 and you will use more specific routes to get to your internal VPN access pools and the private line addresses. The 5545 has the default route pointing to the 5540, and it is OK for VPN traffic to hit the Internet directly (I don't know if you split-tunnel on your VPN clients), with other routes to your internal address space.

So I cannot see any real problems with your plan, but some of my above assumptions may be wrong.
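The layout the answer describes (a dedicated VLAN between the 5545 inside interface and the agg pair, a first-hop redundancy VIP, specific routes for the VPN pools and private-line prefixes, and the default staying with the 5540) in configuration form. This is an added example, not configuration from the original question or answer: every VLAN number, interface name and address is a hypothetical placeholder drawn from RFC 1918 space, the 5545's outside/Internet-facing side is omitted, and the VPN-to-private-line separation is done with an ASA `vpn-filter` ACL, since the ASA has no IOS ZBF-style zone-pair policy and VPN traffic bypasses interface ACLs by default (`sysopt connection permit-vpn`).

```cisco
! ===== Agg-1 (IOS; Agg-2 is identical except for its own address and a lower HSRP priority) =====
! Hypothetical dedicated VLAN carrying only the 5545 inside interface
vlan 900
 name FW-VPN-INSIDE
!
interface Vlan900
 description Inside of ASA-5545X VPN/internal firewall pair
 ip address 10.255.0.2 255.255.255.248
 standby version 2
 standby 90 ip 10.255.0.1
 standby 90 priority 110
 standby 90 preempt
!
! Trunk toward the L2 edge switch that fronts the 5545; carry only the firewall VLAN
interface TenGigabitEthernet1/1
 description To edge L2 switch (5545 inside)
 switchport mode trunk
 switchport trunk allowed vlan 900
!
! Only prefixes the 5545 owns are routed to it. The default route is not set here;
! the agg layer keeps learning it from the 5540 via OSPF default-originate.
! Next hop is the 5545's active inside address, which moves with ASA failover.
ip route 10.200.0.0 255.255.248.0 10.255.0.6 name RA-VPN-POOL
ip route 10.210.0.0 255.255.0.0 10.255.0.6 name L2L-REMOTE-SITES
ip route 10.220.0.0 255.255.0.0 10.255.0.6 name PRIVATE-LINE-DC

! ===== ASA-5545X (primary of the failover pair; standby addresses shown) =====
interface GigabitEthernet0/1
 no nameif
 no shutdown
!
! 802.1Q subinterface toward the agg pair, matching the answer's "tagging on the inside"
interface GigabitEthernet0/1.900
 vlan 900
 nameif inside
 security-level 100
 ip address 10.255.0.6 255.255.255.248 standby 10.255.0.7
!
! Future private-line interface, kept at a lower security level than inside
interface GigabitEthernet0/2
 nameif privateline
 security-level 50
 ip address 10.254.254.1 255.255.255.248 standby 10.254.254.2
!
! Internal address space behind the agg pair is reached via the HSRP VIP
route inside 10.0.0.0 255.0.0.0 10.255.0.1 1
! Remote data center across the private line, via the hypothetical carrier CE at .6
route privateline 10.220.0.0 255.255.0.0 10.254.254.6 1
!
! RA clients may reach the DC but not the private-line side. vpn-filter ACLs are
! written with the VPN peer (client pool) as the source and local networks as the
! destination, and they apply even though sysopt connection permit-vpn is on.
access-list RA_VPN_FILTER extended deny ip 10.200.0.0 255.255.248.0 10.220.0.0 255.255.0.0
access-list RA_VPN_FILTER extended permit ip 10.200.0.0 255.255.248.0 10.0.0.0 255.0.0.0
!
group-policy RA-USERS internal
group-policy RA-USERS attributes
 vpn-filter value RA_VPN_FILTER
```

Two points worth checking once this is in place: `show standby brief` on both agg switches should show the same VIP with one active member, and `show route` on the 5545 should show no default pointing into the inside interface, so a misconfigured static on the agg side cannot pull the web traffic path through the VPN firewall.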