How do ASA firewalls and UTM perimeter firewalls differ?
Firewall – the difference between an ASA firewall and UTM firewall
cisco-asafirewall
Related Solutions
Here is a description of one solution:
Create 4 additional VLANs on the L2 trunk. Place the firewalls between the router and L3 switches, and use 3 VLANS to connect the inside, outside and DMZ interfaces, turning the firewalls into a HA (failover) pair. The 4th VLAN becomes the heartbeat link between the two firewalls.
The default gateway for the outside interface is the HSRP address. The firewalls are configured with two contexts with identical policies. Context 1 will have the primary FW on the left side of the diagram, and context 2 will have the right FW as the primary.
Users on the left side will set their default gw to contect1, and users on the right will use context 2. This will keep traffic on the local FW and also provide redundancy if the local FW fails.
Each context has a unique public address (and NAT configuration) so that inbound traffic always goes to the correct FW.
The downside of this is that your DMZ devices will have two public addresses if they are located on both sides of the network. You can either: 1. Decide that the DMZ devices will always use one context regardless of their physical location 2. Use a global load balancer to direct traffic to one or the other contexts. That of course requires additional hardware and configuration.
As said above switchport set the port to be layer 2, you assign a vlan to it and then need an SVI to configure L3 for ip connnectivity. If you do no switchport the port is layer 3 and you place an IP address directly on the port. I am guessing you want a static default route between the switch and the firewall. Dont forget you need routes in the firewall pointing back to the subnets you have configured in the switch
Related Topic
- Firewall – Need help to identify UTM/Firewall for SME network
- Difference between cisco asa cluster and active/active failover
- Routing – Route traffic from ASA to other firewall default gateway
- Vpn – Cisco ASA – Sophos UTM Site to Site VPN No response from other network
- Firewall – Can Cisco ASA be a firewall for another public IP
- Firewall – The use of DMZ and single firewall design
- IKEv2 tunnel between ASA and Mikrotik
Best Answer
An ASA is a layer 3 and layer 4 firewall. UTM stands for Unified Threat Management, meaning it does the basic layer 3 and layer 4 firewalling but also has the capacity (much larger storage, more RAM, and faster CPU(s)) and capability (with licensing, usually) to go beyond, and filter up to layer 7 (in some cases). UTM appliances are usually for when you want a firewall but also the ability to filter spam, geo-filter (because normal firewalls can't usually handle the number of ACL entries required to do true geo-filtering), web filtering (blocking sites by category), etc. You can hack things together to kinda do some of these on a traditional ASA but it would only semi-work. Usually if you have an ASA and want to do web filtering, for example, you'd have to either have an in-line proxy to filter before sending to the firewall, or have a transparent proxy (using WCCP or such) to send web traffic from the ASA to something like a Websense appliance or similar, have it respond accordingly, and then either let the user hit the website or show a blocked/denied page.
There's more to it but that's a basic breakdown.