ASA question and placement in a network?

Robbo777

Hi, i have a question about setting up an asa with a lab network on packet tracer. I was wondering where would be the best place to put it? Should i put it after the router and connected to a cloud or put it before the router and the router is the last point connected to the cloud?
Does this also mean that the asa needs basically the same config such as the full routing table from the router or does the asa just analyse traffic passing through it and could i just not allow any unknown traffic to pass through to the "inside" interface?

Thanks

networker050184

Best place depends on what the goals of the network are.

Robbo777

networker050184 wrote: »

Best place depends on what the goals of the network are.

Network security is the main reason, am guessing then that means put it ahead of the router and connect the asa directly to the cloud?

networker050184

Again, it all depends. What is the router doing? If it's behind the ASA is it even needed? What exactly is the ASA securing and how?

sucanushie

Generally your ASA is going to secure you edge. At least at the CCNA level.

So you might see you your outside interface of your ASA connected to the internet, which is generally a router. The inside interface can be connected to a switch.

The ASA will have a default route with the next hop of your router's IP, as well as NAT and all of your hosts on the inside would have their default gateway set to the inside interface of the ASA.

I hope that makes sense.

Robbo777

sucanushie wrote: »

Generally your ASA is going to secure you edge. At least at the CCNA level.

So you might see you your outside interface of your ASA connected to the internet, which is generally a router. The inside interface can be connected to a switch.

The ASA will have a default route with the next hop of your router's IP, as well as NAT and all of your hosts on the inside would have their default gateway set to the inside interface of the ASA.

I hope that makes sense.

I see, so is there much point in having a router in your example? One question as well, why would the asa be doing NAT when it still needs to pass through to the router? Surly it would make more sense for the router to do NAT?

Thanks

Dieg0M

It really depends on what the business and technical requirements are. Generally, you do not want to do dynamic routing on a firewall so if BGP is required to the provider, you will have a router. Most ASA's do not even support BGP or IGP or do but have a hard time handling full internet routing tables. Also, you might want to consider ZBF if you just want to keep a router in the picture but in my opinion ASA's are a better option if clustering is required.

Deathmage

ASA placement also depends upon if you manage the router or if the ISP manages the router.

If you manage the router to the dmarc with the ISP handoff then you place it typically after the router with, like mentioned above, the default gateway being the router.

If you don't manage the router, you still place it after the router.

However while the above is typical you can place a firewall on a secondary ISP connection for VPN access (or a firewall-to-firewall tunnel) or web services like payment servers and such that need security on top of flow control. With that being said firewall have limitations as they don't suppose advanced routing protocols.

Me personally, in my home-lab I now have 1921 with a Cable WIC and I let me ISP manage the WIC and I control the router, but I still connect my Sonicwall into the 1921 and using the 1921 as the default gateway. But it allows me now to use more advanced routing protocols to my friends that also have home-lab when we do WAN connections to our home-networks for home-based LAN parties.

It all depends, as mentioned above, on network design and needs.

Mitechniq

Let the router route and the ASA do firewall stuff.

Usually, I have a router on the edge for routing and configure it to do simple IP/Port acl in and out. The router also does my natting of the ASA interface or any DMZ requirements I might have.

Once it passes the Router it goes to the ASA for further inspection, which could be considered 'defense in depth.'

There are several other scenarios and more complicated solutions but to your one router and one ASA network. I think this works best.

Legacy User

Robbo777 wrote: »

One question as well, why would the asa be doing NAT when it still needs to pass through to the router? Surly it would make more sense for the router to do NAT?

Thanks

Its a security issue. As stated earlier it really depends on the design. When working with a firewall the security polices can protect the NAT entries such as static nat which maps an internal ip address to the external ip address. The router is not good for using as a firewall to many holes. If you configure NAT on the edge router and not on the firewall then that means an outside attacker can attack your router and get access to the internal network. Thats why as per Cisco it marks an internet edge router as the "untrusted zone".

@Robo
I know everyone keeps replying with, "it depends on the design" but its true. There isn't one right way to do something it really depends on the parameters of the network and the available equipment.

Sometimes you have to be a bit creative to get a working solution. I know one time for a teleworker that needed a cisco ip phone at there house we set up a 1841 with a site to site vpn to HQ that had nat enabled, nat exempt rules and acl's for the tunnel and the personal network. He had a consumer based router/wifi that was placed behind the 1841 and it served as the firewall and nat as well for his personal network.
Netgear router>Router>Internet

Legacy User

@Robo

When I first was learning about firewalls I had a similar question so I understand the confusion when dealing with placement with a router and ASA on the same network. I will do my best to try to explain it with a high level view hopefully I do not confuse you any further.

As mentioned earlier placement of the ASA really depends on the network design and what you are trying to achieve. Router and ASA placement depends on certain variables. There are different ways to do things and you can take a look at design guides to get a more in depth look but I'm going to give a few examples just to give you a general idea.

If the Router is connected to the ISP via serial link or responsible for routing to external networks and its connecting to these networks with BGP and/or MPLS then the router will connect as the edge device which connects to the "cloud(internet)". In this scenario the router will be responsible for the routing and the ASA will be behind the router ASA>Router>Internet. The ASA's function would be for NAT and as a firewall to protect the internal network from outside attacks.

In a single connection to an ISP that just has a default route to the ISP and no other routing requirements then the ASA can be placed at the edge which connects to the "cloud(internet)". In this layout the The ASA's function can be for VPNs, NAT and as a firewall to protect the internal network. In this layout there is no need for a router unless if its used for other services for internal use besides routing (voip, dhcp, etc). LAN>ASA>internet.

In a scenario that you are running IGP's (interior gateway procotols ex: EIGRP,RIP,OSPF) within your network which is handled by a layer 3 device (layer 3 switch or router). Depending on the network it can be just a layer 3 switch(s) that has a static route on that device which is pointing traffic to the ASA to get to the internet. (LAN>ASA>ISP)

Hope this clarifies it a bit.

volfkhat

Deathmage wrote: »

Me personally, in my home-lab I now have 1921 with a Cable WIC and I let me ISP manage the WIC and I control the router, but I still connect my Sonicwall into the 1921 and using the 1921 as the default gateway. But it allows me now to use more advanced routing protocols to my friends that also have home-lab when we do WAN connections to our home-networks for home-based LAN parties.

Now there's a practical application :]

So which device is allowing the "WAN party" capabilities?
Is it the 1941 Router, or is it the SonicWall?

For instance, if i wanted to have a Wan-Party with you; which would i need first?

Legacy User

What are you guys running DMVPN's to connect to each other?

Robbo777

dmarcisco wrote: »

@Robo

When first was learning about firewalls I had a similar question so I understand the confusion when dealing with placement with a router and ASA on the same network. I will do my best to try to explain it with a high level view hopefully I do not confuse you any further.

As mentioned earlier placement of the ASA really depends on the network design and what you are trying to achieve. Router and ASA placement depends on certain variables. There are different ways to do things and you can take a look at design guides to get a more in depth look but I'm going to give a few examples just to give you a general idea.

If the Router is responsible for routing to external networks and its connecting to these networks with BGP and/or MPLS then the router will connect as the edge device which connects to the "cloud(internet)". In this scenario the router will be responsible for the routing and the ASA will be behind the router ASA>Router>Internet. The ASA's function would be for NAT and as a firewall to protect the internal network from outside attacks.

In a single connection to an ISP that just has a default route to the ISP and no other routing requirements then the ASA can be placed at the edge which connects to the "cloud(internet)". In this layout the The ASA's function can be for VPNs, NAT and as a firewall to protect the internal network. In this layout there is no need for a router unless if its used for other services for internal use besides routing (voip, dhcp, etc). LAN>ASA>internet.

In a scenario that you are running IGP's (interior gateway procotols ex: EIGRP,RIP,OSPF) within your network which is handled by a layer 3 device (layer 3 switch or router). Depending on the network it can be just a layer 3 switch(s) that has a static route on that device which is pointing traffic to the ASA to get to the internet. (LAN>ASA>ISP)

Hope this clarifies it a bit.

For my design i was going with 3 sites across a frame relay network all running multi area ospf and using DHCP for internal addresses and dynamic NAT. I just have a few questions regarding as i said the placement of the router and the asa:

1. What's the best placement in your opinion for this design then?
2. Does the asa do the natting or the router
3. Does the router route the traffic using ospf etc... (bit confusing in what other tasks the asa can actually be used for)
4. Does the asa be the default gateway and then a static route to the router on the edge (if the router is on the edge for this example?)
5. If not does the asa have any actual address?

Bit confusing the actual set up of an asa, I've always just done it with a router. I have pretty much every practice down now confidently except for asa's.

Legacy User

I know this all for a lab so how do you feel it should go? Take a step back and think about your design and what is the best way or possibilities to achieve your goal. This is your network design and you are the "network engineer" using all the tools you know how would you design and implement that solution? Before you think about adding a firewall to your design you need to understand features and limitations and what role it will play on your network before adding it to your topology. For multi point private wan connections you generally won't need nat unless if you using it for Internet access as well. The Asa doesn't deal with routing protocols that well and has limitations.

networker050184

The reason we are all saying it depends is because it does, but I'll try to give some high level stuff to your questions.

1. If it's a serial frame relay hand off you'll have to use a router first. ASA's do not support these interface types.
2. Usually you'd use the ASA as you may have policy NAT needs etc.
3. That is one that completely depends.
4. That'd be an easy way of doing it. There are some constraints with having the ASA as the DG though.
5. Usually yes you'd address the ASA, but there are transparent mode options.

Really you should be designing a network to support your traffic. Pretty hard to just say what should be where without knowing the end goal. Probably the biggest issues I run into with networks. People have a network design already made up before even knowing traffic patterns etc. That's setting yourself up for failure!

Deathmage

volfkhat wrote: »

Now there's a practical application :]

So which device is allowing the "WAN party" capabilities?
Is it the 1941 Router, or is it the SonicWall?

For instance, if i wanted to have a Wan-Party with you; which would i need first?

we both have Sonicwalls, and we use a Sonicwall to Sonicwall VPN Tunnel for WAN gaming, my friend also has a VMware cluster and we use the tunnel for SRM between our clusters. I really got the 1921 because I wanted control of the ISP modem. .... surprisingly my download speeds are actually faster now

we basically talked it over and made a network scheme for our WAN connections that essentially make up a OSPF area 0 core, and then the exit interfaces into our home-networks are Area 10 and 20 respectfully to a L3 collapsed core. We just use the Sonicwall to Sonicwall VPN tunnel as like a P2P tunnel in essence, his router is a Cisco 2821.

Hondabuff

Once you try a Palo Alto Firewall, You will never attempt to manage a network with an ASA ever again.

JoJoCal19

Hondabuff wrote: »

Once you try a Palo Alto Firewall, You will never attempt to manage a network with an ASA ever again.

Please, expound upon that. I have no experience with Palo Alto FWs.

Robbo777

Okay I'm going to go with putting the router first because of its routing capabilities.
What are the main functions i can use the asa for then?
NAT
Policy maps
Inside and Outside zones

I know there are more features but with me not knowing them, are there any more i should be implementing into the asa that are paramount?

I have one more question about NAT as well, if i'm natting the private addresses at the asa, then how is the router going to know where to send the reply traffic to? I just cant quite wrap my head around WHY we need to NAT with the asa (why not just NAT with the router?) and how the router then understands what to do with it and then where to send the reply traffic.

Thanks again

Hondabuff

JoJoCal19 wrote: »

Please, expound upon that. I have no experience with Palo Alto FWs.

If you ever tried to setup an ASA out of the box you will know the frustration you experience just trying to get network connectivity up and running. The Palo Alto just has it down on the feel and flow of setting it up. I'm a Die hard Cisco guy and the IOS of the ASA's just drive me nuts. Between the commands that are like IOS but just enough that they don't work and I'm constantly checking white papers for the proper command. The Java based ASDM is slow and cumbersome. The Palo Altos menus are clean and simple. Setting up DMVPN with VTI tunnels I was able to do in the first attempt. Palo Alto's are made to be managed strictly by the GUI and to be user friendly. ASA seemed to be geared to a network specialist who's job role is to only manage the ASA. We use a pair of PA7000's and PA2000's in all the branch offices. We swapped out 3000+ users from using Anyconnect to now using GlobalProtect that just automatically connects when you open your laptop. Before we had to always do split tunneling due to the ASA's not handling the traffic. The PA, we just bring all the traffic back through the VPN with no impact on performance. ASA has a 50 page guide for setting up HA where as Palo Alto can do the same in under 9 pages, This sums up the management for an ASA vs. a PA.. If you get a chance to demo one I definitely would. We had a Palo Alto rep come in and do the dog and pony show and we were sold after 1hr.

Legacy User

Robbo777 wrote: »

Okay I'm going to go with putting the router first because of its routing capabilities.
What are the main functions i can use the asa for then?
NAT
Policy maps
Inside and Outside zones

I know there are more features but with me not knowing them, are there any more i should be implementing into the asa that are paramount?

I have one more question about NAT as well, if i'm natting the private addresses at the asa, then how is the router going to know where to send the reply traffic to? I just cant quite wrap my head around WHY we need to NAT with the asa (why not just NAT with the router?) and how the router then understands what to do with it and then where to send the reply traffic.

Thanks again

I think it'd be best if you learn how to work on the ASA and the capabilities before trying to blindly add it to your topology without knowing why you "feel" you need it there.

Learn how it works in basic topologies once you have a hang on how it should would you can change variables and add it to a complex topology that deals with other components and take it from there.

JoJoCal19

Hondabuff wrote: »

If you ever tried to setup an ASA out of the box you will know the frustration you experience just trying to get network connectivity up and running. The Palo Alto just has it down on the feel and flow of setting it up. I'm a Die hard Cisco guy and the IOS of the ASA's just drive me nuts. Between the commands that are like IOS but just enough that they don't work and I'm constantly checking white papers for the proper command. The Java based ASDM is slow and cumbersome. The Palo Altos menus are clean and simple. Setting up DMVPN with VTI tunnels I was able to do in the first attempt. Palo Alto's are made to be managed strictly by the GUI and to be user friendly. ASA seemed to be geared to a network specialist who's job role is to only manage the ASA. We use a pair of PA7000's and PA2000's in all the branch offices. We swapped out 3000+ users from using Anyconnect to now using GlobalProtect that just automatically connects when you open your laptop. Before we had to always do split tunneling due to the ASA's not handling the traffic. The PA, we just bring all the traffic back through the VPN with no impact on performance. ASA has a 50 page guide for setting up HA where as Palo Alto can do the same in under 9 pages, This sums up the management for an ASA vs. a PA.. If you get a chance to demo one I definitely would. We had a Palo Alto rep come in and do the dog and pony show and we were sold after 1hr.

Wow that's incredible. Thanks for that. Yea the thing with the commands being like IOS but not quite would drive me crazy to have an entirely different syntax to try to remember stuff.

theodoxa

For a regular Ethernet connection, the ASA can go directly on the edge of your network. For example, I have Cable Internet and have an ASA connected directly behind my ISP's modem (which is in bridged mode). OTOH, if you use a PPP or MPLS Circuit, you will need a router between your ASA and your ISP.

SOHO Example (Using ASA 5505 and Wireless AP)



MPLS Example (Using Cisco ASA and CE Router)



Note that Switch(es) might not be a single switch, but a hierarchical Layer 2/Layer 3 topology using multiple Core/Distribution and Access switches. I recently got a new laptop, so I have not had a chance to load my custom network symbols (Cisco ASA, Wireless AP, Layer 3 Switch, Various Cisco Devices, etc...) back into Visio and had to use the ones provided by Microsoft.

sucanushie

In the next version of FireSight you will be able to manage ASA's from there, which will be a lot better than ASDM.

PAN is nice, but it's also 4X more than a ASA with FirePower setup.

So throw in that with AMP for network and end points it's hard to justify that price difference.

Hondabuff wrote: »

If you ever tried to setup an ASA out of the box you will know the frustration you experience just trying to get network connectivity up and running. The Palo Alto just has it down on the feel and flow of setting it up. I'm a Die hard Cisco guy and the IOS of the ASA's just drive me nuts. Between the commands that are like IOS but just enough that they don't work and I'm constantly checking white papers for the proper command. The Java based ASDM is slow and cumbersome. The Palo Altos menus are clean and simple. Setting up DMVPN with VTI tunnels I was able to do in the first attempt. Palo Alto's are made to be managed strictly by the GUI and to be user friendly. ASA seemed to be geared to a network specialist who's job role is to only manage the ASA. We use a pair of PA7000's and PA2000's in all the branch offices. We swapped out 3000+ users from using Anyconnect to now using GlobalProtect that just automatically connects when you open your laptop. Before we had to always do split tunneling due to the ASA's not handling the traffic. The PA, we just bring all the traffic back through the VPN with no impact on performance. ASA has a 50 page guide for setting up HA where as Palo Alto can do the same in under 9 pages, This sums up the management for an ASA vs. a PA.. If you get a chance to demo one I definitely would. We had a Palo Alto rep come in and do the dog and pony show and we were sold after 1hr.

theodoxa

Dieg0M wrote: »

Most ASA's do not even support BGP or IGP or do but have a hard time handling full internet routing tables.

The ASA OS has supported BGP since about 2014, though you would probably not want to get a full internet routing table. I ran eBGP (the ASA was acting as an ISP and was the way out to the internet) between my ASA and and Lab equipment when I did CCNP: ROUTE. The ASA sent all of its static routes (The SSL VPN would install a static host route for each VPN session terminated on the ASA) and a default route to my lab.