ASA question and placement in a network?

Hi, I have a question about setting up an ASA with a lab network on Packet Tracer. I was wondering where would be the best place to put it? Should I put it after the router and connected to a cloud, or put it before the router so that the router is the last point connected to the cloud?
Does this also mean that the ASA needs basically the same config, such as the full routing table from the router, or does the ASA just analyse traffic passing through it, and could I just not allow any unknown traffic to pass through to the "inside" interface?
Thanks
Comments
Network security is the main reason. I'm guessing then that means put it ahead of the router and connect the ASA directly to the cloud?
So you might see your outside interface of your ASA connected to the internet, which is generally a router. The inside interface can be connected to a switch.
The ASA will have a default route with the next hop of your router's IP, as well as NAT, and all of your hosts on the inside would have their default gateway set to the inside interface of the ASA.
I hope that makes sense.
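The layout described in this reply (ASA inside interface as the hosts' gateway, default route to the router, NAT on the ASA), written out as an added example config; it is not from the original post. Interface names, the ASA 5505 VLAN model, and the RFC 5737 addresses are assumptions for a lab; it also shows why the router needs no route for the private inside subnet, which is the NAT question raised later in the thread.

```cisco
! --- ASA 5505 (ASA 8.3+ syntax; addresses are constructed lab values) ---
! Inside interface: hosts use 192.168.10.1 as their default gateway
! (security-level 100 = most trusted)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Outside interface: faces the edge router (security-level 0 = untrusted)
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
! Default route: next hop is the router's address on the shared link
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! PAT (object NAT): every inside host leaves with source 203.0.113.2
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! No access-list is applied to "outside", so the default security-level
! behaviour applies: inside->outside sessions are permitted and their replies
! are matched in the connection table; unsolicited outside->inside traffic is
! dropped. Verify with "show xlate" and "show conn".

! --- Edge router (IOS; hypothetical interface names) ---
interface GigabitEthernet0/0
 description To ASA outside
 ip address 203.0.113.1 255.255.255.252
!
interface GigabitEthernet0/1
 description To ISP
 ip address 203.0.113.9 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 203.0.113.10
! No route for 192.168.10.0/24 is needed: the router only ever sees
! 203.0.113.2 as the source, and that address is directly connected, so reply
! traffic reaches the ASA, which maps it back to the inside host using its
! translation table.
```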
I see, so is there much point in having a router in your example? One question as well: why would the ASA be doing NAT when it still needs to pass through to the router? Surely it would make more sense for the router to do NAT?
Thanks
If you manage the router to the demarc with the ISP handoff, then you typically place it after the router with, as mentioned above, the default gateway being the router.
If you don't manage the router, you still place it after the router.
However, while the above is typical, you can place a firewall on a secondary ISP connection for VPN access (or a firewall-to-firewall tunnel) or web services like payment servers and such that need security on top of flow control. With that being said, firewalls have limitations, as they don't support advanced routing protocols.
Me personally, in my home lab I now have a 1921 with a cable WIC; I let my ISP manage the WIC and I control the router, but I still connect my SonicWall into the 1921 and use the 1921 as the default gateway. It allows me now to use more advanced routing protocols to my friends that also have home labs when we do WAN connections to our home networks for home-based LAN parties.
It all depends, as mentioned above, on network design and needs.
Usually, I have a router on the edge for routing and configure it to do simple IP/port ACLs in and out. The router also does my NATting of the ASA interface or any DMZ requirements I might have.
Once it passes the router it goes to the ASA for further inspection, which could be considered 'defense in depth.'
There are several other scenarios and more complicated solutions, but for your one-router and one-ASA network, I think this works best.
It's a security issue. As stated earlier, it really depends on the design. When working with a firewall, the security policies can protect the NAT entries, such as static NAT, which maps an internal IP address to the external IP address. The router is not good for using as a firewall; too many holes. If you configure NAT on the edge router and not on the firewall, then that means an outside attacker can attack your router and get access to the internal network. That's why, as per Cisco, it marks an internet edge router as the "untrusted zone".
@Robo
I know everyone keeps replying with "it depends on the design", but it's true. There isn't one right way to do something; it really depends on the parameters of the network and the available equipment.
Sometimes you have to be a bit creative to get a working solution. I know one time, for a teleworker that needed a Cisco IP phone at their house, we set up an 1841 with a site-to-site VPN to HQ that had NAT enabled, NAT exempt rules and ACLs for the tunnel and the personal network. He had a consumer-based router/wifi that was placed behind the 1841, and it served as the firewall and NAT as well for his personal network.
Netgear router>Router>Internet
When I first was learning about firewalls I had a similar question, so I understand the confusion when dealing with placement of a router and ASA on the same network. I will do my best to try to explain it with a high-level view; hopefully I do not confuse you any further.
As mentioned earlier, placement of the ASA really depends on the network design and what you are trying to achieve. Router and ASA placement depends on certain variables. There are different ways to do things, and you can take a look at design guides to get a more in-depth look, but I'm going to give a few examples just to give you a general idea.
If the router is connected to the ISP via a serial link, or is responsible for routing to external networks and is connecting to these networks with BGP and/or MPLS, then the router will connect as the edge device which connects to the "cloud (internet)". In this scenario the router will be responsible for the routing and the ASA will be behind the router: ASA>Router>Internet. The ASA's function would be for NAT and as a firewall to protect the internal network from outside attacks.
In a single connection to an ISP that just has a default route to the ISP and no other routing requirements, the ASA can be placed at the edge which connects to the "cloud (internet)". In this layout the ASA's function can be for VPNs, NAT and as a firewall to protect the internal network. In this layout there is no need for a router unless it's used for other services for internal use besides routing (VoIP, DHCP, etc.). LAN>ASA>Internet.
In a scenario where you are running IGPs (interior gateway protocols, e.g. EIGRP, RIP, OSPF) within your network, this is handled by a layer 3 device (layer 3 switch or router). Depending on the network it can be just a layer 3 switch (or switches) that has a static route on that device which is pointing traffic to the ASA to get to the internet. (LAN>ASA>ISP)
Hope this clarifies it a bit.
Now there's a practical application :]
So which device is allowing the "WAN party" capabilities?
Is it the 1941 Router, or is it the SonicWall?
For instance, if I wanted to have a WAN party with you, which would I need first?
For my design I was going with 3 sites across a frame relay network, all running multi-area OSPF and using DHCP for internal addresses and dynamic NAT. I just have a few questions regarding, as I said, the placement of the router and the ASA:
1. What's the best placement in your opinion for this design then?
2. Does the ASA do the NATting or the router?
3. Does the router route the traffic using OSPF etc.? (Bit confusing in what other tasks the ASA can actually be used for.)
4. Is the ASA the default gateway, with a static route to the router on the edge (if the router is on the edge for this example)?
5. If not, does the ASA have any actual address?
Bit confusing, the actual setup of an ASA; I've always just done it with a router. I have pretty much every practice down confidently now except for ASAs.
1. If it's a serial frame relay handoff you'll have to use a router first. ASAs do not support these interface types.
2. Usually you'd use the ASA, as you may have policy NAT needs etc.
3. That is one that completely depends.
4. That'd be an easy way of doing it. There are some constraints with having the ASA as the DG though.
5. Usually, yes, you'd address the ASA, but there are transparent mode options.
Really you should be designing a network to support your traffic. Pretty hard to just say what should be where without knowing the end goal. Probably the biggest issues I run into with networks. People have a network design already made up before even knowing traffic patterns etc. That's setting yourself up for failure!
We both have SonicWalls, and we use a SonicWall-to-SonicWall VPN tunnel for WAN gaming; my friend also has a VMware cluster and we use the tunnel for SRM between our clusters. I really got the 1921 because I wanted control of the ISP modem.
We basically talked it over and made a network scheme for our WAN connections that essentially makes up an OSPF area 0 core, and then the exit interfaces into our home networks are Area 10 and 20 respectively to a L3 collapsed core. We just use the SonicWall-to-SonicWall VPN tunnel as a P2P tunnel in essence; his router is a Cisco 2821.
Please, expound upon that. I have no experience with Palo Alto FWs.
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
What are the main functions I can use the ASA for then?
NAT
Policy maps
Inside and Outside zones
I know there are more features, but with me not knowing them, are there any more I should be implementing into the ASA that are paramount?
I have one more question about NAT as well: if I'm NATting the private addresses at the ASA, then how is the router going to know where to send the reply traffic to? I just can't quite wrap my head around WHY we need to NAT with the ASA (why not just NAT with the router?), how the router then understands what to do with it, and then where to send the reply traffic.
Thanks again
If you ever tried to set up an ASA out of the box, you will know the frustration you experience just trying to get network connectivity up and running. The Palo Alto just has it down on the feel and flow of setting it up. I'm a die-hard Cisco guy, and the OS of the ASAs just drives me nuts: between the commands that are like IOS but just different enough that they don't work, I'm constantly checking white papers for the proper command. The Java-based ASDM is slow and cumbersome. The Palo Alto's menus are clean and simple. Setting up DMVPN with VTI tunnels I was able to do on the first attempt. Palo Altos are made to be managed strictly by the GUI and to be user friendly. The ASA seemed to be geared to a network specialist whose job role is to only manage the ASA. We use a pair of PA7000s and PA2000s in all the branch offices. We swapped out 3000+ users from using AnyConnect to now using GlobalProtect, which just automatically connects when you open your laptop. Before, we always had to do split tunneling due to the ASAs not handling the traffic. With the PA, we just bring all the traffic back through the VPN with no impact on performance. The ASA has a 50-page guide for setting up HA, whereas Palo Alto can do the same in under 9 pages; this sums up the management for an ASA vs. a PA. If you get a chance to demo one, I definitely would. We had a Palo Alto rep come in and do the dog and pony show and we were sold after 1 hr.
I think it'd be best if you learn how to work on the ASA and its capabilities before trying to blindly add it to your topology without knowing why you "feel" you need it there.
Learn how it works in basic topologies; once you have a handle on how it should work, you can change variables and add it to a complex topology that deals with other components, and take it from there.
Wow, that's incredible. Thanks for that. Yeah, the thing with the commands being like IOS but not quite would drive me crazy, having an entirely different syntax to try to remember stuff.
SOHO Example (Using ASA 5505 and Wireless AP)
MPLS Example (Using Cisco ASA and CE Router)
Note that Switch(es) might not be a single switch, but a hierarchical Layer 2/Layer 3 topology using multiple Core/Distribution and Access switches. I recently got a new laptop, so I have not had a chance to load my custom network symbols (Cisco ASA, Wireless AP, Layer 3 Switch, Various Cisco Devices, etc...) back into Visio and had to use the ones provided by Microsoft.
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
PAN is nice, but it's also 4X more than an ASA with a FirePower setup.
So throw in that with AMP for network and end points it's hard to justify that price difference.
The ASA OS has supported BGP since about 2014, though you would probably not want to get a full internet routing table. I ran eBGP (the ASA was acting as an ISP and was the way out to the internet) between my ASA and lab equipment when I did CCNP: ROUTE. The ASA sent all of its static routes (the SSL VPN would install a static host route for each VPN session terminated on the ASA) and a default route to my lab.