In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!
Infrastructural Strategy
Hello Experts,
I have a peculiar strategical workout for you brains!
It goes something like this..................
One of my client has two offices in different cities, their server is hosted in a data centre.
They have a leased line connection between the DC to the office on both locations, as such as it provides them two /30 subnets (Thus, forming a point-to-point link between the office & DC).
Office A has an ASA 5505 (Security + licence), Office B has an ASA 5510 (Base licence) and DC has a Cisco 2821Router (ISR).
Our ISP also provides a batch of public IP /29 addresses on both office locations.
office A LAN- 192.168.1.0 /24
office B LAN- 192.168.2.0 /24
DC LAN- 192.168.3.0 /24
Traffic from site A+B must go through the DC in order to see the outside world (Internet) and vice versa. What, I've done so far was to PAT the traffic from LAN A and LAN B to the DC (so both sites can access the server, which they did). However, it seemed to be extremely slow while browsing on the server and whilst, PC's in site A&B can ping the server (in DC), I was unable to ping any hosts on LAN A&B, probably because of PAT setup.
I know my approach was poor, hence I come before the experts. Please suggest a better approach to me in this current topology.
If you guys need a topology map, let me know.
Thanks,
Mail
I have a peculiar strategical workout for you brains!
It goes something like this..................
One of my client has two offices in different cities, their server is hosted in a data centre.
They have a leased line connection between the DC to the office on both locations, as such as it provides them two /30 subnets (Thus, forming a point-to-point link between the office & DC).
Office A has an ASA 5505 (Security + licence), Office B has an ASA 5510 (Base licence) and DC has a Cisco 2821Router (ISR).
Our ISP also provides a batch of public IP /29 addresses on both office locations.
office A LAN- 192.168.1.0 /24
office B LAN- 192.168.2.0 /24
DC LAN- 192.168.3.0 /24
Traffic from site A+B must go through the DC in order to see the outside world (Internet) and vice versa. What, I've done so far was to PAT the traffic from LAN A and LAN B to the DC (so both sites can access the server, which they did). However, it seemed to be extremely slow while browsing on the server and whilst, PC's in site A&B can ping the server (in DC), I was unable to ping any hosts on LAN A&B, probably because of PAT setup.
I know my approach was poor, hence I come before the experts. Please suggest a better approach to me in this current topology.
If you guys need a topology map, let me know.
Thanks,
Asked:
14-
8
5
2 Solutions
I don't think you need to be using PAT at all, you should be able to use your Cisco equipment to create IPSec tunnels to encrypt the traffic over your leased lines.
You can create tunnels between A and DC, B and DC, and if A and B need to talk to each other between me as well.
You can create tunnels between A and DC, B and DC, and if A and B need to talk to each other between me as well.
Since sites A and B are internal to your network (connected via P2P circuits back to your DC) there is no need for Firewalls at the sites. Site A and B should be connecting via a Cisco router back to the internal P2P router at your DC (Data Center). Internet traffic should then be passed up through you DC switch to your Internet Firewall (i.e. Cisco ASA Firewall). Which then can be passed to an Internet based router.
If prefer to use your firewall devices for routing between the sites then you I would recommend not using PAT or NAT for this network architecture. Use the firewall in a strict routing capacity. Note your inter-domain traffic will be inherentantly slower due to the firewalls ACL filtering process and even slower if encryption is involved. You would have strip out all the ACL and have a couple that completely open up all traffic between your sites and the DC. Basically defeating the purpose of having a firewall. With a router you still have the ability to use ACLs if necessary, but your traffic will flow more efficiently; plus it would be easier to manage in this capacity.
If prefer to use your firewall devices for routing between the sites then you I would recommend not using PAT or NAT for this network architecture. Use the firewall in a strict routing capacity. Note your inter-domain traffic will be inherentantly slower due to the firewalls ACL filtering process and even slower if encryption is involved. You would have strip out all the ACL and have a couple that completely open up all traffic between your sites and the DC. Basically defeating the purpose of having a firewall. With a router you still have the ability to use ACLs if necessary, but your traffic will flow more efficiently; plus it would be easier to manage in this capacity.
Routers would be better than firewalls for this purpose, but they should work. Minimal, or no, ACLs(except allow all) will be needed.
You should still set up encryption (IPSec) over your P2P links. This traffic can still be captured.
You should still set up encryption (IPSec) over your P2P links. This traffic can still be captured.
Why would you recommend encryption over a P2P? These circuits are internal dedicated and are not exposed to the Internet. Adding encryption would impede traffic flow. So, unless there's a dire need to encrypt traffic don't add the the over head of IPsec. VPN is only intended for traffic transversing over the Internet. Encryption can effectively reduce the performance of an appliance by as much as 60% depending on the hardware and dedicated ASIC for encrypting and decrypting traffic. If for whatever reason encryption is required then the Cisco ASA will perform better than a Cisco 2800 series router.
http://www.hacom.net/kb/ipsec-performance-cisco-asa-5510-measured-iperf
http://www.hacom.net/kb/ipsec-performance-cisco-asa-5510-measured-iperf
Hi guys,
I couldn't agree more with both of you that routers will be more purpose specific in my situation. However, client is on a very tight budget and can't get him to spend any more.
@awaggoner
@gsmartin
I've tried striping all the ACLs and only left allow 'all incoming IP traffic from outside' and 'outgoing traffic form inside -out' in place. Hence, reducing the functionality of the firewall to make it more of a router.
On the note of agreeing with both of you in ACL reduction (which I've already done) would it be better if I were to configure a dynamic routing protocol on the ASA's ? or using static routes form LAN A, LAN B to LAN DC.
I couldn't agree more with both of you that routers will be more purpose specific in my situation. However, client is on a very tight budget and can't get him to spend any more.
@awaggoner
1.
DC was intended to signify data centre, however domain controller can also be true due to the fact that it sits in data centre.2.
Site-to-site VPN came to my mind immediately when this project was assigned to me, but given that these are P2P lines, I ruled it out as I thought added encryption will negatively effect the performance.@gsmartin
I've tried striping all the ACLs and only left allow 'all incoming IP traffic from outside' and 'outgoing traffic form inside -out' in place. Hence, reducing the functionality of the firewall to make it more of a router.
On the note of agreeing with both of you in ACL reduction (which I've already done) would it be better if I were to configure a dynamic routing protocol on the ASA's ? or using static routes form LAN A, LAN B to LAN DC.
Now allow me to clarify something that I mistakenly mis referenced, the Cisco ASA firewalls will out perform a Cisco router, but are an over kill for this architecture. The performance capabilities will have no benefit over standard P2P lines. Cisco ASA have the processing power that can handle sizable traffic. However, their marketing material over states their actual performance as indicated in the referenced in the ASA iPerf article. It would be best to repurpose them for a more appropriate use.
Typical network design would have a router at each location for internal traffic routing needs with (no encryption).
Typical network design would have a router at each location for internal traffic routing needs with (no encryption).
It's a simple architecture where you can easily get by with static routes, but EIGRP is preferred form a dynamic routing perspective.
Fyi... In my network architectures I only use site-to-site VPNs as a last resort or for temporary purposes. Primarily, because I lean toward centralizing as much of the network resources as possible. To simplify management, troubleshooting, better scalability, and overall hardware costs. Environments with Public MPLS or P2P VPN at each location require multiple costly security devices to manage traffic at each location and adds significant addtiinal costs when scaling the network.
On the ASA itself (let say....Office A) when I provide a default rule such as,
route outside 0.0.0.0 0.0.0.0 1.1.1.2
(where 1.1.1.1 is office A and 1.1.1.2 is DC) it knows how to reach the LAN DC, however for some reason 2821 in DC dosen't seem to know about LAN A.
Even though I've provided the static route on the router, such as
ip route 192.168.1.0 255.255.255.0 1.1.1.2 (I've even tried the interface)
And I don't think that any ACL on the ASA is blocking that traffic (beacause it will allow any IP traffic to pass).
That was the reason I configured PAT in first place, as I was unable to come up with a different strategy.
route outside 0.0.0.0 0.0.0.0 1.1.1.2
(where 1.1.1.1 is office A and 1.1.1.2 is DC) it knows how to reach the LAN DC, however for some reason 2821 in DC dosen't seem to know about LAN A.
Even though I've provided the static route on the router, such as
ip route 192.168.1.0 255.255.255.0 1.1.1.2 (I've even tried the interface)
And I don't think that any ACL on the ASA is blocking that traffic (beacause it will allow any IP traffic to pass).
That was the reason I configured PAT in first place, as I was unable to come up with a different strategy.
So, back to the topic. Your objective should be to turn your firewalls into basic routers with no encryption, no NAT or PAT, and with basic routing either static or dynamic. Dynamic is better if the company plans to expand an add additional sites in the future.
Since you are using an ASA firewall you need to make sure you are allowing all traffic in from the DC to the respective office. Then allow internal office traffic out to the DC. You will need an ACL for each direction (In to Outside and Outside to In) with the appropriate networks.
My first question is why is there public IP addresses on a private P2P circuit?
This is due to the fact that the ISP in place has provided us with this circuit. Also, these offices are in different part of the country.
PS: I've enclosed a sanitised Topology diagram for better understandability.
Untitled.jpg
You will need an ACL for each direction (In to Outside and Outside to In) with the appropriate networks.
I take it this is on the ASA's rather that the router?
Also, wouldn't any any server the same purpose?
Cheers
Here's a Cisco document on configuring IP routing on the ASA. This provides you with a more in-depth understanding on how the ASA functions in this capacity.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html
Correct on the ASA.
Any to Any is only mapping from source to destination. So you will need to it both directions.
Any to Any is only mapping from source to destination. So you will need to it both directions.
Just because it is a dedicated circuit does not mean it is secure. Just do a search for MPLS vulnerabilities.
http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/136523-7407820
http://www.tmplab.org/wiki/images/e/ef/MPLS_Security_Overview.pdf
http://www.blueridgenetworks.com/securitynowblog/retail-mpls-data-networks-at-risk
Point to point connections rely on traffic separation, not security
http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/136523-7407820
http://www.tmplab.org/wiki/images/e/ef/MPLS_Security_Overview.pdf
http://www.blueridgenetworks.com/securitynowblog/retail-mpls-data-networks-at-risk
Point to point connections rely on traffic separation, not security
@awaggoner
I've read all the references that you've posted and they seem quite sensible. I'll go and email the ISP to find out the nature of these p2p links in place, I firmly believe they are MPLS but i could be wrong.
Will let you guys know :)
I've read all the references that you've posted and they seem quite sensible. I'll go and email the ISP to find out the nature of these p2p links in place, I firmly believe they are MPLS but i could be wrong.
Will let you guys know :)
If your circuits are not P2P and are in fact MPLS then you will need to take different approach. One thing I was curious about before is that had your sites going to public IP as your default gateway, which indicates to me it could be an MPLS circuit. If so, then you will definitely need to secure them with your ASAs and create site-to-site VPN tunnels. Confirm the circuits at all sites to ensure we are approaching this correctly.
Agreed! With an MPLS Internet circuit you will need to protect each network using the ASA firewalls and then create your site-to-site VPN tunnels.
For this configuration you do not want to use ANY to ANY rules. Make sure to secure your network traffic based on your needs and traffic patterns. Also, make sure you are NAT'ing your traffic. Generally, you want to block all traffic and then allow only specific service ports and networks to pass through in your ACL configuration. Also, define your static routes based on your traffic patterns.
Sounds good
The only question that remains is, referring to earlier posted topology diagram.
On site A and B, we have a batch of public IPs /29 subnet. On site A I do have a couple of web servers which will require public IPs, now correct me if I'm wrong when I build a IPsec tunnel between site A and DC, only LAN A's traffic will be passed to LAN DC.
How can I pass the traffic from these public IP addresses to the DC??
Is GRE tunnel an answer ? Is it even possible with ASA 5510?
The only question that remains is, referring to earlier posted topology diagram.
On site A and B, we have a batch of public IPs /29 subnet. On site A I do have a couple of web servers which will require public IPs, now correct me if I'm wrong when I build a IPsec tunnel between site A and DC, only LAN A's traffic will be passed to LAN DC.
How can I pass the traffic from these public IP addresses to the DC??
Is GRE tunnel an answer ? Is it even possible with ASA 5510?
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
In this forum, DC usually stands for Domain Controller