Cisco ASA Firewalls

rweaver313
rweaver313 used Ask the Experts™
on
I am new to an organinzation and trying to figure out why the network is configure the way it is and also troubleshoot some problems that I am experiencing.  My organization has the following network setup:

> Campus A (Main Campus) 45MB connection to Internet
> Campus B 45MB point to point connection to Campus A
> Campus C 10MB point to point connection to Campus A
> Each campus has Cisco ASA 5510 firewall provided and configured by the organization
> Each campus has a layer 2 switch provided and configured by the ISP for the point to point connections
> The Cisco firewalls at campus B & C have two firewall access rules configured, 1 incoming rule and 1 outgoing rule, both firewalls are doing EIGRP routing with 1 static route to the inside interface on the Cisco ASA firewall at campus A. Campus B & C have a Cisco 4500 layer 3 switch as the next hop after the Cisco ASA firewall.

Problems:
The network seems that the network was designed as if each campus was independent of each other and that there would be no communication with the other campuses. For example, we are only able to telnet or ping devices on the specified campus. there are vlans at each campus that are unable spand the network to the other campuses. There are domain controllers, DNS, DHCP servers at each campus because of the non-communication between campuses.
We have network monitoring software that uses SNMP but we can't see all devices across every campus. In order to see all devices, we have to install the monitioring software up on each campus. We would like to be able to monitor all devices from one location.

Questions:
Since campus A is the gateway to the Internet for Campuses B & C, do we need to have the Cisco ASA firewall in place at campus B & C? Is there any negative impact on the network if the Cisco ASA firewalls are removed from Campus B & C? What are the benefits? How can the network be configured to have all devices at all campuses communicating with each other? With and without the Cisco ASA firewalls. How do we have to configure the network to utilize SNMP and see all devices at each campus?

Any suggestions are appreciated. Thanks!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most Valuable Expert 2015

Commented:
Segmenting the network doesn't hurt but you don't say what subnet is assigned to each location.

Also, all you have to do is create peer-to-peer VPNs and that should take care of the access problem.
Having the firewalls at each site allows you to control inter-site traffic, the firewall could be in router (NAT) mode or in bridge (transparent) mode depending on the specific requirements.

You could just use the 4500 switches with ACLS for basic control, but the ASA will allow more granular control if required. It would also allow you to use a VPN connection between the sites to secure specific traffic if required.

I do not understand why you have a 4500 outside the ASA as you don't need to run a routing protocol if you just have a single point to point link out...

Direct answers to your questions

No
You lose the ability to firewall at a site level
Simpler config
Just remove the ASAs, if they are running NAT you would need to also reconfigure the 4500s
Configure the ASAs as per one of the below
1 use NAT exemptions
2 use VPN and NAT exemptions
3 use transparent mode

The best solution would depend on exactly what was required for inter-site traffic, your requirements and the ability of the team/person that manages the network and/or firewalls.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial