Solved

Move from onsite firewall to hosted MPLS?

Posted on 2015-02-04
Last Modified: 2015-02-09
We're using managed firewalls at present and, to be frank, have had major issues routing between the sites for the 2 VLANs that we have.
I'm thinking of ditching this method, spending more and moving the firewalls into the cloud as a hosted service.

Can someone confirm the very basics of this and what the impact is/could be? We use VoIP and have L3 switches in each site as the local gateway.

Thanks
Question by: CHI-LTD
10 Comments
 
Assisted Solution by asavener (LVL 28, earned 1500 total points), ID: 40589344
Are you using the firewalls to protect the sites from each other?

Alternately, are the firewalls involved in routing the traffic?  If the firewall is set up as your default gateway, then it can cause problems due to asymmetric routing.  Basically, the firewall is a security device first, and a router second.  If it doesn't see the full three-way TCP handshake, it will drop traffic.

Author Comment by CHI-LTD (LVL 1), ID: 40590686
No, the firewalls are protecting the LANs from unwanted external traffic.

The firewalls are set on the L3 switch as the default gateway. Hosts internally are gatewaying through the L3 switch.

Expert Comment by asavener (LVL 28), ID: 40590985
Dunno why moving the firewalls would affect routed traffic behind them, then.

Author Comment by CHI-LTD (LVL 1), ID: 40591086
Well, there must be a way of simplifying the routing of traffic, if my supplier simply is inadequate.
We're using Cisco ASA 5505s, and I'd assume this device is capable of routing traffic to/from multiple networks and VLANs?

Accepted Solution by asavener (LVL 28, earned 1500 total points), ID: 40591520
The ASA should be an edge device, not a core device.  No inside-to-inside traffic should hit the ASA at all.

Your Layer3 switch should do all of the heavy-duty routing.

Author Comment by CHI-LTD (LVL 1), ID: 40591560
Even across a VPN?

Expert Comment by asavener (LVL 28), ID: 40591587
Since VPNs connect at the edge, yes, VPN traffic will go through the ASA. It's not exactly routing, though. It's the crypto engine on the ASA that handles the traffic.

You might try adding this command:  sysopt connection tcpmss 1300

Author Comment by CHI-LTD (LVL 1), ID: 40593671
Thanks, not sure what that command does.
In any case, they seem to have got the routing working OK between the 2 sites, but now it's not routing to the WWW...

Expert Comment by asavener (LVL 28), ID: 40594710
That command sets all TCP sessions to use a maximum segment size of 1300 (basically similar to reducing the MTU size, but only for TCP packets).  It forces the packet size down so that the encapsulation for the VPN won't cause packets to be fragmented.

Author Comment by CHI-LTD (LVL 1), ID: 40597992
Here is what the problem was:

VLAN20 to internet: VLAN20 was missing from the NAT rule; it only had the local LAN to internet.

VLAN20 to VLAN20: had gone down all the rules with 192.168.2.0 and added 192.168.200.0.

VLAN20 was missing off the site A end of the VPN.
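The following ASA configuration fragment is an added illustration, not something posted in the thread and not the supplier's actual config. It ties together the three fixes listed in the last comment (VLAN20 missing from the internet NAT rule, VLAN20 missing from the rules that referenced 192.168.2.0, and VLAN20 missing from the site A end of the VPN) and the tcpmss suggestion made earlier, using ASA 9.x object-based NAT so that both local networks are covered by one rule instead of patching each rule separately. The page only gives the two site A networks (192.168.2.0/24 and 192.168.200.0/24); the site B subnets (192.168.3.0/24 and 192.168.201.0/24), the interface names, the L3 switch address 192.168.2.254 and the crypto map name are assumptions for illustration only. The peer address, IKE policy and transform set are omitted because the thread does not give them.

```text
! Added example for the site A ASA (assumed addressing), not the thread's actual config.
! Site A networks from the thread: local LAN 192.168.2.0/24 and VLAN20 192.168.200.0/24.
object network LAN_A
 subnet 192.168.2.0 255.255.255.0
object network VLAN20_A
 subnet 192.168.200.0 255.255.255.0
object-group network SITE_A_NETS
 network-object object LAN_A
 network-object object VLAN20_A

! Site B networks: ASSUMED values, the thread does not state them.
object network LAN_B
 subnet 192.168.3.0 255.255.255.0
object network VLAN20_B
 subnet 192.168.201.0 255.255.255.0
object-group network SITE_B_NETS
 network-object object LAN_B
 network-object object VLAN20_B

! Inside-to-inside routing stays on the L3 switch (assumed 192.168.2.254); the ASA only
! needs a route back to VLAN20 so that return traffic from the VPN/internet reaches it.
route inside 192.168.200.0 255.255.255.0 192.168.2.254 1

! Section 1 (twice NAT): exempt site-to-site traffic from NAT for BOTH local networks.
nat (inside,outside) source static SITE_A_NETS SITE_A_NETS destination static SITE_B_NETS SITE_B_NETS no-proxy-arp route-lookup

! Section 3: internet PAT for BOTH local networks. The rule that broke VLAN20's internet
! access covered only the local LAN; using the object-group closes that gap.
nat (inside,outside) after-auto source dynamic SITE_A_NETS interface

! Crypto ACL: must list every local/remote pair, and site B must hold the mirror image.
! The missing VLAN20 entry at site A is the third fault from the thread.
access-list VPN_TO_B extended permit ip object-group SITE_A_NETS object-group SITE_B_NETS
crypto map OUTSIDE_MAP 10 match address VPN_TO_B
! (set peer / set ikev1 transform-set and the IKE policy are unchanged and omitted here)

! Clamp TCP MSS so IPsec encapsulation does not push packets past the path MTU and fragment them.
sysopt connection tcpmss 1300
```

To confirm the NAT and crypto ACL actually match both networks before blaming the supplier, run `show nat detail` and `show crypto ipsec sa` on each ASA and check that 192.168.200.0/24 appears in the exemption rule's hit counters and in the local/remote identity of an established SA; `packet-tracer input inside tcp 192.168.200.10 1025 192.168.201.10 80` (addresses assumed as above) walks a synthetic packet through the route lookup, NAT and VPN phases and shows which one drops it.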

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question