move from onsite firewall to hosted mpls?

were using managed firewalls at present, and to be frank, had major issues routing between the site for the 2x vlans that we have.
im thinking of ditching this method, spending more and moving the firewalls in the cloud as a hosted service.

can someone confirm the very basics of this and what the impact is/could be?  we use voip and have L3 switches in each site as the local gateway.

thanks
LVL 1
CHI-LTDAsked:
Who is Participating?
 
asavenerConnect With a Mentor Commented:
The ASA should be an edge device, not a core device.  No inside-to-inside traffic should hit the ASA at all.

Your Layer3 switch should do all of the heavy-duty routing.
0
 
asavenerConnect With a Mentor Commented:
Are you using the firewalls to protect the sites from each other?

Alternately, are the firewalls involved in routing the traffic?  If the firewall is set up as your default gateway, then it can cause problems due to asymmetric routing.  Basically, the firewall is a security device first, and a router second.  If it doesn't see the full three-way TCP handshake, it will drop traffic.
0
 
CHI-LTDAuthor Commented:
no the firewalls are protecting the LANs from unwanted external traffic.

the firewalls are set on the l3 switch as the default gateway.  hosts internally are gatewaying through the l3 switch.
0
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

 
asavenerCommented:
Dunno why moving the firewalls would affect routed traffic behind them, then.
0
 
CHI-LTDAuthor Commented:
well there must be a way of simplifying the routing of traffic, if my supplier simply is inadequate.
were using cisco asa 5505s and id assume this device is capable of routing traffic from-to multiple networks and vlans?
0
 
CHI-LTDAuthor Commented:
even across a vpn?
0
 
asavenerCommented:
Since VPNs connect at the edge, then yes VPN traffic will go through the ASA.  It's not exactly routing, though.  It's the crypto engine on the ASA that handles the traffic.

You might try adding this command:  sysopt connection tcpmss 1300
0
 
CHI-LTDAuthor Commented:
thanks, not sure what that command does.
in any case they seem to have got the routing working ok between the 2 sites, but now not routing to the www...
0
 
asavenerCommented:
That command sets all TCP sessions to use a maximum segment size of 1300 (basically similar to reducing the MTU size, but only for TCP packets).  It forces the packet size down so that the encapsulation for the VPN won't cause packets to be fragmented.
0
 
CHI-LTDAuthor Commented:
here is what the problem was:

 VLAN20 to internet: missing VLAN20 on nat rule , it only had local lan to internet.

VLAN20 to VLAN20 - had gone down all rules with 192.168.2.0 and added
192.168.200.0

VLAN20 was missing off site a end of the VPN.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.