Internet Edge Firewall Design

Hello Experts,

I am designing an internet edge firewall network.
Currently the customer has two Core 6500s connected to each other through a fiber link, and these switches are located in two separate rooms which are 300 m away from each other.
The customer also has two internet connections from different providers, ISP1 in Room #1 and ISP2 in Room #2. There is no BGP running.

The customer desires a high-availability design where, if the primary firewall goes down, the standby should take over. The same applies to the internet connections.
These internet connections mainly provide access to web servers from outside, S2S and SSL remote access VPN.
The web servers should be located in the DMZ.

My concern is: how do I physically connect each device to provide redundancy?
cciedreamer Asked:

Aaron Tomosky (SD-WAN Simplified) Commented:
Velocloud can do an active/active cluster, one in each room with one internet connection to each; however, this setup requires BGP.
0
cciedreamer (Author) Commented:
Thanks Aaron

The customer is not interested in BGP; I would appreciate it if you can give other suggestions.
0
Benjamin Van Ditmars (Sr Network Engineer) Commented:
With site-to-site VPN it probably won't be an issue; in most firewalls you can program 2 IP addresses, a primary and a backup.

But with the public sites, it would mean you have to set the DNS records by hand to the backup IP address.

Why doesn't the customer want to use BGP, given that this is made to solve your problem?
0

Aaron Tomosky (SD-WAN Simplified) Commented:
There are HA active/passive setups for Velocloud and pretty much all other firewalls, but they are going to require an HA Ethernet cable between the two, so your 300 m distance makes that difficult.

You could put both firewalls in closet A, but run one WAN over to closet B?
0
Benjamin Van Ditmars (Sr Network Engineer) Commented:
Multiple links on a single fibre pair is not a big issue; there are a lot of fibre multiplexers on the market: 16/24/48 x 10Gb over one pair.
0
ArneLovius Commented:
Cisco and Palo Alto would probably be my choice; they both have HA solutions. The HA connection is just an Ethernet connection, so it can go over the existing switch-switch interlink, but it needs to be on its own VLAN.

As well as the "floating" addresses that move according to HA rules, for most HA solutions, each firewall will also need a "management" address on each connected network.

You will also need to feed both ISP connections to both firewalls, again this could go over the existing switch-switch link, again on their own VLAN, but I would suggest that this traffic went over a dedicated fibre.

To have failover for websites between two ISPs, active DNS will be required that checks the availability of the host on address A and changes it to address B if A is not available.
0
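As an added example (not from any poster in this thread) of the layout ArneLovius describes, on a pair of Cisco ASAs behind the two existing 6500s: the ASA failover link and both ISP hand-offs ride the inter-room fibre trunk on dedicated VLANs, and every firewall interface carries both the floating active address and a per-unit standby address. Interface names, VLAN numbers and the RFC 5737 documentation addresses are assumptions.

```text
! Core 6500 (same on both): carry the ASA failover link and both ISP
! hand-offs across the existing inter-room link on dedicated VLANs
vlan 901
 name ASA-FAILOVER
vlan 902
 name ISP1-OUTSIDE
vlan 903
 name ISP2-OUTSIDE
interface TenGigabitEthernet1/1
 description Interlink to the 6500 in the other room
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 901-903
! ISP1 router (Room 1) and each ASA's outside-isp1 port go into access
! ports in VLAN 902; ISP2 (Room 2) and outside-isp2 ports into VLAN 903;
! each ASA's failover port goes into an access port in VLAN 901
interface GigabitEthernet2/1
 description ISP1 hand-off (Room 1)
 switchport mode access
 switchport access vlan 902
 spanning-tree portfast

! ASA in Room 1 (primary). The Room 2 unit receives the same config via
! sync and differs only in "failover lan unit secondary"
interface GigabitEthernet0/3
 description Failover link (VLAN 901 across the interlink)
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key REPLACE-WITH-SHARED-SECRET
! The active (floating) address moves on failover; the standby address is
! the per-unit address each firewall keeps on every connected network
interface GigabitEthernet0/0
 nameif outside-isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif outside-isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0 standby 10.0.0.3
monitor-interface outside-isp1
monitor-interface outside-isp2
failover
```

Verify with "show failover" on both units that the peer is seen over VLAN 901 and that the monitored outside interfaces report Normal; a failed ISP link only triggers failover when its interface is being monitored.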

Craig Beck Commented:
The problem you've got is that it will only ever be a resilient outbound solution.  If that's all you want, it's simple enough to cluster a pair of firewalls, connect the internet circuits to a L2 switch and plug each firewall in.  On the inside of the firewalls, use a FHRP if required to use as the default gateway at the 6500s.  However, that's not what you need.

For inbound service redundancy, BGP is really the only way to go.
1
cciedreamer (Author) Commented:
Thank you Sir.

I am also concerned now about how I isolate the devices (firewall, router and L2 switch) physically, since the server rooms are away from each other.
0
cciedreamer (Author) Commented:
Hi,
Any further suggestions, please?
0
ArneLovius Commented:
You seem to be asking how to physically isolate devices that are already in different rooms...
0
cciedreamer (Author) Commented:
Yes Sir, especially related to the DMZ and Outside interfaces of the ASA firewall.
0
ITguy565 Commented:
Well, on the physical level, I would make sure I had locked doors with access control mechanisms in place; that way I don't have to worry about someone walking into my closet and plugging in.
There are multiple other avenues you can take as well, depending on what level of security you are looking for.
0
cciedreamer (Author) Commented:
I didn't mean physical physical security :)
I am referring to it from a Layer 2 and Layer 3 design perspective.
0
ITguy565 Commented:
@cciedreamer,

Just checking :P I don't take anything for granted these days LOL
0
ITguy565 Commented:
For the DMZ, I would DENY all traffic to my LAN and only allow the connections from the servers on the specific ports that I needed for day-to-day operations, such as web services or mission-critical applications.

For the outside interfaces of the ASA, I would follow the same suggestion above: DENY all, selectively allow. Then create access groups based around those needs.
0
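One way to express ITguy565's "deny all, selectively allow" on the ASA, as an added example that is not from the thread: the outside interface admits only web ports to the DMZ web servers, and the DMZ may reach the inside only for DNS. The interface names (outside-isp1, dmz), the DMZ subnet 172.16.10.0/24, the inside resolver 10.0.0.53 and the public address 203.0.113.10 are assumptions; ACLs on ASA 8.3 and later reference the real (pre-NAT) server address.

```text
! DMZ web server object with its inbound static NAT on the ISP1 side
! (addresses assumed)
object network DMZ-WEB-SRV
 host 172.16.10.10
 nat (dmz,outside-isp1) static 203.0.113.10
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https

! Outside: permit only the published web ports to the DMZ servers;
! everything else is denied and logged, including any attempt at the LAN
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB-SRV object-group WEB-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside-isp1

! DMZ: the servers may use the inside DNS resolver and nothing else on the
! LAN; the explicit deny toward INSIDE-NET sits before the outbound permit
! so a compromised DMZ host cannot pivot inward even though it can reach
! the internet for updates on the same web ports
access-list DMZ-IN extended permit udp object DMZ-WEB-SRV host 10.0.0.53 eq domain
access-list DMZ-IN extended deny ip any object INSIDE-NET log
access-list DMZ-IN extended permit tcp object DMZ-WEB-SRV any object-group WEB-PORTS
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
```

Check the ordering with "show access-list DMZ-IN": the deny toward INSIDE-NET must carry a lower line number than the outbound permit, otherwise the permit matches first and the LAN is reachable from the DMZ.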
ITguy565 Commented:
For redundant connections, I agree with the statements above: use BGP as the routing protocol and then just set up HA on the two routers through which you have brought in the Internet connections in each room.

Here is a good example of how Cisco recommends you do this.

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html

and

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/23675-27.html
0
cciedreamer (Author) Commented:
Thanks.
Is it advisable to terminate Inside and DMZ on the same switch?
Since my 2 ASAs are in separate rooms, how do I extend the VLANs for the outside, DMZ and inside interfaces?
0
ITguy565 Commented:
@Craig and @Aaron are right; however, BGP is the best option here.
1
ITguy565 Commented:
@CCie,

I can only assume that you have a fiber or Ethernet connection between the two switches in the two rooms. I would advise that you run a 1Gb connection or better and utilize LACP on your switches if possible, especially if you are going to be running redundant connections from two separate routers in two separate rooms.

In a perfect world, I would use a separate switch for my DMZ, but it isn't something that is a must. You "can" utilize the DMZ and your LAN on the same switch AS LONG AS they are on separate VLANs and they are not able to talk to one another. You can always set up a static route for individual traffic and ports.
0
ArneLovius Commented:
The highest level of separation while using Ethernet is to use dedicated links and switches; if this is not possible, then VLAN trunks will have to suffice...
0
cciedreamer (Author) Commented:
Thank you, experts, for the valuable suggestions.
0