IEOC CCIE Forums

IEOC - INE's Online Community

Latest post 09-21-2016 11:40 AM by Rinko. 2 replies.
  • 09-20-2016 7:10 AM

    Dual Firewall setup

    Hi Forum.

    I want to split VPN and perimeter duties onto two firewalls. I ended up with two different designs. Do you have any pros and/or cons on these designs? With Design 2 I was thinking about splitting encrypted and unencrypted traffic onto two interfaces. Will that work out with this design?


    My VPN fw should handle Anyconnect VPN and L2L tunnels.


    Thank you.

  • 09-21-2016 7:40 AM In reply to

    Re: Dual Firewall setup

    I would use the second design, and in order to make routing less complex, I would use a single DMZ link between the VPN ASA and the Perimeter ASA. As opposed to the first design, with the second one you can better control decrypted traffic with an inbound/global ACL on the Perimeter ASA.

    Cristian Matei, CCIE #23684 (SC/R&S)
    cmatei@ine.com


    InternetworkExpert Inc.
    http://www.ine.com
    Online Community: http://www.ieoc.com
    CCIE Blog: http://blog.ine.com

  • 09-21-2016 11:40 AM In reply to

    Re: Dual Firewall setup

    If I use the second design with only one DMZ interface between the firewalls, how should my routing/NAT work in regard to AnyConnect VPN and L2L tunnels? Should I basically configure static routing from the Perimeter ASA to the VPN ASA for the specific subnets? I guess I also need same-security-traffic permit {inter-interface | intra-interface}.

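Added example (not posted by anyone in this thread): a minimal ASA configuration for the second design with a single DMZ link, covering the routing, NAT and ACL questions above. Every interface name, address and subnet is assumed for illustration: the Perimeter ASA uses 10.10.0.0/16 as inside, 192.168.100.0/29 as the DMZ link; the VPN ASA sits at 192.168.100.2 on that link with a public address 203.0.113.10, hands out 10.200.0.0/24 to AnyConnect clients, and terminates an L2L tunnel to a remote site 172.16.50.0/24. Crypto map, IKE and tunnel-group configuration is left out because it is unchanged by the dual-firewall split.

```cisco
!=== Perimeter ASA (assumed names and addresses) ===
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.248
!
! Static routes for the decrypted traffic: AnyConnect pool and the L2L remote
! subnet are reachable only through the VPN ASA's DMZ-side address.
route dmz 10.200.0.0 255.255.255.0 192.168.100.2 1
route dmz 172.16.50.0 255.255.255.0 192.168.100.2 1
!
! dmz (50) -> inside (100) is denied by default, so this inbound ACL is the
! control point for decrypted VPN traffic. Narrow it to what users really need.
access-list DMZ_IN extended permit tcp 10.200.0.0 255.255.255.0 10.10.0.0 255.255.0.0 eq 443
access-list DMZ_IN extended permit udp 10.200.0.0 255.255.255.0 host 10.10.1.10 eq domain
access-list DMZ_IN extended permit ip 172.16.50.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Identity (no-NAT) rules so inside hosts keep their real addresses toward the
! VPN ASA even if a broader dynamic NAT rule exists on this box.
object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
object network VPN_POOL
 subnet 10.200.0.0 255.255.255.0
object network L2L_REMOTE
 subnet 172.16.50.0 255.255.255.0
nat (inside,dmz) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL
nat (inside,dmz) source static INSIDE_NET INSIDE_NET destination static L2L_REMOTE L2L_REMOTE

!=== VPN ASA (assumed names and addresses) ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.2 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.10.0.0 255.255.0.0 192.168.100.1 1
!
! The two interfaces have different security levels, so inter-interface is not
! needed for outside -> inside. intra-interface is only needed if traffic must
! hairpin on outside (AnyConnect client to AnyConnect client, or client to the
! L2L site); leave it out if that is not a requirement.
same-security-traffic permit intra-interface
!
ip local pool ANYCONNECT_POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
!
! NAT exemption between the inside network and the VPN pool / remote site.
! The ASA installs a host route per connected AnyConnect client automatically,
! so no static route for the pool is required here.
object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
object network VPN_POOL
 subnet 10.200.0.0 255.255.255.0
object network L2L_REMOTE
 subnet 172.16.50.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static L2L_REMOTE L2L_REMOTE
```

One caveat worth checking: on the VPN ASA, the default `sysopt connection permit-vpn` lets decrypted traffic bypass the outside interface ACL, which is exactly why the DMZ inbound ACL on the Perimeter ASA becomes the place where decrypted flows are filtered. If you also want filtering on the VPN ASA itself, disable that bypass with `no sysopt connection permit-vpn` and add an ACL on outside, or use a vpn-filter per group policy. Verify the path with `packet-tracer input dmz tcp 10.200.0.5 1025 10.10.1.10 443` on the Perimeter ASA before cutting over.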
© 2010 Internetwork Expert, Inc. All Rights Reserved