Cisco IPS 4360 Sensor White Paper

Firewall
August 2012 Series
The larger firewall design uses dual Internet connections for resilient access 
to the Internet. A separate pair of appliances provides remote-access VPN, 
allowing additional scalability and operational flexibility.
Figure 5 - Dual ISP topology (diagram: the Internet reached through ISP A and ISP B routers; outside switches; DMZ switches with Internet servers; Cisco ASA 5525-X with IPS; distribution layer to the internal network)
A good portion of the configuration described in this section is common to 
both the single and dual ISP designs. If a section describes configuration 
that is only used in one of the designs, this is mentioned in that section.
The configurations are for any of the one-rack-unit Cisco ASA security appliances.
Hardware applied in this design is selected based on the following 
performance values. It is important to note that Internet connection speed is not 
the only data point when considering Cisco ASA device performance. To 
choose the correct platform, you must consider traffic that traverses the 
firewall from the internal network to the DMZ as well as inter-DMZ traffic.
Table 2 - Cisco ASA family device performance

Cisco ASA family product    Real-World Firewall Throughput (EMIX)
Cisco ASA 5512-X            500 Mbps
Cisco ASA 5515-X            600 Mbps
Cisco ASA 5525-X            1 Gbps
Cisco ASA 5545-X            1.5 Gbps
Deployment Details
Configuring the Firewall
Process
The Cisco ASA can be configured from the command line or from the 
graphical user interface, Cisco Adaptive Security Device Manager (ASDM). 
Cisco ASDM is the primary method of configuration illustrated in this 
deployment guide. This process uses the command line to initially configure 
the appliance and then uses Cisco ASDM to manage the configuration.
Only the primary Cisco ASA in the high availability pair needs to be 
configured. The Configuring Firewall High Availability process will set up 
high availability and synchronize the configuration from the primary to the 
secondary device. 
Procedure 1: Configure the LAN distribution switch
The LAN distribution switch is the path to the organization’s internal network. 
A unique VLAN supports the Internet edge devices, and the routing protocol 
peers with the appliances across this network. To support future use, the 
connections from the ASAs to the inside LAN distribution switches are 
configured as trunks.
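The distribution-switch side of this design, as an added Cisco IOS example that is not taken from the guide: a dedicated Internet-edge VLAN, an SVI on which the switch peers with the ASA pair, and trunks to each ASA restricted to that VLAN. The VLAN number, addresses, interface names, routing protocol (EIGRP is assumed; the text does not name one) and key are placeholders.

```ios
! Added example, not from the guide. All numbers and names are placeholders.
! Dedicated VLAN for the Internet edge; nothing else is carried on it.
vlan 300
 name Internet-Edge
!
! SVI used for the routing-protocol adjacency with the ASA pair.
! The adjacency is authenticated so that only the ASAs can inject routes.
key chain EIGRP-KEY
 key 1
  key-string PLACEHOLDER-SECRET
!
interface Vlan300
 description Internet-edge routing peer network (placeholder addressing)
 ip address 10.255.0.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEY
!
! Trunk to the primary ASA inside interface. Only the Internet-edge VLAN
! is allowed and DTP negotiation is disabled so the link cannot be
! renegotiated to carry other VLANs.
interface GigabitEthernet1/0/1
 description ASA-primary inside (trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 300
 spanning-tree portfast trunk
!
! Identical trunk to the secondary ASA of the high availability pair.
interface GigabitEthernet1/0/2
 description ASA-secondary inside (trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 300
 spanning-tree portfast trunk
!
! Routing process: adjacencies are formed only on the Internet-edge SVI.
router eigrp 100
 network 10.255.0.0 0.0.0.255
 passive-interface default
 no passive-interface Vlan300
```

Restricting the allowed VLAN list and disabling DTP keeps a compromised or misconfigured edge device from reaching other distribution VLANs over the same trunk; the authenticated adjacency is what the ASA-side peering configuration in later procedures is expected to match.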