NGFWv & ASAv in Public Cloud (AWS & Azure)


NGFWv & ASAv in Public Cloud (AWS & Azure)
Anubhav Swami, CCIE# 21208, Technical Marketing Engineer

Your Speaker: Anubhav Swami, answami@cisco.com, Technical Marketing Engineer
- 5 years in Cisco TAC
- 2 years in the ASA BU
- 2 years in Technical Marketing
- 14+ years in networking
- YouTube channel: http://cs.co/publiccloudsecurity
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Cisco Spark: Questions? Use Cisco Spark to communicate with the speaker after the session.
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017. cs.co/ciscolivebot#

Spark Room Managers: Goran Saradzic, Manager, Technical Marketing; David Abercrombie, Sr. Manager, Product Management

Related Cisco Live Las Vegas 2017 Sessions
- BRKSEC-3035 Firepower Platform Deep Dive
- BRKSEC-2050 Firepower NGFW Edge Deployment Scenarios
- BRKACI-3004 Deep Dive on Cisco Security in ACI (NGFW, ASA and NGIPS)
- BRKSEC-3032 NGFW Clustering Deep Dive
- BRKARC-2749 Extending Enterprise Network into Public Cloud with Cisco CSR1000v

Agenda
- Introduction to security in public cloud
- NGFWv/FTDv & ASAv in Azure
- Demo (N/S, E/W traffic inspection & micro segmentation)
- NGFWv/FTDv and ASAv in AWS
- Demo (stateless scale-out)
- Conclusion

Challenges for IT
- Applications: on-premise or cloud? Build, buy or rent?
- Agility: provision infrastructure at application development time
- Risk mitigation: security, compliance, sovereignty

Cloud Terminology (for your reference)
Azure: Resource Group (RG), Virtual Network (VNET), Subnet, User Defined Routes (UDR), Load Balancer, Availability Set, Azure Resource Manager (ARM) template
AWS: Virtual Private Cloud (VPC), Route Table and Subnet, Elastic Compute Cloud (EC2), Elastic Load Balancer (ELB), Elastic IP, Availability Zone (AZ)

NGFWv & ASAv Overview

Native security in Azure and AWS
Azure Network Security Group (NSG) and AWS Security Group (SG):
- Similar to an access control list: Layer 3/Layer 4 rules that control inbound and outbound traffic
- Both are stateful filters. An NSG rule can allow or deny; an AWS SG only allows (explicit deny in AWS is done with stateless network ACLs on the subnet)
Security today requires functions that these L3/L4 filters do not provide: stateful packet inspection with application visibility and control, threat-centric protection, URL filtering, advanced malware protection and Virtual Private Network (VPN).

Next Generation Firewall (NGFWv) Features (Public Cloud), Next Generation Firewall 6.2
- Routed & passive modes (passive in AWS only), ACL, application inspection and S2S VPN
- Comprehensive threat prevention, Layer 7 application visibility and control
- Security intelligence (C&C, botnets, IP, DNS), threat/risk reports
- Networking, firewalling and NAT
- URL filtering, malware blocking, continuous file analysis, malware network trajectory
- Cisco AMP public and private cloud with Threat Grid integration
Management tool: Firepower Management Center (FMC)

Firepower Management Center (FMC), Next Generation Firewall 6.2
- FMC 1000, 2500, 4500 appliances or the virtual appliance
- FMC is required for managing FTDv/NGFWv: configuration, management and checking events
- Virtual FMC can be deployed on ESXi, KVM and in AWS
- NGFWv in the cloud can be managed by an FMC in AWS or an FMC on premise (physical or virtual)
- The FMC dashboard provides complete visibility

Deployment modes: NGFWv and FTDv
- Firepower Threat Defense Virtual on hypervisors (ESXi and KVM): Routed, Transparent, Inline, Inline Tap, Passive
- Next Generation Firewall Virtual in public cloud: Routed (AWS and Azure), Passive (AWS)
No support for passive mode in Azure because ERSPAN is not supported.

ASAv Firewall Features (Public Cloud), ASA 9.7
- Firewall functionality: NAT, ACL and packet inspection
- VPN capability: LAN-to-LAN, RA VPN (AnyConnect) and clientless VPN
- REST API for programmatic configuration and monitoring
- AAA with local, RADIUS, TACACS+ and LDAP support
- Route-based VPN (VTI)
Management tools: ASDM, CSM, API or Cisco Defense Orchestrator

Orchestrate configuration using Cisco Defense Orchestrator (CDO)
- ASA configuration orchestration
- CDO is licensed per device
- Cloud-based solution
- Easy to integrate

Performance Numbers

NGFWv & ASAv Performance Numbers
AWS (instance, instance type, throughput, interfaces, VPN endpoints):
- NGFWv: c3.xlarge, 1 Gbps, 2 + 2* interfaces, S2S VPN
- ASAv10: c3.large / c4.large, 1 Gbps, 2 + 1* interfaces, 250 VPN endpoints
- ASAv30: c3.xlarge / c4.xlarge, 2 Gbps, 3 + 1* interfaces, 750 VPN endpoints
Azure (instance, instance type, throughput, interfaces, VPN endpoints):
- NGFWv: Standard D3 / D3v2, 1 Gbps, 2 + 2* interfaces, S2S VPN
- ASAv10: Standard D3 / D3v2, 1 Gbps, 3 + 1* interfaces, 750 VPN endpoints
* Management interface

NGFWv & ASAv in Azure

NGFWv in Azure
- Deploy in routed mode: launch a supported instance from the Azure Marketplace
- Edge firewall and S2S VPN, AVC, threat-centric protection, URL and AMP capabilities
- North/South & East/West traffic inspection
- Supports the Cisco Smart BYOL model
Supported machine size: Standard D3 & D3v2; 4 interfaces (subnets); NGFW platform: NGFWv; 4 vCPUs; 14 GB RAM

ASAv in Azure
- Deploy in routed mode: launch a supported instance from the Azure Marketplace
- Deploy at the edge to provide RA VPN, site-to-site VPN and edge firewall capabilities
- North/South and East/West traffic control capability
- Supports the Cisco Smart BYOL model
Supported machine size: Standard D3 & D3v2; 4 interfaces (subnets); platform: ASAv10; 4 vCPUs; 14 GB RAM

Deployment modes

NGFWv in Azure, Routed Mode (diagram): NGFWv in the VNET with a Management interface and two data interfaces (eth2, eth3) for Internal and External; workloads sit behind the Internal interface; an on-premise FMC manages the NGFWv over the management interface.

ASAv in Azure, Routed Mode (diagram): ASAv in the VNET with Mgmt/Outside, Inside, dmz1 and dmz2 interfaces; workloads sit on the Inside, dmz1 and dmz2 subnets.

Use Cases (NGFWv & ASAv)

Use Cases - Azure
- North/South, East/West traffic inspection
- Micro segmentation
- Multiple IPs on an interface
- VNET peering
- Site-to-site VPN and remote access VPN
- Inter-subnet communication
- Edge firewall
- Service chain

N/S, E/W traffic filtering & Micro Segmentation (NGFWv, diagram)
VNET with WEB, APP and DB subnets, each with its own route table (WEB-RT, APP-RT, DB-RT); the NGFWv has Internal and External interfaces (the internal subnet carries INT-RT) and Management0/0 is reachable by the FMC.
- WEB-RT: APP -> NGFWv internal, DB -> NGFWv internal
- APP-RT: WEB -> NGFWv internal, DB -> NGFWv internal
- DB-RT: WEB -> NGFWv internal, APP -> NGFWv internal
- Routes on the NGFWv: WEB, APP, DB -> x.x.x.1 (first IP of the internal subnet); 0.0.0.0/0 -> y.y.y.1 (first IP of the external subnet)
The highlighted routes (the spoke-to-spoke entries) are required for micro segmentation: without them Azure's system route for the VNET address space delivers traffic between subnets directly and the firewall never sees it. For North/South inspection the spoke route tables also send the default route to the NGFWv internal interface.

N/S, E/W traffic filtering & Micro Segmentation (ASAv, diagram)
VNET with WEB, APP and DB subnets (WEB-RT, APP-RT, DB-RT) and an ASAv with Inside, Outside, dmz1, dmz2 and Mgmt0/0 interfaces; the ASAv's inside subnet carries INT-RT.
- WEB-RT: APP -> ASAv inside, DB -> ASAv inside
- APP-RT: WEB -> ASAv inside, DB -> ASAv inside
- DB-RT: WEB -> ASAv inside, APP -> ASAv inside
- Routes on the ASAv: WEB, APP, DB -> x.x.x.1 (first IP of the internal subnet); 0.0.0.0/0 -> y.y.y.1 (first IP of the external subnet)
The highlighted routes (the spoke-to-spoke entries) are required for micro segmentation; without them Azure's system route delivers intra-VNET traffic directly, bypassing the ASAv.
East/West traffic enters and leaves the ASAv on the same inside interface (hairpinning), so the command "same-security-traffic permit intra-interface" is required on the ASAv.

NGFWv / ASAv: Multiple IPs on Interface (diagram)
The firewall's external interface on the External subnet 10.90.2.0/24 carries several IPs, 10.90.2.4, 10.90.2.5 and 10.90.2.6, each mapped by Azure to its own public IP (translation from public to private IP happens at the Azure edge). The firewall translates each of them one-to-one to a web server on the WEB subnet:
- Real IP 10.90.4.4 -> Mapped IP 10.90.2.4
- Real IP 10.90.4.5 -> Mapped IP 10.90.2.5
- Real IP 10.90.4.6 -> Mapped IP 10.90.2.6
WEB-RT: APP -> firewall internal interface (Internal subnet 10.90.3.0/24), DB -> firewall internal interface.

NAT configuration example (shown as a screenshot on the slide): the NAT configuration above is a one-to-one static translation. NAT on its own permits nothing; you still need an access control policy rule that allows the translated traffic.

NGFWv: interconnect VNETs (site-to-site VPN tunnel, diagram)
Two VNETs, each with an NGFWv (Internal and External interfaces, managed by FMC), joined by a site-to-site VPN tunnel between the external interfaces.
- Internal-RT in each VNET: vnet2..vnetN -> NGFWv (internal)
- External-RT in each VNET: 0.0.0.0/0 -> x.x.x.1 (first IP of the external subnet)

ASAv: interconnect VNETs (site-to-site VPN tunnel, diagram)
Two VNETs, each with an ASAv (Inside, Outside, dmz1 and dmz2 interfaces), joined by a site-to-site VPN tunnel between the Outside interfaces.
- Internal-RT in each VNET: vnet2..vnetN -> ASAv (internal)
- External-RT in each VNET: 0.0.0.0/0 -> x.x.x.1 (first IP of the external subnet)

NGFWv: Site to Site VPN (diagram)
NGFWv with Internal and External interfaces and Management0/0 to the FMC; site-to-site VPN tunnel from the External interface to the corporate data centre.
- Internal-RT: Corporate DC -> NGFWv (internal)
Use cases: Network Address Translation (NAT), site-to-site tunnel, access control policy, IPS policy and AMP policy, networking, firewalling and AVC.

NGFWv: Inter Subnet and Edge Firewall (diagram)
WEB and DB subnets behind the NGFWv; users reach WEB through the NGFWv-Edge.
- WEB-RT: DB -> NGFWv (internal); default -> NGFWv-Edge (inside)
- DB-RT: WEB -> NGFWv (internal)
Use cases: Network Address Translation (NAT), access control policy, IPS policy and AMP policy, networking, firewalling and AVC.

Cisco ASAv Edge Firewall, RA VPN & Site to Site VPN (diagram)
ASAv with Inside, Outside, dmz1 and dmz2 interfaces; the site-to-site VPN tunnel to the corporate data centre and remote access VPN users both terminate on Outside; workloads sit on Inside, dmz1 and dmz2.
- Internal-RT: RA VPN users/pool -> ASAv (internal); Corporate DC -> ASAv (internal)
- dmz1 and dmz2 RT: Corporate DC -> ASAv (internal); RA VPN pool -> ASAv (internal)

ASAv: Inter Subnet and Service Chain (diagram): ASAv (Inside, Outside, dmz1, dmz2) chained with a CSRv that runs DMVPN to the ASR in the corporate data centre, plus other security services; workloads sit on the inside and DMZ subnets of the VNET.

ASAv HA in Azure

ASAv HA in Azure: Overview
- Integrated solution: no external scripts or agents
- Stateless switchover: existing connections must be re-initiated
- Fast switchover: from detection to recovery in seconds
- Management: the ASAvs are managed separately (configuration, control, monitoring); there is no configuration sync between active and backup
HA in Azure is coming out in July 2017.

ARM Template Deployment (NGFWv and ASAv)

Deploy NGFWv/ASAv using an ARM template
- Add NGFWv/ASAv to an existing resource group
- Publish the template to customers, partners and vendors
- Deploy the firewall with additional parameters (example: Availability Set)
- Multiple device deployment
An ARM template is a JSON file.

Pre-requisites for template deployment
The following must exist before initiating a firewall deployment with the ARM template: Resource Group, Availability Set, VNET, Subnets, Storage Account, and no conflicting resource names.
ARM Template: http://cs.co/armtemplate

Stateless scale-out design (NGFWv & ASAv)

Scale out design (diagram)
An Azure External Load Balancer (public IP) distributes user traffic across firewalls in an Availability Set (Inside, dmz1, dmz2 and mgmt interfaces); an Azure Internal Load Balancer sits behind the firewalls in front of the workloads.
NAT on each firewall: Source -> translated source = egress interface; Destination = load balancer address -> translated destination = internal load balancer address.
Because the source is translated to the firewall's own egress interface, return traffic comes back to the same firewall that saw the incoming packet, which is what makes the stateless scale-out work without any state sharing between firewalls.

ASA NAT configuration example (for your reference)
Twice NAT on the ASA: a connection arriving on management (the load-balanced side) for the interface address on TCP/80 or TCP/8080 is sent to the real server, and its source is PATed to the inside interface so the return traffic comes back through this ASA.
 object service obj-http
  service tcp destination eq www
 object network obj-10.41.1.6
  host 10.41.1.6
 object network obj-10.41.1.7
  host 10.41.1.7
 object service obj-8080
  service tcp destination eq 8080
 ! dest = management interface IP:80 -> 10.41.1.6:80, source PATed to inside interface
 nat (management,inside) source dynamic any interface destination static interface obj-10.41.1.6 service obj-http obj-http
 ! dest = management interface IP:8080 -> 10.41.1.7:8080, source PATed to inside interface
 nat (management,inside) source dynamic any interface destination static interface obj-10.41.1.7 service obj-8080 obj-8080

Scale out design (diagram, continued)
Same layout: Azure External Load Balancer (public IP) in front of the firewalls in an Availability Set, Azure Internal Load Balancer behind them; source translated to the egress interface, destination (load balancer address) translated to the internal load balancer address, so incoming and return traffic use the same firewall.
A PowerShell script is required to make the Azure Load Balancer send traffic to the firewall's eth2 interface instead of the first NIC.

Scale out design (contd.): PowerShell script to change the behaviour of the Azure Load Balancer
The script moves the load balancer backend pool membership from the first NIC of each firewall to its third NIC (eth2, the data interface), which is what the slide above refers to as sending traffic to eth2. Resource names are from the presenter's lab.
 Login-AzureRmAccount
 Select-AzureRmSubscription -SubscriptionId "xxxxxxx"
 $RG = Get-AzureRmResourceGroup -Name "answami-ngfw" -Location "westcentralus"
 # The external load balancer and its backend pool
 $NRPLB = Get-AzureRmLoadBalancer -ResourceGroupName "answami-ngfw" -Name "answami-ngfwelb"
 $beaddresspool = Get-AzureRmLoadBalancerBackendAddressPoolConfig -Name "ngfwpool" -LoadBalancer $NRPLB
 # Put the third NIC (eth2) of each firewall into the backend pool
 $nic1 = Get-AzureRmNetworkInterface -Name "answami-ngfw001-nic2" -ResourceGroupName "answami-ngfw"
 $nic1.IpConfigurations[0].LoadBalancerBackendAddressPools = $beaddresspool
 Set-AzureRmNetworkInterface -NetworkInterface $nic1
 $nic2 = Get-AzureRmNetworkInterface -Name "answami-ngfw002-nic2" -ResourceGroupName "answami-ngfw"
 $nic2.IpConfigurations[0].LoadBalancerBackendAddressPools = $beaddresspool
 Set-AzureRmNetworkInterface -NetworkInterface $nic2
 # Commit the load balancer object
 $NRPLB | Set-AzureRmLoadBalancer

Demo N/S, E/W traffic inspection & Micro Segmentation in Azure

N/S, E/W traffic filtering & Micro Segmentation (demo topology)
VNET subnets: WEB 10.90.4.0/24 (server 10.90.4.4), APP 10.90.5.0/24 (server 10.90.5.4), DB 10.90.6.0/24 (server 10.90.6.4), Internal 10.90.3.0/24 and External 10.90.2.0/24. The NGFWv has 10.90.3.4 on its Internal interface and 10.90.2.4 on its External interface; Management0/0 is reachable by the FMC.
- WEB-RT: APP -> 10.90.3.4 (NGFWv internal), DB -> 10.90.3.4
- APP-RT: WEB -> 10.90.3.4, DB -> 10.90.3.4
- DB-RT: APP -> 10.90.3.4, WEB -> 10.90.3.4
- INT-RT (Internal subnet): WEB, APP, DB delivered directly within the VNET
- Routes on the NGFWv: WEB, APP, DB -> 10.90.3.1 (first IP of the Internal subnet); 0.0.0.0/0 -> 10.90.2.1 (first IP of the External subnet)
The highlighted routes (spoke-to-spoke entries) are required for micro segmentation.
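The route tables on the micro-segmentation slides (and the demo addressing above) depend on one Azure rule: the effective route for a packet is the longest-prefix match across the subnet's system routes and its user-defined routes, and a UDR beats a system route of the same length. The script below is an added example, not part of the Cisco Live deck, that models that selection for the demo values (WEB 10.90.4.0/24, APP 10.90.5.0/24, DB 10.90.6.0/24, NGFWv internal 10.90.3.4) and checks which flows would bypass the firewall. It assumes a VNET address space of 10.90.0.0/16 (not stated on the slide) and considers only the VirtualNetwork and Internet system routes; the .4 hosts and 8.8.8.8 are constructed test destinations.

```python
"""Azure route selection for the NGFWv micro-segmentation design.

Added example (not from the deck). Assumed: VNET address space 10.90.0.0/16;
other Azure system routes (peering, virtual network gateway) are ignored.
"""
from ipaddress import ip_address, ip_network

VNET = ip_network("10.90.0.0/16")      # assumed VNET address space
NGFWV_INTERNAL = "10.90.3.4"           # NGFWv internal interface IP (demo slide)
SUBNETS = {                            # spoke subnets from the demo slide
    "WEB": ip_network("10.90.4.0/24"),
    "APP": ip_network("10.90.5.0/24"),
    "DB":  ip_network("10.90.6.0/24"),
}
# System routes Azure installs in every subnet: intra-VNET traffic is
# delivered directly, everything else goes out to the Internet.
SYSTEM_ROUTES = [(VNET, "VirtualNetwork"), (ip_network("0.0.0.0/0"), "Internet")]
UDR_PRIORITY, SYSTEM_PRIORITY = 1, 2   # lower value wins on equal prefix length


def effective_next_hop(udr, dst):
    """Next hop Azure picks for `dst` from a subnet whose UDR is `udr`
    (a list of (prefix, next_hop)). Longest prefix wins; on a tie a
    user-defined route beats a system route."""
    dst = ip_address(str(dst))
    candidates = [(p, h, UDR_PRIORITY) for p, h in udr] + \
                 [(p, h, SYSTEM_PRIORITY) for p, h in SYSTEM_ROUTES]
    best = max(((p.prefixlen, -prio, h) for p, h, prio in candidates if dst in p),
               default=None)
    return best[2] if best else None


def spoke_udr(name):
    """Route table for spoke `name` as on the slide: each other spoke /24
    (the highlighted routes) and the default route point at the NGFWv."""
    routes = [(p, NGFWV_INTERNAL) for n, p in SUBNETS.items() if n != name]
    routes.append((ip_network("0.0.0.0/0"), NGFWV_INTERNAL))
    return routes


def default_only_udr():
    """The mistake the slide warns about: a default route to the firewall
    but none of the spoke-to-spoke entries."""
    return [(ip_network("0.0.0.0/0"), NGFWV_INTERNAL)]


def find_bypasses(udrs):
    """Return (src, dst) pairs whose traffic would NOT traverse the NGFWv.
    `udrs` maps spoke name -> UDR. Probes the .4 host of every other spoke
    and 8.8.8.8 as an Internet destination (constructed test addresses)."""
    bypasses = []
    for src, udr in udrs.items():
        for dst_name, prefix in SUBNETS.items():
            if dst_name != src and effective_next_hop(udr, prefix[4]) != NGFWV_INTERNAL:
                bypasses.append((src, dst_name))
        if effective_next_hop(udr, "8.8.8.8") != NGFWV_INTERNAL:
            bypasses.append((src, "Internet"))
    return bypasses


if __name__ == "__main__":
    good = {n: spoke_udr(n) for n in SUBNETS}
    bad = dict(good, WEB=default_only_udr())
    print("all highlighted routes present, bypasses:", find_bypasses(good))
    print("WEB with default route only, bypasses:", find_bypasses(bad))
```

With only a default route on WEB-RT, the 10.90.0.0/16 VirtualNetwork system route is the longest match for APP and DB addresses and wins, so WEB-to-APP and WEB-to-DB traffic never reaches the firewall; only Internet-bound traffic does. Two things the model leaves out but the deployment needs: IP forwarding must be enabled on the NGFWv's internal NIC, otherwise Azure drops packets not addressed to that NIC, and the route table on the firewall's own internal subnet (INT-RT) must deliver the spoke prefixes directly rather than back to 10.90.3.4.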

NGFWv & ASAv in Amazon Web Services (AWS)

NGFWv in AWS
- Deploy NGFWv & FMCv in AWS: NGFWv and FMCv AMIs are available in the AWS Marketplace
- NGFWv supports routed & passive mode
- Provides networking, firewalling, threat-centric protection, URL filtering & AMP capabilities
- Cisco Smart BYOL, hourly and annual models
Instance types (instance type, interfaces, vCPUs, RAM):
- NGFWv: c3.xlarge, 2 + 2* interfaces, 4 vCPUs, 7.5 GB
- FMCv: c3.2xlarge, 4 interfaces, 8 vCPUs, 15 GB
* Management interface

ASAv in AWS
- Deploy ASAv in AWS in routed mode
- Deploy at the edge to provide RA VPN, site-to-site VPN & edge firewall capabilities
- East/West traffic control capability
- Cisco Smart BYOL, hourly and annual models
Supported instance types (instance type, interfaces (subnets), platform, vCPUs, RAM):
- c3.large / c4.large, 2 + 1* interfaces, ASAv10, 2 vCPUs, 3.75 GB
- c3.xlarge / c4.xlarge, 3 + 1* interfaces, ASAv30, 4 vCPUs, 7.5 GB
* Management interface; it can also be used as a data interface

Deployment modes

NGFWv in AWS, Routed Mode (diagram): NGFWv with Internal, External and Management interfaces; EC2 workloads behind Internal, External toward the AWS gateway; Firepower Management Center can be on premise or in AWS.

NGFWv in AWS, Passive Mode (diagram): a CSRv in the path between the EC2 workloads (Internal) and the AWS gateway (External) mirrors traffic to the NGFWv over ERSPAN; the NGFWv only has a Management interface toward the Firepower Management Center, which can be on premise or in AWS.

ASAv in AWS, Routed Mode (diagram): ASAv with Mgmt/Outside toward the AWS gateway and Inside, dmz1 and dmz2 interfaces, each with EC2 workloads.

Use Cases (AWS)

Use Cases - AWS
- Secure transit VPC
- Multiple IPs on an interface
- VPC peering
- Edge firewall and site-to-site VPN
- Inter-subnet communication
- Remote access VPN
- ASA Virtual Tunnel Interface (route-based VPN)

Secure Transit VPC with NGFWv (diagram): spoke VPCs A and B connect to a transit VPC that holds a CSRv in AZ1 and a CSRv in AZ2 plus an NGFWv; the NGFWv's route table (RT) steers traffic between the CSRs and the IGW. *Only one IGW is used; two are drawn for a clearer diagram.

Control plane connectivity, Transit VPC (diagram)
Transit VPC addressing: Subnet-1 10.0.0.0/24 and Subnet-2 10.0.1.0/24 (MGMT RT; the FMCv sits in Subnet-1, AZ1); CSR1 subnet 10.0.5.0/24 (CSR1 at 10.0.5.5, AZ1); CSR2 subnet 10.0.6.0/24 (CSR2 at 10.0.6.6, AZ2); NGFWv-IN subnet 10.0.4.0/24 (NGFWv inside interface at 10.0.4.4); NGFWv-OUT subnet 10.0.7.0/24. *Only one IGW is used; two are drawn for a clearer diagram.
- MGMT RT: 0.0.0.0/0 -> IGW
- CSR1 RT: 10.0.4.0/24 -> 10.0.5.1; CSR2 RT: 10.0.4.0/24 -> 10.0.6.1. Add specific routes toward the NGFWv; no default routes here, because the default is learned over the BGP session
- NGFWv-IN RT: 10.0.5.0/24 -> 10.0.4.1, 10.0.6.0/24 -> 10.0.4.1, so the NGFWv can reach 10.0.5.5 and 10.0.6.6 through its IN interface (10.0.4.4)
- NGFWv-OUT RT: 0.0.0.0/0 -> 10.0.7.1 -> IGW, so the NGFWv's traffic leaves from the OUT interface

Data plane connectivity, Transit VPC (diagram, same addressing)
- CSR1 RT and CSR2 RT: Spoke-CIDR (20.0.0.0/8 in the diagram) -> 10.0.5.5 (active CSR1) with 10.0.6.6 (standby CSR2); 0.0.0.0/0 -> 10.0.4.4 (NGFWv)
- NGFWv-IN RT: Spoke-CIDR -> 10.0.5.5 (active CSR1), standby 10.0.6.6, so return traffic to the spoke VPC is redirected to the active CSR; 10.0.5.0/24 and 10.0.6.0/24 -> 10.0.4.1
- NGFWv-OUT RT: 0.0.0.0/0 -> IGW, so Internet traffic from the spoke VPC is redirected out through the IGW
- MGMT RT: 0.0.0.0/0 -> IGW

Packet flow: Internet to spoke (Spoke-A): IGW -> NGFWv-OUT -> NGFWv inspection -> NGFWv-IN -> active CSR1 (10.0.5.5) per the NGFWv-IN RT -> VPN to Spoke-A.
Packet flow: spoke to Internet (Spoke-A): Spoke-A -> VPN -> active CSR1 -> default route in CSR1 RT to 10.0.4.4 (NGFWv) -> NGFWv inspection -> NGFWv-OUT RT default -> IGW.
Practitioner note: because the CSRs and the NGFWv forward packets that are not addressed to them, the source/destination check must be disabled on those EC2 instances' network interfaces, or AWS silently drops the forwarded traffic.

NGFWv / ASAv in AWS: Multiple IPs (diagram): users reach the outside interface of the firewall, which carries several IPs, and are translated to EC2 instances on the inside.

NGFWv in AWS: Inter VPC (diagram): two VPCs, each with an NGFWv (inside and outside interfaces, managed by FMC), joined by a site-to-site VPN tunnel between the outside interfaces; EC2 instances sit behind the inside interfaces.

ASAv in AWS: Interconnect VPCs (site-to-site VPN, diagram, for your reference): two VPCs, each with an ASAv (inside and outside), joined by a site-to-site VPN tunnel between the outside interfaces; EC2 instances sit behind the inside interfaces.

NGFWv in AWS: Edge Firewall & Site to Site VPN (diagram): NGFWv (inside, outside, management to FMC) as the edge firewall for the EC2 instances, with a site-to-site VPN tunnel from outside to the corporate DC and user traffic arriving on outside.

ASAv in AWS: RA VPN, Site to Site VPN, Edge Firewall and inter-subnet (diagram): ASAv with Inside, dmz1, dmz2 and outside interfaces; EC2 instances on each inside/DMZ subnet; site-to-site VPN tunnel to the corporate DC and remote access VPN users terminate on outside.

ASA in AWS: VTI (Route-Based VPN)
- The ASA must be running 9.7.1 or later
- Route-based VPN requires BGP
- Diagram: the on-premise ASA at the corporate DC builds a site-to-site VPN tunnel to an AWS VPN connection (virtual private gateway) in front of the VPC that holds the NGFWv and EC2 instances
Steps to configure a route-based VPN:
1. Create a Customer Gateway (dynamic routing for route-based VPN)
2. Create a Virtual Private Gateway
3. Attach the Virtual Private Gateway to the VPC
4. Create the VPN connection
5. Enable route propagation in the AWS route table to learn routes
6. Download the configuration

ASA VTI Configuration Steps
Steps 1-2: From the AWS services menu, click VPC.

ASA VTI Configuration Steps (contd.)
Steps 3-5: Click Customer Gateways, Create Customer Gateway, then Yes, Create.
- Name tag: enter a name
- Routing: Dynamic
- IP address: public address of your on-premise ASA
- BGP ASN: required for route-based VPN

ASA VTI Configuration Steps (contd.)
Steps 6-8: Click Virtual Private Gateways, enter a name for the VPN gateway (name tag), then Yes, Create.

ASA VTI Configuration Steps (contd.)
Steps 9-11: Attach to VPC, select the VPC from the drop-down, then Yes, Attach. This process can take a few minutes.

ASA VTI Configuration Steps (contd.)
Steps 12-15: Click VPN Connections, Create VPN Connection, select the proper customer gateway, virtual private gateway and the routing option Dynamic, then Yes, Create. Dynamic routing is required for route-based VPN.

ASA VTI Configuration Steps (contd.)
Step 16: Enable route propagation in the AWS route table, so that prefixes learned from the ASA over BGP are installed in the VPC route table.

ASA VTI Configuration Steps (contd.)
Step 17: Download the suggested configuration. Choose the values below to generate a VTI-style configuration: Vendor: Cisco; Platform: ISR Series Router; Software: IOS 12.4+.

ASA VTI Configuration Steps (contd.), for your reference
After downloading the configuration some conversion is required: the download is IOS syntax (crypto keyring, isakmp profile, tunnel protection) and the ASA expresses the same tunnel with an IKEv1 policy, a tunnel-group, an IPsec profile and a Tunnel interface. The slides showing the converted configuration are screenshots and are not reproduced here.
Final step: add the converted configuration to the on-premise ASA.
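The conversion step above is shown in the deck only as screenshots. The script below is an added example, not the presenter's code: it pulls the values that carry over (peer address, pre-shared key, the 169.254.x.x/30 inside addresses and both BGP ASNs) out of a fragment in the shape of the AWS "Cisco ISR / IOS 12.4+" download and renders the equivalent ASA 9.7 VTI configuration. SAMPLE_AWS_IOS is a constructed fragment for one tunnel; its addresses, PSK and customer ASN 65000 are placeholders, 64512 is the AWS default virtual private gateway ASN, and the advertised on-premise prefix 10.41.0.0/16 and the object names AWS-TS, AWS-PROFILE and AWS-VTI are my own choices.

```python
"""Convert the AWS-generated IOS VTI template into ASA 9.7 VTI configuration.

Added example, not code from the Cisco Live deck. SAMPLE_AWS_IOS is a
constructed one-tunnel fragment in the shape of the AWS IOS download;
addresses, PSK and the customer ASN are placeholders. The ASA side uses the
IKEv1 VTI syntax introduced in ASA 9.7.1 and AWS's published phase 1/2
defaults (AES-128, SHA-1, DH group 2, 28800 s / 3600 s, PFS group 2).
"""
import re

SAMPLE_AWS_IOS = """\
crypto keyring keyring-vpn-0a1b2c3d-0
  local-address 203.0.113.10
  pre-shared-key address 198.51.100.20 key ExamplePSKReplaceMe
exit
crypto ipsec transform-set ipsec-prop-vpn-0a1b2c3d-0 esp-aes 128 esp-sha-hmac
  mode tunnel
exit
crypto ipsec profile ipsec-vpn-0a1b2c3d-0
  set pfs group2
  set security-association lifetime seconds 3600
  set transform-set ipsec-prop-vpn-0a1b2c3d-0
exit
interface Tunnel1
  ip address 169.254.44.6 255.255.255.252
  tunnel source 203.0.113.10
  tunnel destination 198.51.100.20
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-0a1b2c3d-0
exit
router bgp 65000
  neighbor 169.254.44.5 remote-as 64512
  neighbor 169.254.44.5 activate
exit
"""


def parse_aws_ios(text):
    """Extract the values the ASA needs from the IOS template. The keyring,
    isakmp profile and 'tunnel protection' have no ASA equivalent; only the
    peer, PSK, inside /30 addresses and the BGP ASNs carry over."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        if not m:
            raise ValueError("template is missing: " + pattern)
        return m.groups()
    peer, psk = grab(r"^\s*pre-shared-key address (\S+) key (\S+)")
    local_inside, mask = grab(r"^\s*ip address (\S+) (\S+)")
    (local_asn,) = grab(r"^\s*router bgp (\d+)")
    aws_inside, aws_asn = grab(r"^\s*neighbor (\S+) remote-as (\d+)")
    return dict(peer=peer, psk=psk, local_inside=local_inside, mask=mask,
                local_asn=local_asn, aws_inside=aws_inside, aws_asn=aws_asn)


def asa_vti_config(v, outside_if="outside", tunnel_id=1, nameif="AWS-VTI",
                   advertise=(("10.41.0.0", "255.255.0.0"),)):
    """Render the ASA CLI lines. `advertise` lists the on-premise prefixes
    to announce to AWS over BGP (placeholder value)."""
    peer = v["peer"]
    lines = [
        "crypto ikev1 policy 10",            # phase 1: AWS customer-gateway defaults
        " authentication pre-share",
        " encryption aes",
        " hash sha",
        " group 2",
        " lifetime 28800",
        f"crypto ikev1 enable {outside_if}",
        "crypto ipsec ikev1 transform-set AWS-TS esp-aes esp-sha-hmac",
        "crypto ipsec profile AWS-PROFILE",  # phase 2, applied to the VTI
        " set ikev1 transform-set AWS-TS",
        " set pfs group2",
        " set security-association lifetime seconds 3600",
        f"tunnel-group {peer} type ipsec-l2l",  # the PSK is keyed on the AWS peer
        f"tunnel-group {peer} ipsec-attributes",
        f" ikev1 pre-shared-key {v['psk']}",
        " isakmp keepalive threshold 10 retry 10",  # DPD, as the AWS template does
        f"interface Tunnel{tunnel_id}",      # route-based: the tunnel is an interface
        f" nameif {nameif}",
        f" ip address {v['local_inside']} {v['mask']}",
        f" tunnel source interface {outside_if}",
        f" tunnel destination {peer}",
        " tunnel mode ipsec ipv4",
        " tunnel protection ipsec profile AWS-PROFILE",
        f"router bgp {v['local_asn']}",      # BGP across the tunnel inside addresses
        " bgp log-neighbor-changes",
        " address-family ipv4 unicast",
        f"  neighbor {v['aws_inside']} remote-as {v['aws_asn']}",
        f"  neighbor {v['aws_inside']} activate",
    ]
    lines += [f"  network {net} mask {mask}" for net, mask in advertise]
    return lines


if __name__ == "__main__":
    print("\n".join(asa_vti_config(parse_aws_ios(SAMPLE_AWS_IOS))))
```

Run it once per tunnel in the download (AWS always generates two, on different peer addresses) with a different tunnel_id and nameif. ASA 9.7 VTI supports IKEv1 only (IKEv2 on VTI arrives in 9.8), so the tunnel-group and policy above deliberately stay on IKEv1; the AWS-assigned 169.254.x.x/30 inside addresses are what BGP peers over, so they must be copied exactly from the download.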

Stateless Scale-Out Design (AWS)

Load Balancing across Availability Zones (diagram): an ELB behind the IGW distributes user traffic to a firewall in Subnet-2a (AZ1) and a firewall in Subnet-2b (AZ2); each AZ also has Subnet-1x and Subnet-3x for the workloads.

NAT configuration (for your reference)
Each ASA translates HTTP arriving on management (the ELB-facing side) to the web server in its own AZ and PATs the source to its inside interface, so return traffic comes back through the same ASA.
asaaz1:
 object service obj-http
  service tcp destination eq www
 object network obj-192.168.11.100
  host 192.168.11.100
 nat (management,inside) source dynamic any interface destination static interface obj-192.168.11.100 service obj-http obj-http
asaaz2:
 object service obj-http
  service tcp destination eq www
 object network obj-192.168.21.100
  host 192.168.21.100
 nat (management,inside) source dynamic any interface destination static interface obj-192.168.21.100 service obj-http obj-http

Demo stateless scale-out design & load balance traffic across Availability Zone in AWS

Stateless scale-out design & load balancing across Availability Zones (demo topology): users reach the AWS IGW and the ELB, which distributes to asaaz1 in us-west-2a (serving lnx-az1) and asaaz2 in us-west-2b (serving lnx-az2).


Licensing & Marketplace Listings

Azure / AWS licensing
Cisco Smart License (BYOL): Bring your own license; Hourly & annual usage model
1 Place Order (Distribution) -> 2 Activate and Use Software -> 3 Entitlement (Cisco Smart Software Manager)
Licenses are managed by Firepower Management Center
BASE License (Networking, Firewalling, AVC)
Term Based Licenses* (Threat, URL Filtering, AMP)
* Term is 1yr, 3yr & 5 year

Azure / AWS licensing
Cisco Smart License (BYOL): Bring your own license; Hourly & annual usage model
1 Place Order (Distribution) -> 2 Activate and Use Software -> 3 Entitlement (Cisco Smart Software Manager)
Standard License (Firewalling & Throughput)
VPN License (AnyConnect & IPsec)

and Marketplace Listings
AWS Marketplace listings (Product / Marketplace listing / URL):
- BYOL: http://cs.co/ciscobyol
- Hourly & Annual: http://cs.co/ciscohourlyannual
- FMCv, BYOL: http://cs.co/ciscofmcvbyol
- BYOL, Hourly & Annual: http://cs.co/ciscobyolhourlyannual
Azure Marketplace listings (Product / Marketplace listing / URL):
- BYOL: http://cs.co/cisco
- BYOL: http://cs.co/cisco

Summary
- Available in AWS and Azure
- Flexible licensing (BYOL + Hourly + Annual)
- Feature Parity
- Template Deployment for and in Azure
- Leverage existing management/monitoring tools and operational resources
- Stateless Scale-Out design
- High Availability in Azure for releasing in July 2017
- REST-API support for orchestration and automation
- Integration with Cisco Defense Orchestrator for configuration orchestration

Demo Videos (For your Reference)
- Demo1: North-South, East-West traffic inspection and micro segmentation: http://cs.co/cisconsew and http://cs.co/microsegmentation
- Demo2: Scale-Out in AWS: http://cs.co/ciscoscaleoutaws

YouTube Channel Public Cloud Playlist: http://cs.co/advancesecurityprivatepubliccloud

in cloud (Videos) (For your Reference)
- Cisco deployment in AWS and block malware (Part 1, 2 and 3): http://cs.co/ciscoinaws1 , http://cs.co/ciscoinaws2 , http://cs.co/ciscoinaws3
- Cisco deployment in Azure: http://cs.co/azuredeployment
- Cisco Firepower in Azure: Protect vnet workloads N/S and E/W: http://cs.co/cisconsew
- Cisco micro-segmentation use case in Azure: http://cs.co/microsegmentation

in cloud (Videos) (For your Reference)
- Cisco deployment in AWS: http://cs.co/ciscodeploymentaws
- Cisco deployment in Azure: http://cs.co/ciscodeploymentazure
- Cisco template deployment: http://cs.co/ciscotdeploymentazure
- Cisco scale out design in AWS: http://cs.co/ciscoscaleoutaws
- Cisco scale out design in Azure: http://cs.co/ciscoazurescaleout

Reference Links (For your Reference)
- Cisco licensing (BYOL): http://cs.co/licensing
- Cisco licensing (BYOL): http://cs.co/ciscolicensing
- ARM Template: http://cs.co/armtemplate

Complete Your Online Session Evaluation: Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on www.ciscolive.com/us. Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.ciscolive.com/online.

Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions

Thank you