I'm running into a scenario more and more often, and am hoping to get some input as to how other members of the community would handle it.
The challenge is fairly straightforward. I have 3 sites, and I want to route a point-to-point IPsec VPN between them. Pretty normal, but one of the sites is an Amazon VPC.
Typically, I'll have a corporate office with some firewall; in my example I'll use a Sonicwall NSA security appliance at corporate, which we'll call Site #1.
At a satellite office (Site 2) I only have a Cisco ISR router and no separate firewall. Let's say for the sake of argument I don't need a firewall at Site 2.
Now site 3 is the Amazon VPC where all the servers are.
Let's say I want Site 1 to access the internet, but I need content filtering and rules from the Sonicwall applied to their external web browsing.
Site 1 needs to be able to access resources at Site 3 where all the servers are, and site 2 as well for monitoring various things.
Site 2 needs to be able to access resources at Site 3, where the servers are, and should be able to communicate directly back to Site 1 as well over the point-to-point VPN between the two. Any external web browsing at Site 2 doesn't need any filtering, so it should just route out through the local ISP.
Site 3 simply hosts the servers and will need VPN links to the Cisco ISR routers at Sites 1 and 2.
So here is the challenge: How do you wire up the router and firewall at Site 1?
The age old question comes into play - do you put the firewall in front of the router, or behind it?
Remember, this is our router, not the ISP's. It's used for 1 purpose - routing internal VPN traffic through established VPN links between the 2 sites.
The next question is, do you just add routes in the Sonicwall, for example, to the Cisco? That's what seems logical to me: put the Sonicwall as Site 1's LAN default gateway and route any traffic destined for Site 2's or Site 3's network to the appropriate place...
I've attached 3 diagrams. Here's the only differences between them:
Diagram 1 - Site 1's Sonicwall and Cisco ISR are connected to the ISP's router and each has an external public IP. The Sonicwall is the default gateway for Site 1's LAN. There's a route between the Sonicwall and the Cisco ISR for traffic destined to Site 2's and Site 3's VPNs.
Diagram 2 - Site 1's Sonicwall is the default gateway for the LAN. Its WAN port is plugged into the Cisco ISR's inside LAN adapter. A network exists between the two, and the Cisco ISR is the Sonicwall's default gateway. The Cisco ISR is then connected to the ISP and has a public IP.
I don't think Diagram 2 will work; my concern is that I might have a double NAT, but I suppose I could turn off NAT. I'm also not sure if I would need routes in the Sonicwall, but I don't see why I would under Diagram 2...
Diagram 3 - The Cisco ISR is the default gateway for the LAN, and its WAN port is in the Sonicwall. The Sonicwall's WAN port is then connected to the ISP. Probably the Cisco ISR would have to be in a DMZ off the Sonicwall? The Cisco would then already know to route traffic destined for Site 2 and Site 3 across the VPN links, assuming they could be established transparently behind the Sonicwall...
So there is my conundrum. I'm sure there are some fundamental flaws in my thinking in some or all of these scenarios. Usually I forgo the firewall and just put Cisco ISRs at all the sites, but I'm running into the need to route VPN traffic across the Cisco routers and route internet traffic through security appliances for compliance requirements.
Why am I using Cisco ISRs? Because I like to use BGP with my VPCs and get the advantages of dynamic routing. While it's possible to use an ASA or even a Sonicwall now with Amazon's VPCs in generic configs with static routing, I use the ISRs. I think they have the maximum compatibility and are supported by AWS tech support engineers, so it's easier to get other problems solved.
I have linked the 3 diagrams:
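As an added illustration of the Diagram 1 wiring (this is example configuration written for this page, not the poster's config or an AWS-supplied template), here is what the Site 1 ISR and the matching Sonicwall routes look like when the ISR keeps its own public IP, runs a route-based IPsec VTI with BGP to the VPC, and the Sonicwall stays the LAN default gateway. All addresses, ASNs and interface names are placeholders: Site 1 LAN 10.1.0.0/24 (Sonicwall 10.1.0.1, ISR 10.1.0.2), Site 2 LAN 10.2.0.0/24 behind an ISR at 203.0.113.20, VPC 10.3.0.0/16 behind a VGW tunnel endpoint at 198.51.100.20 with the AWS-side ASN 7224, local ASN 65000, and 169.254.10.0/30 as the inside tunnel addresses.

```text
! ===== Site 1 Cisco ISR, Diagram 1 layout (example config, placeholder addresses) =====
! Sonicwall LAN 10.1.0.1 is the hosts' default gateway; this ISR is 10.1.0.2 on the same LAN
! and only carries VPN traffic to Site 2 (10.2.0.0/24) and the VPC (10.3.0.0/16).
!
! --- IKEv1 phase 1 / IPsec phase 2, shared by both VTI tunnels ---
crypto isakmp policy 200
 encryption aes 128
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
crypto isakmp key REPLACE_WITH_AWS_PSK address 198.51.100.20
crypto isakmp key REPLACE_WITH_SITE2_PSK address 203.0.113.20
crypto isakmp keepalive 10 10 on-demand
crypto ipsec transform-set vti-ts esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
crypto ipsec profile vti-prof
 set pfs group2
 set security-association lifetime seconds 3600
 set transform-set vti-ts
!
! --- Physical interfaces ---
interface GigabitEthernet0/0
 description ISP segment, ISR's own public IP (the Sonicwall has a separate one)
 ip address 203.0.113.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 description Site 1 LAN, same segment as the Sonicwall LAN side
 ip address 10.1.0.2 255.255.255.0
 no shutdown
!
! --- Route-based tunnel to the VGW; BGP runs inside it ---
interface Tunnel1
 description IPsec VTI to AWS VGW tunnel 1
 ip address 169.254.10.2 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vti-prof
 no shutdown
!
! --- Route-based tunnel to the Site 2 ISR, statically routed for brevity ---
interface Tunnel2
 description IPsec VTI to Site 2 ISR
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.10
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vti-prof
 no shutdown
!
! The ISR's own default route goes to the ISP only so IKE/ESP can reach both peers;
! LAN hosts never use this box for web browsing, so the Sonicwall filtering still applies.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.2.0.0 255.255.255.0 Tunnel2
!
! --- BGP: learn 10.3.0.0/16 from AWS, advertise Site 1 and Site 2 toward the VPC ---
router bgp 65000
 neighbor 169.254.10.1 remote-as 7224
 neighbor 169.254.10.1 timers 10 30 30
 address-family ipv4 unicast
  neighbor 169.254.10.1 activate
  neighbor 169.254.10.1 soft-reconfiguration inbound
  network 10.1.0.0 mask 255.255.255.0
  network 10.2.0.0 mask 255.255.255.0
 exit-address-family
!
! ===== Sonicwall side (Diagram 1), written out as the equivalent routing policy =====
! Two static routes, both with NAT disabled, so LAN hosts keep 10.1.0.1 as their gateway:
!   destination 10.3.0.0/16   next hop 10.1.0.2   via the LAN (X0) interface
!   destination 10.2.0.0/24   next hop 10.1.0.2   via the LAN (X0) interface
! The default route stays on the WAN (X1) toward the ISP, so web browsing is still filtered.
```

Two caveats that follow from this layout. First, the Sonicwall hairpins those flows back out the LAN interface, and the ISR answers the hosts directly, so the firewall sees only one direction of each LAN-to-LAN conversation; a stateful inspection rule on that path can drop or reset the traffic, which is why the routes are marked no-NAT and why some people instead give the ISR's LAN side its own Sonicwall interface. Second, if the ISR were moved behind the Sonicwall as in Diagram 3, it would sit behind NAT: IKE then has to use NAT-T (UDP 500 and 4500 must be allowed through), the tunnel source in the VTI would be the ISR's private address while AWS still expects the Sonicwall's public IP as the customer gateway, and the Sonicwall would need a static route for 10.2.0.0/24 and 10.3.0.0/16 pointing at the ISR in the same way.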