Designing a Simulated SMB Network with Layered Security and OSPF Routing

This article outlines a functional, multi-tier network architecture simulating a small-to-medium business (SMB) environment with geographically distributed sites. The design emphasizes redundancy, segmentation, dynamic routing, and perimeter security—implemented using Cisco IOS and ASA 5506-X firewall semantics.

Architecture Overview

The topology comprises three logical zones:

  • Headquarters (HQ): A dual-core, dual-aggregation, multi-access layer with VLAN segmentation (10, 20, 30, 40), HSRP standby groups for first-hop redundancy, and PVST+ for loop prevention.
  • Branch Office: Simplified two-VLAN infrastructure (10, 20) with HSRP standby gateways and a direct WAN uplink.
  • Internet Edge: Simulated external network connected via serial links; serves as both ISP and test endpoint.

A dedicated Cisco ASA 5506-X acts as the HQ’s security gateway, enforcing zone-based policies between internal core networks (incore-1, incore-2) and the external segment (outcore).

Key Configuration Principles

All devices run OSPF so that end-to-end reachability needs no static routes. Every link sits in area 0, so the design is single-area: no inter-area routing or redistribution is required, and the differing process IDs (10 on the HQ aggregation switch, 50 on the ASA, 100 at the branch) are only locally significant. ACLs are applied exclusively on the firewall; no ACLs exist on switches or routers, which makes the ASA the sole policy enforcement point.

Firewall Policy Clarification

The original query asks whether unidirectional traffic control (allowing HQ→Branch but denying Branch→HQ) is feasible using only ACLs on a single ASA 5506-X, without NAT or additional devices.

Answer: Yes. For new connections this is the ASA's default behaviour; an ACL is only needed to make the intent explicit or to carve out exceptions.

The ASA evaluates the first packet of a connection in the context of the security levels of its ingress and egress interfaces and of any ACL applied to the ingress interface. With:

  • incore-1 and incore-2: security-level 100 (trusted)
  • outcore: security-level 0 (untrusted)

…and no ACL applied, connections initiated from incore-1/incore-2 toward outcore (high to low) are permitted, connections initiated from outcore toward the incore interfaces (low to high) are denied, and the return half of any permitted connection is admitted from the stateful connection table without consulting an ACL. Two consequences matter for the design: once an access-group is applied inbound on outcore, that ACL (with its implicit deny at the end) replaces the security-level rule for everything entering outcore; and traffic between incore-1 and incore-2, whose levels are equal, is dropped unless same-security-traffic permit inter-interface is configured.

To enforce HQ-only-initiated access to the branch:

  1. Ensure Branch resides behind outcore (i.e., its WAN-facing path terminates on outcore or a similarly low-security interface), so that Branch → HQ is low-to-high and HQ → Branch is high-to-low.
  2. Optionally apply an explicit deny on the outcore interface's inbound direction targeting Branch → HQ subnets, so the intent is visible in the configuration and the drops are attributable to a named rule (note that ASA access-list masks are ordinary subnet masks, unlike the wildcard masks in the IOS OSPF network statements below):
access-list OUTBOUND_IN extended deny ip 192.200.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list OUTBOUND_IN extended permit ip any any
access-group OUTBOUND_IN in interface outcore

This blocks new connection attempts originating from the Branch zone while allowing HQ-initiated sessions (e.g., SSH or HTTP to a branch host) to function bidirectionally, because the branch's replies match the connection table rather than the ACL. Check the trailing permit ip any any before deploying it: because the access-group now replaces the default low-to-high deny on outcore, that line admits new connections to HQ from every other outcore source, including the simulated Internet edge. Keep it only if that is intended; otherwise omit it and rely on the implicit deny, or replace it with permits scoped to the specific services the outside must reach.
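The policy reasoning above, as an added worked model (example code written for this edit, not the article's configuration or any Cisco software): a small Python simulation of how the ASA treats the first packet of a flow under interface security levels, an inbound access-group and the stateful connection table. Interface names, security levels and the ACL text are the article's; the host addresses, the 203.0.113.5 Internet source (an RFC 5737 documentation address) and the evaluate() scenarios are constructed, routing is assumed known (each flow carries its egress interface), and the connection table is keyed on addresses only, ignoring protocol and ports.

```python
"""Toy model of how a Cisco ASA admits or drops a NEW connection (added example).

Mechanisms modelled: security levels (higher -> lower permitted by default,
lower -> higher and equal levels denied), an inbound access-group that replaces
that default on its interface (implicit deny at the end), and the stateful
connection table that admits return traffic without consulting any ACL.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    in_if: str   # interface the first packet arrives on
    out_if: str  # interface the routing lookup selects (assumed known here)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(src) in self.src and ip_address(dst) in self.dst


def parse_ace(line: str) -> tuple[str, Ace]:
    """Parse 'access-list NAME extended {permit|deny} ip SRC MASK DST MASK'.
    ASA masks are ordinary subnet masks; 'any' means 0.0.0.0/0."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended" or tok[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    pos = 5

    def take() -> IPv4Network:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ip_network("0.0.0.0/0")
        net = ip_network(f"{tok[pos]}/{tok[pos + 1]}")  # ipaddress accepts dotted masks
        pos += 2
        return net

    src, dst = take(), take()
    return tok[1], Ace(tok[3], src, dst)


class Asa:
    def __init__(self, levels: dict[str, int]):
        self.levels = levels
        self.acls: dict[str, list[Ace]] = {}
        self.inbound: dict[str, str] = {}         # interface -> ACL applied inbound
        self.conns: set[tuple[str, str]] = set()  # stateful connection table (src, dst)

    def configure(self, config: str) -> None:
        for line in config.strip().splitlines():
            tok = line.split()
            if not tok:
                continue
            if tok[0] == "access-list":
                name, ace = parse_ace(line)
                self.acls.setdefault(name, []).append(ace)
            elif tok[0] == "access-group":  # access-group NAME in interface IF
                self.inbound[tok[4]] = tok[1]

    def decide(self, f: Flow) -> tuple[str, str]:
        """Return (verdict, reason) for the first packet of a flow."""
        # 1. Return traffic of a permitted connection is admitted from the conn table.
        if (f.dst, f.src) in self.conns:
            return "permit", "existing conn"
        # 2. An inbound ACL on the ingress interface replaces the security-level rule.
        if f.in_if in self.inbound:
            name = self.inbound[f.in_if]
            verdict = "deny"  # implicit deny at the end of every ACL
            for ace in self.acls[name]:
                if ace.matches(f.src, f.dst):
                    verdict = ace.action
                    break
            reason = f"acl {name}"
        else:
            # 3. No ACL: higher -> lower permitted; lower -> higher and equal levels
            #    denied (equal levels need same-security-traffic permit inter-interface).
            verdict = "permit" if self.levels[f.in_if] > self.levels[f.out_if] else "deny"
            reason = "security-level"
        if verdict == "permit":
            self.conns.add((f.src, f.dst))
        return verdict, reason


# The article's ACL as written, and the same ACL without its trailing permit.
PAGE_POLICY = """
access-list CORE_POLICY extended deny ip 192.200.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list CORE_POLICY extended permit ip any any
access-group CORE_POLICY in interface outcore
"""
TIGHT_POLICY = "\n".join(l for l in PAGE_POLICY.splitlines() if "permit ip any any" not in l)


def evaluate(policy: str) -> dict[str, tuple[str, str]]:
    """Run the article's scenarios (constructed host addresses) through the model."""
    asa = Asa({"incore-1": 100, "incore-2": 100, "outcore": 0})
    asa.configure(policy)
    return {
        "hq->branch": asa.decide(Flow("192.168.10.5", "192.200.10.5", "incore-1", "outcore")),
        "branch reply": asa.decide(Flow("192.200.10.5", "192.168.10.5", "outcore", "incore-1")),
        "branch->hq new": asa.decide(Flow("192.200.10.7", "192.168.20.9", "outcore", "incore-1")),
        "internet->hq": asa.decide(Flow("203.0.113.5", "192.168.10.5", "outcore", "incore-1")),
        "incore-1->incore-2": asa.decide(Flow("192.168.254.10", "192.168.253.10", "incore-1", "incore-2")),
    }


if __name__ == "__main__":
    for label, policy in (("as written", PAGE_POLICY), ("without permit any any", TIGHT_POLICY)):
        print(f"--- {label}")
        for scenario, (verdict, reason) in evaluate(policy).items():
            print(f"{scenario:<20} {verdict:<6} {reason}")
```

Running it shows the two halves of the answer side by side: with the ACL as written, HQ→Branch and the branch's reply pass, the new Branch→HQ attempt is dropped by the named deny, but the Internet host is admitted by permit ip any any; with that line removed, the same Internet host hits the implicit deny while HQ-initiated sessions still work, and the incore-1→incore-2 case shows why equal security levels need the same-security-traffic setting.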

Sample Device Configurations

HQ Aggregation Switch (Primary)

enable
configure terminal
vlan 10,20,30,40
!
! Priority 120 minus two 15-point decrements = 90, below the peer's default 100,
! so this switch yields the active role only when BOTH uplinks are down.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 standby 10 ip 192.168.10.252
 standby 10 priority 120
 standby 10 preempt
 standby 10 track Fa0/1 decrement 15
 standby 10 track Fa0/2 decrement 15
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 standby 20 ip 192.168.20.252
 standby 20 priority 120
 standby 20 preempt
 standby 20 track Fa0/1 decrement 15
 standby 20 track Fa0/2 decrement 15
!
interface Fa0/1
 no switchport
 ip address 192.168.2.2 255.255.255.0
 no shutdown
!
interface Fa0/2
 no switchport
 ip address 192.168.4.2 255.255.255.0
 no shutdown
!
ip routing
spanning-tree mode pvst
spanning-tree vlan 10,20 root primary
spanning-tree vlan 30,40 root secondary
!
interface range Fa0/3 - 6
 ! set the encapsulation before forcing trunk mode; platforms that also support ISL reject the reverse order
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
router ospf 10
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.40.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.4.0 0.0.0.255 area 0

ASA 5506-X Firewall (Security Gateway)

enable
configure terminal
interface GigabitEthernet1/1
 nameif outcore
 security-level 0
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/2
 nameif incore-1
 security-level 100
 ip address 192.168.254.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/3
 nameif incore-2
 security-level 100
 ip address 192.168.253.1 255.255.255.0
 no shutdown
!
router ospf 50
 network 192.168.1.0 255.255.255.0 area 0
 network 192.168.253.0 255.255.255.0 area 0
 network 192.168.254.0 255.255.255.0 area 0
! ASA network statements take subnet masks, not IOS-style wildcards. outcore is the
! untrusted side, so authenticate OSPF there (ospf authentication message-digest plus
! an ospf message-digest-key under GigabitEthernet1/1, and matching keys on the peer),
! otherwise any host on 192.168.1.0/24 can inject routes.
!
! The explicit deny documents the Branch -> HQ block; the trailing permit ip any any
! replaces the default low-to-high deny and admits new connections to HQ from every
! other outcore source. Omit it or scope it to required services unless that is intended.
access-list CORE_POLICY extended deny ip 192.200.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list CORE_POLICY extended permit ip any any
access-group CORE_POLICY in interface outcore

Branch Core Switch

enable
configure terminal
vlan 10,20
!
interface Vlan10
 ip address 192.200.10.1 255.255.255.0
 standby 10 ip 192.200.10.252
 standby 10 preempt
 standby 10 track Fa0/1 decrement 15
!
interface Vlan20
 ip address 192.200.20.1 255.255.255.0
 standby 20 ip 192.200.20.252
 standby 20 preempt
 standby 20 track Fa0/1 decrement 15
!
interface Fa0/1
 no switchport
 ip address 192.200.1.2 255.255.255.0
 no shutdown
!
ip routing
spanning-tree mode pvst
spanning-tree vlan 10,20 root primary
!
router ospf 100
 network 192.200.1.0 0.0.0.255 area 0
 network 192.200.10.0 0.0.0.255 area 0
 network 192.200.20.0 0.0.0.255 area 0

Tags: cisco-asa OSPF VRRP firewall-acl layer-3-switching

Posted on Mon, 01 Jun 2026 00:07:14 +0000 by someone