ASA Question

Hi all.

I'm now managing two ASAs (5520 and 5510). These have, in my mind, been configured poorly.

The 5510 has its external interface connected to a DMZ interface of the 5520.

SSL and IPsec VPNs are terminated on the external interface of the 5510.

Can I easily add configuration to the 5520 without destroying the connectivity to the 5510?

I'm 95% sure I can. A few people wish to lab this. I'm sure it doesn't require a lab.

Effectively terminating SSL and IPsec on both "external" interfaces. I'll then migrate users to the 5520.

Appreciate any information!!!

Jon Marshall Tue, 07/10/2007 - 22:41

Hi

It really depends on what configuration you are adding to the ASA 5520. I can think of a lot of config you could add that would not impact the 5510 but then again i can think of config that would.

Could you be a bit more specific in the config you want to add ?

Jon

Thanks Jon.

Crypto map

crypto dynamic-map

relevant ISAKMP policies

tunnel-group commands

group-policy

Enough to terminate SSL and IPsec on the external interface of the 5520, while concurrently terminating SSL and IPsec on the 5510.

I plan on not overlapping any IP subnets for remote users until I sign off on 5520 remote access.

Configuration of subnets to be ported in order to decommission the 5510.

No LAN-2-LAN. Nothing really fancy. Just the ability to run concurrent SSL VPN and IPsec VPN to the two ASAs. Just a very vanilla configuration.

Does that help?

I just don't want to find out during config that my 5520 is intercepting anything for the 5510.

Clear as mud?

Thanks

Jon Marshall Tue, 07/10/2007 - 23:12

Hi

No, a bit clearer than mud :)

I can't see any reason why you cannot have both firewalls terminating SSL and IPsec traffic on their external interfaces. As long as you keep the addressing totally separate so there is no confusion in routing the packets, you should be fine.

Jon

Jon Marshall Tue, 07/10/2007 - 23:18

Yes, so would I, but I have seen it done like this before.

Advantage is that you can make sure only IPsec / SSL traffic goes to the outside interface of the 5510.

But you could do this on your upstream router.

Downside, and it can be quite a big one: it can really play havoc with NAT etc.

Jon
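For reference, the arrangement discussed in this thread as an added configuration example (not from either poster): ASA 7.2/8.0-era syntax for the 5520, terminating its own remote-access IPsec and SSL on its outside interface while passing the 5510's VPN traffic straight through to the 5510's outside address, which sits on the 5520's dmz interface. Interface names (outside, dmz, inside), object names, the addresses (203.0.113.0/24 documentation range, 192.168.10.0/24 inside, 10.20.0.0/24 pool) and the pre-shared key are all constructed placeholders.

```cisco
! Constructed example for the 5520. Assumed addressing (placeholders):
!   5520 outside = 203.0.113.10, 5510 outside = 172.16.1.10 on the 5520's dmz,
!   5510 published to the Internet as 203.0.113.11, inside LAN = 192.168.10.0/24

! Remote-access pool for the 5520 only; must not overlap the 5510's pool
ip local pool RA_POOL 10.20.0.1-10.20.0.254 mask 255.255.255.0

! NAT exemption so VPN clients reach the inside LAN without translation
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ISAKMP/IPsec for the 5520's own clients, enabled on outside only
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! Group policy and tunnel group for the users being migrated
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol IPSec webvpn
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key PLACEHOLDER-CHANGE-ME

! SSL VPN listener on outside
webvpn
 enable outside

! 5510 pass-through: one-to-one static plus pinholes for ISAKMP, NAT-T, ESP, HTTPS.
! The 5520 does not terminate these: its crypto map and webvpn listener are bound
! to outside, and these packets are addressed to 203.0.113.11, not 203.0.113.10.
static (dmz,outside) 203.0.113.11 172.16.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit udp any host 203.0.113.11 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.11 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.11
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.11 eq https
access-group OUTSIDE_IN in interface outside
```

The 5510's existing VPN configuration is untouched; the only things the 5520 needs to know about it are the static and the pinholes above, and the two address pools simply have to differ. Verify with `show crypto isakmp sa` on each box that client SAs land on the intended firewall before moving users.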