07-10-2007 07:48 PM - edited 02-21-2020 01:36 AM
Hi all.
I'm now managing two ASAs (5520 and 5510). These have, in my mind, been configured poorly.
The 5510 has its external interface connected to a DMZ interface of the 5520.
SSL and IPsec VPNs are terminated on the external interface of the 5510.
Can I easily add configuration to the 5520 without destroying the connectivity to the 5510?
I'm 95% sure I can. A few people wish to lab this. I'm sure it doesn't require a lab.
Effectively terminating SSL and IPsec on both "external" interfaces. I'll then migrate users to the 5520.
Appreciate any information!!!
07-10-2007 10:41 PM
Hi
It really depends on what configuration you are adding to the ASA 5520. I can think of a lot of config you could add that would not impact the 5510, but then again I can think of config that would.
Could you be a bit more specific in the config you want to add?
Jon
07-10-2007 11:09 PM
Thanks John.
Crypto map
crypto dynamic-map
relevant isakmp policies
tunnel-group commands
group-policy
Enough to terminate SSL and IPsec on the external interface of the 5520, while concurrently terminating SSL and IPsec on the 5510.
I plan on not overlapping any IP subnets for remote users until I sign off on 5520 remote access.
Configuration of subnets to be ported in order to decommission the 5510.
No LAN-2-LAN. Nothing really fancy. Just the ability to run concurrent SSL VPN and IPsec VPN to the two ASAs. Just very vanilla configuration.
Does that help?
I just don't want to find out during config that my 5520 is intercepting anything for the 5510.
Clear as mud?
Thanks
07-10-2007 11:12 PM
Hi
No, a bit clearer than mud :)
I can't see any reason why you cannot have both firewalls terminating SSL and IPsec traffic on their external interfaces. As long as you keep the addressing totally separate so there is no confusion in routing the packets, you should be fine.
Jon
07-10-2007 11:15 PM
Thanks champ!
Not sure why the external interface of the 5510 was dropped into the DMZ of the 5520.
I'd have done the internal perhaps and run the two externals in the same subnet.
But anyway...
Thanks
07-10-2007 11:18 PM
Yes, so would I, but I have seen it done like this before.
Advantage is that you can make sure only IPsec / SSL traffic goes to the outside interface of the 5510.
But you could do this on your upstream router.
Downside, and it can be quite a big one: it can really play havoc with NAT etc.
Jon
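The pieces the original poster listed (ISAKMP policy, dynamic crypto map, tunnel-group, group-policy), plus Jon's two points about restricting what reaches the 5510 and the NAT involved, as an added example written for this thread rather than taken from either poster. All addresses, names and the pool ranges are constructed; the pre-shared key is a placeholder; syntax is the ASA 7.2/8.0 (pre-8.3 NAT) form that was current when the thread was written.

```text
! Constructed addressing for this example (not from the thread):
!   5520 outside 203.0.113.1/24, dmz 192.0.2.1/24, inside 10.1.0.0/16
!   5510 outside 192.0.2.10 (on the 5520's dmz), 5510 RA pool 10.200.0.0/24
!   5520 RA pool 10.201.0.0/24 (deliberately non-overlapping with the 5510's)
! Syntax is ASA 7.2/8.0 (pre-8.3 NAT); 'ipsec-ra' was renamed 'remote-access' later.
!
! --- 5520: terminate IPsec remote access on its own outside interface ---
ip local pool RA-5520-POOL 10.201.0.1-10.201.0.254 mask 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside
! --- group-policy / tunnel-group for the 5520's own users ---
access-list SPLIT-ACL standard permit 10.1.0.0 255.255.0.0
group-policy RA-5520-GP internal
group-policy RA-5520-GP attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
tunnel-group RA-5520 type ipsec-ra
tunnel-group RA-5520 general-attributes
 address-pool RA-5520-POOL
 default-group-policy RA-5520-GP
tunnel-group RA-5520 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
! --- SSL VPN on the same outside interface ---
webvpn
 enable outside
! --- NAT exemption: VPN client traffic to the inside must not be translated ---
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.201.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
! --- Reach the 5510 through the 5520: static NAT for its outside address, and
!     only ISAKMP, NAT-T, ESP and HTTPS may reach it (Jon's "only IPsec/SSL" point) ---
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE-IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE-IN extended permit esp any host 203.0.113.10
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq https
access-group OUTSIDE-IN in interface outside
```

The static translation on the 5520 is what makes the 5510's outside reachable from the Internet at all, and it is also the source of the NAT trouble Jon warns about: the 5510's peers now see a translated address, so its IPsec sessions depend on NAT-T (UDP 4500) rather than plain ESP. The 5520's own VPN users are unaffected by that translation because they terminate on the 5520's outside address and use a pool that does not overlap the 5510's.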