ASA Question

timkaye
Level 1

Hi all.

I'm now managing two ASAs (5520 and 5510). These have, in my mind, been configured poorly.

The 5510 has its external interface connected to a DMZ interface of the 5520.

SSL and IPsec VPNs are terminated on the external interface of the 5510.

Can I easily add configuration to the 5520 without destroying the connectivity to the 5510?

I'm 95% sure I can. A few people wish to lab this. I'm sure it doesn't require a lab.

Effectively terminating ssl and ipsec on both "external" interfaces. I'll then migrate users to the 5520.

Appreciate any information!!!

5 Replies

Jon Marshall
Hall of Fame

Hi

It really depends on what configuration you are adding to the ASA 5520. I can think of a lot of config you could add that would not impact the 5510 but then again i can think of config that would.

Could you be a bit more specific in the config you want to add ?

Jon

Thanks Jon.

Crypto map

crypto dynamic-map

relevant isakmp policies

tunnel-group commands

group-policy

Enough to terminate SSL and IPsec to the external interface of the 5520, while concurrently terminating SSL and IPsec on the 5510.

I plan on not overlapping any IP subnets for remote users until I sign off on 5520 remote access.

Configuration of subnets to be ported in order to decommission the 5510.

No LAN-2-LAN. Nothing really fancy. Just the ability to run concurrent SSL VPN and IPsec VPN to the two ASAs. Just very vanilla configuration.

Does that help?

I just don't want to find out during configuration that my 5520 is intercepting anything for the 5510.

clear as mud?

thanks

Hi

No, a bit clearer than mud :)

I can't see any reason why you cannot have both firewalls terminating SSL and IPsec traffic on their external interfaces. As long as you keep the addressing totally separate so there is no confusion in routing the packets, you should be fine.

Jon
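Jon's "keep the addressing totally separate" advice is the one condition that makes the two-box setup safe, and it is easy to check before touching the 5520. The script below is an added example, not configuration from this thread or from Cisco: it reads constructed running-config fragments for both firewalls (the interface addresses, pool names and crypto-map names are assumptions), pulls out every `ip local pool` and every addressed interface, and reports any VPN pool that overlaps a pool on the other box or any interface subnet on either box. It goes slightly beyond the thread by also catching a pool that lands on the 5520's DMZ subnet, which is exactly where the 5510's outside interface lives in this design.

```python
import ipaddress
import re
from itertools import combinations

# Constructed running-config fragments standing in for the two firewalls in
# the thread; addresses, pool names and map names are assumptions, not the
# poster's real configuration.
ASA_5520 = """
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.240
interface GigabitEthernet0/2
 nameif dmz
 ip address 192.0.2.1 255.255.255.0
ip local pool RA_POOL_5520 10.20.0.1-10.20.0.254 mask 255.255.255.0
crypto map OUTSIDE_MAP interface outside
"""

ASA_5510 = """
interface Ethernet0/0
 nameif outside
 ip address 192.0.2.10 255.255.255.0
ip local pool RA_POOL_5510 10.10.0.1-10.10.0.254 mask 255.255.255.0
crypto map OUTSIDE_MAP interface outside
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.MULTILINE)


def parse_pools(config):
    """Return {pool_name: network} for every 'ip local pool' line.

    The start-end range is widened to the subnet implied by its mask. That is
    the conservative choice for an overlap check: clients will treat the whole
    masked subnet as on-link, so a clash anywhere in it matters."""
    pools = {}
    for name, start, _end, mask in POOL_RE.findall(config):
        pools[name] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    return pools


def parse_interfaces(config):
    """Return {nameif: network} for every interface that carries an IP address."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None                      # new interface block, nameif not seen yet
        elif line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" ip address ") and current:
            _, _, addr, mask = line.split()[:4]
            interfaces[current] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return interfaces


def find_overlaps(configs):
    """configs: {device_name: running_config_text}.

    Reports every VPN pool that overlaps another pool (on any device) or an
    interface subnet on any device. Interface/interface overlap is deliberately
    not reported: the 5510's outside sitting on the 5520's DMZ subnet is the
    design described in the thread, not an addressing mistake."""
    items = []
    for device, cfg in configs.items():
        items += [(device, "pool", n, net) for n, net in parse_pools(cfg).items()]
        items += [(device, "interface", n, net) for n, net in parse_interfaces(cfg).items()]
    conflicts = []
    for a, b in combinations(items, 2):
        if a[1] == "interface" and b[1] == "interface":
            continue
        if a[3].overlaps(b[3]):
            conflicts.append((f"{a[0]}:{a[1]}:{a[2]}", f"{b[0]}:{b[1]}:{b[2]}"))
    return conflicts


if __name__ == "__main__":
    found = find_overlaps({"asa5520": ASA_5520, "asa5510": ASA_5510})
    for conflict in found or ["no overlapping addressing between the two ASAs"]:
        print(conflict)
```

Run it against the real `show running-config` output of both boxes before adding the crypto map, tunnel-group and group-policy on the 5520; an empty result is the condition under which the two firewalls can terminate SSL and IPsec side by side without one answering for the other's clients.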

Thanks champ!

Not sure why the external interface of the 5510 was dropped into the DMZ of the 5520.

I'd have done the internal perhaps and run the two externals in the same subnet.

But anyway...

Thanks

Yes, so would I, but I have seen it done like this before.

Advantage is that you can make sure only IPsec/SSL traffic goes to the outside interface of the 5510.

But you could do this on your upstream router.

Downside, and it can be quite a big one: it can really play havoc with NAT etc.

Jon
