Cisco ASA 5510 site to site VPN only

Unanswered Question
Dec 7th, 2007


Need some expert help. I will be deploying the Cisco ASA 5510 in a VPN site-to-site scenario only. One interface will be for the WAN and the other, LAN interface is connected to another firewall appliance. The main purpose of the ASA is for the branch site VPN connection only. My default gateway is pointing to the Internet router on my WAN interface. Should NAT be enabled on my WAN interface? The only expected traffic to go through my ASA is VPN traffic to the other site. I have already defined static routes and have gone through the wizard for site-to-site VPN and added my local and remote networks. Also, how do I approach my access policies? The default deny any any is in place. Should I allow anything on it? The firewall connected to my LAN interface is expected to do the filtering; like I said, the ASA's purpose is just to do site-to-site VPN. Thanks all

Jon Marshall Sat, 12/08/2007 - 02:10


If all you are doing is terminating IPsec site-to-site VPN tunnels then you do not need to worry about NAT or access-lists really.

As long as the outside interface of the ASA doing the VPNs is routable from the remote sites you should be fine.

As for permitting everything, if you mean permitting all traffic that comes through the VPN tunnel then yes, you may as well, because as you say you have another firewall behind it to do packet filtering.

Can I ask why you are using 2 firewalls rather than just the one?


yoyong.tabanan@... Sat, 12/08/2007 - 03:29

Thanks Jon. That is what I want to clarify as well. Running the site-to-site VPN wizard will automatically create the 'crypto map' access rules; will the existing deny all rule apply to the VPN traffic? I think there was an option that VPN traffic will bypass access rules.

So having NAT enabled for anything that goes out on my WAN interface would not matter at all, even if the VPN traffic will go out of that interface, right? Hope I don't sound confusing.

As for your second question, I know it sounds weird and is not good network design, but the customer just renewed the maintenance contract for the other firewall box, which is why he does not want to get rid of it yet, although ISA can perform the function as well. Thanks.

Jon Marshall Sat, 12/08/2007 - 05:51

Yes, there is an option for VPN traffic to bypass access-lists. It used to be

sysopt connection permit-ipsec

but from memory I think it is now

sysopt connection permit-vpn

You may as well use this as you don't want to filter traffic on this ASA.

Not sure about your NAT question. If you have users going out through both your firewalls and through your router, where are you NATting the traffic to a public IP address?


yoyong.tabanan@... Sat, 12/08/2007 - 06:47

Yes Jon. We just added the route on the firewall on the ASA's LAN interface saying that anything destined for the branch site will go to the ASA, and everything else will go to the Internet router. So we don't expect any Internet traffic to go through the ASA, only VPN traffic to the branch site. Which brings me back to my question: should there be any NAT, or would it matter if there is or not? And also, do I need to allow anything in my access policies? I hope I don't sound like I am going in circles. Thanks for all the responses.

Jon Marshall Sat, 12/08/2007 - 09:28

If you trust your remote sites then no, you do not need to have access policies. You are in effect extending your network out to these sites.

As for NAT, it does not matter. Personally I would avoid it if you don't need it.
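For reference, here is a minimal configuration for the setup discussed in this thread (one site-to-site tunnel, the ASA doing no filtering, the firewall behind it doing all of it). It is an added example in 2007-era (pre-8.3) ASA syntax, not the original poster's configuration or output from the VPN wizard; every address, interface name, ACL name and the peer IP are assumptions. The one caveat worth calling out: on these releases NAT is applied before the crypto map's match ACL is evaluated, so "NAT does not matter" only holds as long as no dynamic NAT/PAT rule on this ASA covers the LAN. If one does exist, the NAT exemption below is required, otherwise LAN-to-branch traffic is translated to the outside address, never matches the crypto ACL, and leaves for the Internet in the clear.

```cisco
! Added example (not the poster's configuration). Pre-8.3 ASA syntax.
! Assumed addressing: local LAN 192.168.1.0/24 behind the inner firewall (10.0.0.2),
! branch LAN 192.168.2.0/24, ASA outside 203.0.113.10/29, Internet router 203.0.113.9,
! branch ASA/peer 198.51.100.2.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
!
! Default route to the Internet router; the LAN itself sits behind the other firewall.
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
route inside 192.168.1.0 255.255.255.0 10.0.0.2 1
!
! Interesting traffic for the tunnel (the crypto map ACL the wizard generates).
access-list BRANCH_VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! NAT exemption. Harmless if no other NAT rules exist, mandatory if any dynamic NAT/PAT
! rule covers 192.168.1.0/24: NAT runs before the crypto map ACL is checked.
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! Phase 1 (IKE). Enabling isakmp on the interface also lets the ASA accept IKE (UDP/500),
! NAT-T (UDP/4500) and ESP addressed to itself without an inbound access-list entry.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key ChangeMe-assumed-secret
!
! Phase 2 (IPsec).
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address BRANCH_VPN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Decrypted tunnel traffic bypasses the interface access-lists, so the default
! deny-any-any on outside never sees it. This is the default setting and therefore
! does not appear in "show running-config"; "show running-config all sysopt" lists it.
sysopt connection permit-vpn
```

The branch end mirrors this with the two networks swapped in its crypto ACL and NAT exemption. Because the ASA's inside interface only ever sees the inner firewall, that firewall must itself route 192.168.2.0/24 to 10.0.0.1 and must not NAT branch-bound traffic to its own address, or the source will never match BRANCH_VPN.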



yoyong.tabanan@... Fri, 12/14/2007 - 23:21

Hi Jon,

Currently deploying the IPsec VPN tunnel, we are able to see the tunnel up but could not see the remote networks. What things could we possibly check?
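The checks below are an added example of how a practitioner would work through "tunnel up, remote LAN unreachable" on a pre-8.3 ASA; they are not from the thread, and the addresses reuse the assumed scheme (local 192.168.1.0/24, branch 192.168.2.0/24, peer 198.51.100.2, ACL NO_NAT). Each command is a standard ASA show/diagnostic command; the comments say what to look for.

```cisco
! Added example: diagnostic sequence, run on the local ASA (repeat on the branch ASA).
! 1. Is Phase 1 really up? Expect the peer 198.51.100.2 in state MM_ACTIVE.
show crypto isakmp sa
!
! 2. Phase 2: find the SA whose local/remote identities match the crypto ACL, then have a
!    LAN host ping 192.168.2.10 and re-run this, watching the counters:
!      #pkts encaps rising, #pkts decaps stays 0 -> traffic leaves encrypted; the far side
!         is dropping or misrouting the replies (its NAT exemption, crypto ACL or routes)
!      both counters stay 0                      -> the traffic never reaches the crypto map here
show crypto ipsec sa peer 198.51.100.2
!
! 3. Nothing encapsulated: trace a synthetic packet and read the phase that drops or
!    diverts it (ROUTE-LOOKUP, NAT, VPN ...). A NAT phase that rewrites the source to the
!    outside address means the NAT exemption is missing or does not cover this flow.
packet-tracer input inside icmp 192.168.1.10 8 0 192.168.2.10 detailed
!
! 4. Routing: 192.168.2.0/24 must resolve to the outside interface (normally via the default
!    route) with no more specific route pointing elsewhere. On the inner firewall, branch
!    traffic must be sent to the ASA's inside address and must not be NATted on the way.
show route
!
! 5. Confirm the exemption and the access-list bypass are actually in effect.
show running-config nat
show running-config access-list NO_NAT
show running-config all sysopt | include permit-vpn
!
! 6. After changing a crypto ACL or NAT rule, tear down the stale SA and retest.
clear crypto ipsec sa peer 198.51.100.2
```

If both sides show encaps rising and decaps zero, the problem is almost always that the two crypto ACLs are not exact mirrors of each other or that one side is NATting the interesting traffic; if packet-tracer drops in the ACL phase, the decrypted traffic is hitting an interface access-list because the permit-vpn bypass has been turned off.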


