Cisco ASA 5520 VPN IP help?

Jan 13th, 2008

Hi, I have a Cisco PIX 515 and a Concentrator for the VPN side. I'm getting rid of these 2 and replacing them with 2 ASA 5520s (active/standby). I hope to eventually move the site-to-site VPNs and client VPNs over at some point and hope it's like the Concentrator to set them up. I was just wondering what the 5520 VPN IP will be? I guess the ASA 5520's "outside" interface will have the same external IP as the PIX (after migration), but will the VPNs also use this address, or can I use the public IP of the concentrator after migration, or will it simply use the "outside" IP of the ASA?


Thanks

JORGE RODRIGUEZ Sun, 01/13/2008 - 19:12
User Badges:
  • Green, 3000 points or more

Andy, I would like to provide you with a couple of links for you to be aware of some differences between the Cisco VPN Concentrator and the Cisco ASA, specifically PPTP, which is the Microsoft client I would say is still largely used these days. If you are planning in the near future on getting rid of the VPN Concentrator and still using PPTP, the ASA does not support it as an endpoint for PPTP unless you have a Windows Remote Access Server and let PPTP pass through and keep your PPTP users, but hopefully this is not your case.


I would suggest, though, since you are replacing the PIXes with ASAs, to start building your standards for using the Cisco VPN client on the ASA; you could have both in parallel while migrating your users to the Cisco VPN client using the ASA endpoint.


Migrating from VPN Concentrator 3000 to ASA

http://www.cisco.com/en/US/docs/security/asa/asa70/vpn3000_upgrade/upgrade/guide/miFeatureDiffs.html


With the ASA there are quite a few options for remote access, such as clientless SSL VPN remote access; see the link below for remote access basic configuration etc.


ASA Remote Access VPN

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml#intro


As for the VPN clients' IPs, you have several options: either you could create a VPN IP pool on the same ASA appliance, where your users will be assigned dynamic IP addresses once connected; however, you also have the option to use DHCP relay, where you could use a Windows DHCP server to assign your VPN users IP addresses. For authentication you could use the ASA local user database using AAA for authentication, or have an external Windows IIS RADIUS server for authentication.


I think since you have the VPN Concentrator in production you can have both functioning in parallel and start migrating your L2L connections with minimal downtime, as well as begin implementing remote access using the Cisco VPN client and start testing it.


On your migration of the PIX and ASA outside interface IP address you have a few options, but the one that comes to mind is a hot cutover, which is much easier and better for falling back to the PIX in the event you run into problems. What I would do is build your ASA configuration offline (access lists, static NATs, NAT pools, interface configuration) as that of the PIX and plan a hot cutover. If you need further assistance we are always here to assist in anything we can.


Rgds

Jorge
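As an added illustration, not Jorge's configuration and not taken from the Cisco documents linked above, this is how the two address-assignment choices he describes (a pool held on the ASA versus addresses relayed from a Windows DHCP server) and RADIUS authentication fit together in an ASA remote-access IPsec configuration using 8.0-era syntax. Every name, address and key in it is a placeholder I made up; adjust them to your own addressing, and note that the remote clients connect to the ASA's outside interface address.

```cisco
! Added example (not from this thread): remote-access IPsec VPN on an ASA,
! ASA 8.0-style syntax. All names, addresses and keys are placeholders.

! --- Option 1: IP pool held on the ASA itself (the concentrator-style local pool)
vpn-addr-assign local
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! --- Option 2 (alternative, shown commented out): addresses from a Windows DHCP server
! vpn-addr-assign dhcp
! (then add "dhcp-server 192.168.1.20" under the tunnel-group general-attributes
!  and remove "address-pool VPN_POOL")

! --- RADIUS authentication against the existing Windows RADIUS server
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 192.168.1.10
 key REPLACE_WITH_RADIUS_SHARED_SECRET

! --- Group policy: what clients receive once authenticated
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy REMOTE_GP internal
group-policy REMOTE_GP attributes
 vpn-tunnel-protocol IPSec
 dns-server value 192.168.1.5
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! --- Tunnel group: the Cisco VPN client's "group name" and pre-shared key
tunnel-group REMOTE_TG type ipsec-ra
tunnel-group REMOTE_TG general-attributes
 address-pool VPN_POOL
 authentication-server-group RADIUS_SRV
 default-group-policy REMOTE_GP
tunnel-group REMOTE_TG ipsec-attributes
 pre-shared-key REPLACE_WITH_GROUP_KEY

! --- IKE/IPsec; clients are pointed at the outside interface address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! --- Pre-8.3 NAT exemption so traffic between the pool and the inside LAN is not translated
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Building this on the ASA while the concentrator still serves production users costs nothing: the tunnel group only answers clients that are pointed at the ASA's outside address with its group name and key, so the cutover is a change in the client profile rather than on the firewall.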


whiteford Sun, 01/13/2008 - 23:07

Thanks Jorge for your detailed response. I forgot to mention all my client connections do use the Cisco VPN client and point to the Concentrator 3015's public IP, and I use Windows RADIUS for authentication. I'm not sure if DHCP relay is in use; I'm pretty sure users are getting an IP assigned to them from the concentrator. Is this possible?


What I might do then is get the ASA up and just doing the job the PIX did and continue to use the concentrator for VPNs. Once I'm happy the ASA is OK, then I can practise with client VPN on the ASA. I will then need to somehow change the client VPNs to point to the new external IP of the ASA.


Does this sound like a logical plan?

JORGE RODRIGUEZ Mon, 01/14/2008 - 08:51

Yes, this sounds like a very good plan. If your users are currently using the Cisco VPN client, that makes things easier, at least for the client side, where you do not need to have your users install the Cisco VPN client for that matter.


As for your plan, again, it is good; that will leave you room to implement VPN in the ASA5510 and test it while having the concentrator up in production. When tests indicate success on the ASA you can gradually migrate users to point to the new VPN ASA outside IP address.


As for your first question on DHCP in the concentrator: the appliance has the option to use the local user database as well as to assign the users' IP addresses defined locally at the concentrator. You could confirm this by looking at whether you have an external DHCP server as well as an external authentication server in the device.


That can be found at:


For authentication

Configuration>System>Servers>Authentication


For Accounting

Configuration>System>Servers>Accounting


For DHCP external

Configuration>System>Servers>DHCP


If you see external servers configured in the VPN concentrator in the above, that means these tasks are administered by external servers.


On the other hand if you go to address management at:


Configuration>System>Address Management>Assignment


and

Configuration>System>Address Management>Pools


you will see whether the options are checked off to use either the internal address pool or external DHCP services.



Rgds

Jorge




whiteford Wed, 01/16/2008 - 12:17

Looks like I use a local DHCP pool on the concentrator. Does the ASA do this?


What is the Accounting used for? I use the Authentication for RADIUS.
