01-25-2008 12:38 PM - edited 03-11-2019 04:53 AM
We have a client that is currently using a PIX 506E at the Main office and at several sites doing site-to-site VPN. All of the users at the Remote sites access the Internet through the Main site; this is currently being handled by a Linux firewall. The client would like to retire the Linux firewall and just use one firewall for the VPNs and Internet access, along with potential URL filtering at the Main office. Is this a supported configuration on an ASA?
01-25-2008 12:59 PM
I think this should be possible with the ASA using the permit intra interface command.
What you need is to tunnel all traffic from the remote locations to the ASA and then configure permit intra interface and then have the ASA NAT to a valid routable IP for internet access. And then use Websense or N2H2 to do content filtering.
Please refer to the URL below; even though it is for the VPN Client, I am sure that you can apply the same concept to the L2L tunnel as well.
But I would strongly recommend that you get an ASA if possible and test it thoroughly before migrating over. If you are interested, you may want to look at the new ASA 5580 :-)
Happy Testing.
Regards,
Arul
** Please rate all helpful posts **
01-27-2008 11:52 AM
Keep in mind the following information:
1- At the remote site, you need to specify the following as your interesting traffic. For example, let's say your remote location has a network of 10.1.1.0/24:
access-list IPSEC permit ip 10.1.1.0 255.255.255.0 any
crypto map ipsec 10 match address IPSEC
This will allow traffic from the remote location to be encrypted when going to the CORP ASA. This configuration will go to ALL remote location devices.
By the way, I described this on another similar post not too long ago. If you search for cisco24x7, you will see that post.
CCIE Security