Network Architecture?

Unanswered Question
Feb 4th, 2008

Not sure where to post this but I thought I would start here. We recently purchased an ASA 5510. I am getting ready to implement it and have some questions / opinions on how to do it.

Here is the issue. We have two WAN connections, a T1 and a DSL connection that go to a dual WAN router. Then from the router to the core switch. My question is this. Do I put the ASA behind the dual WAN router or in front of it? The main purpose of the ASA is for client VPN access.

I look forward to your thoughts....Thanks

Jon Marshall Mon, 02/04/2008 - 13:48


I would put the ASA device between your WAN router and the core switch assuming that your core switch is doing the routing for the internal network.

I'm assuming that the client VPN access is coming from the two connections on the WAN router.


jglover72 Mon, 02/04/2008 - 13:51

Thanks for the quick response. If I put it between the WAN router.... which is also acting as our firewall, which ports do I open on it to forward to the ASA for the VPN clients? Also at that point do I not assign a WAN IP to the ASA, or assign it two private IPs at that point?

Jon Marshall Mon, 02/04/2008 - 13:59

Ah, you didn't mention that the router was acting as firewall.

If the ASA is acting purely to terminate remote access VPNs, does this mean you do not want the ASA to do any firewalling?

Your 2 WAN connections - can the remote access VPNs come across both links?


jglover72 Mon, 02/04/2008 - 14:07

I don't need the ASA to do any firewalling, but I'm not against it. But I can't afford to lose the dual WAN connectivity as it is for redundancy. We are using a hotbrick "name of the router" for our dual WAN router. So we go from the T1 router into the hotbrick and from a DSL modem into the hotbrick. It does load balancing from there.

For right now the only VPN connectivity will be by remote users via software VPN. They could come across both public WANs; I was just thinking of coming across the T1.

Have I lost you yet? Sorry about the confusion.

Jon Marshall Mon, 02/04/2008 - 14:25

Okay, not familiar with a hotbrick so it's a bit difficult to say for sure where to place the ASA.

Could you send a quick topology diagram with the addressing showing your WAN routers/hotbrick and core switch if possible.


Jon Marshall Mon, 02/04/2008 - 14:39


Okay, thanks for that. Presumably that was one you already had :).

You have 2 options

1) Place the ASA device alongside your hotbrick and give the ASA external interface an IP address out of the T1 public subnet range. Firewall the VPN traffic on the ASA and connect the internal interface onto an internal subnet. This is assuming you only want to provide remote access VPNs on the T1. If you want to provide it to both links then you could use 2 interfaces on your ASA, one from each public subnet. Note that if the routers connect directly to the hotbrick you would need to insert a switch. Non-VPN traffic does not go through the ASA.

2) Place the ASA in between the hotbrick and the core switch. You would have to use private addressing on both interfaces and port forward from your router firewall. You will also need to enable NAT-T.


jglover72 Mon, 02/04/2008 - 14:45


Thanks for your help, if I do this:

2) Place the ASA in between the hotbrick and the core switch. You would have to use private addressing on both interfaces and port forward from your router firewall. You will also need to enable NAT-T.

1. What ports would I need to port forward from the hotbrick to the ASA?

2. Not familiar with NAT-T, enable it on the ASA? What are the commands for that?

Jon Marshall Tue, 02/05/2008 - 11:34


Apologies, been a little bit busy

1) IKE port UDP 500, 4500. IP PORT 50 - ESP

2) crypto isakmp nat-traversal
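One caveat on the port list above: ESP is IP protocol 50, not a TCP/UDP port, and many small NAT routers cannot forward it at all. That is exactly why NAT-T matters for option 2: once the client and the ASA detect the NAT, ESP is carried inside UDP 4500, so forwarding UDP 500 and UDP 4500 to the ASA's outside address is sufficient. The configuration below is an added example of the option 2 layout (ASA inline between the hotbrick and the core switch, private addressing on both sides) in ASA 8.0 syntax; it is not from the thread or from Cisco documentation. The addresses (hotbrick LAN 192.168.1.0/24, inside 10.0.0.0/24, VPN pool 10.0.10.0/24), the interface numbers, and the names RA-GROUP, RA-POLICY, VPNPOOL, NONAT and SPLIT are assumptions.

```cisco
! Added example (not from the thread): ASA 5510 inline behind the hotbrick.
! Assumed addressing: hotbrick LAN 192.168.1.0/24 (hotbrick is .1), inside 10.0.0.0/24,
! VPN address pool 10.0.10.0/24. On the hotbrick, forward UDP 500 and UDP 4500 to 192.168.1.2;
! ESP (IP protocol 50) need not be forwarded once NAT-T is enabled.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Inside hosts leave through the ASA's outside address; the hotbrick NATs a second time to the public IP.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! Do not translate traffic between the inside LAN and connected VPN clients.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
ip local pool VPNPOOL 10.0.10.1-10.0.10.50 mask 255.255.255.0
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! NAT-T with a 20 second keepalive so the hotbrick's UDP 4500 translation does not time out.
crypto isakmp nat-traversal 20
!
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set RA-TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
!
! Only the inside LAN is sent through the tunnel; everything else stays on the client's own connection.
access-list SPLIT standard permit 10.0.0.0 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
! Group name and pre-shared key go into the VPN client profile; users then authenticate with XAUTH
! against the local database (the default authentication-server-group is LOCAL).
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool VPNPOOL
 default-group-policy RA-POLICY
tunnel-group RA-GROUP ipsec-attributes
 pre-shared-key <long-random-group-key>
username vpnuser password <user-password> privilege 0
```

Two things to check after pasting this in: the core switch (or whatever routes 10.0.0.0/24) needs a route for 10.0.10.0/24 pointing at the ASA's inside address, or replies to VPN clients never come back; and `show crypto isakmp sa` on a connected client should show the peer on port 4500, which confirms NAT-T kicked in and the hotbrick forwarding is working. Decrypted VPN traffic bypasses the outside interface ACL because `sysopt connection permit-vpn` is on by default; if you want to restrict what VPN users can reach, put a `vpn-filter` on RA-POLICY rather than relying on the outside ACL.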



acheron69 Thu, 03/20/2008 - 16:10

You could have the ASA5510 placed in parallel to the Hotbrick using the dual ISP feature of it. Assign 1 IP from the T1 and DSL IP pool to the outside and backup interface. The client VPN will have the T1 as primary VPN and DSL as backup.
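The parallel placement described here, and in Jon's option 1 with both links, as an added example that is not from the thread: the ASA gets its own address on each public subnet, probes the T1 gateway with an SLA monitor, and withdraws its tracked default route when the T1 dies so its own traffic leaves via the DSL. Existing VPN sessions still drop, so the group policy also pushes the DSL address to the Cisco VPN Client as a backup server. The subnets (203.0.113.8/29 for the T1, 198.51.100.8/29 for the DSL, both documentation ranges), the interface numbers and the names RA-POLICY and OUTSIDE_MAP are assumptions; the remote-access pieces themselves (pool, tunnel-group, dynamic crypto map) are the same for any placement and are left out, so only what the dual-ISP layout changes is shown.

```cisco
! Added example (not from the thread): ASA 5510 beside the hotbrick with one address on each ISP subnet.
! Assumed T1 subnet 203.0.113.8/29 (gateway .9) and DSL subnet 198.51.100.8/29 (gateway .9).
! A small switch on each public subnet lets the ASA share the link with the hotbrick; non-VPN traffic
! still goes through the hotbrick and never touches the ASA.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface Ethernet0/2
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
! ICMP probe to the T1 gateway every 10 seconds; when it fails, track 1 goes down and the
! tracked default route is removed, leaving the higher-metric DSL route in the table.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.9 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.9 254
!
! Terminate IKE on both public interfaces. OUTSIDE_MAP is the crypto map that carries the
! dynamic remote-access entry (defined with the rest of the VPN configuration).
crypto isakmp enable outside
crypto isakmp enable backup
crypto map OUTSIDE_MAP interface outside
crypto map OUTSIDE_MAP interface backup
!
! Pushed to the Cisco VPN Client: if the T1 address stops answering, retry on the DSL address.
group-policy RA-POLICY attributes
 backup-servers 198.51.100.10
```

Worth knowing before relying on this: the probe only proves the T1 gateway answers pings, not that the T1 carries traffic end to end, so probing something one hop further out (the ISP's next hop, or a stable public address) is often a better signal; and because the ASA's inside address is on the same LAN as the hotbrick, the core switch must route the VPN pool to the ASA's inside address rather than to the hotbrick, or return traffic for VPN clients leaks out the wrong box.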

