changing VPN solutions to ASA5520

bwilmoth Mon, 04/07/2008 - 06:53

With PIX/ASA version 7.0 and later, a new feature is introduced that allows the PIX to support hairpinning in a VPN environment.

When the PIX/ASA is the hub in a VPN environment, this feature supports spoke-to-spoke VPN communications, as it provides the ability for encrypted traffic to enter and leave the same interface. If the traffic is un-encrypted, it is dropped. There is another new feature in PIX version 7.0 that allows traffic to flow between two interfaces of the PIX that have the same security level.

You can get more information regarding ASA 5520 from this link

http://www.cisco.com/en/US/products/ps6120/prod_installation_guides_list.html
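As an added illustration (not part of the post above or of Cisco's documentation), the ASA 7.x/8.x CLI lines that turn on the two features just described, with a minimal check afterwards. Interface names, ACL names and the 10.x.x.x addresses are constructed placeholders for a hub with two spokes:

```cisco
! Feature 1: VPN hairpinning. Encrypted traffic may enter and leave the
! same interface (outside), so spoke A can reach spoke B through the hub.
same-security-traffic permit intra-interface
!
! Feature 2: traffic may flow between two interfaces that carry the
! same security level (for example two "inside" segments both set to 100).
same-security-traffic permit inter-interface
!
! Hairpinned spoke-to-spoke traffic still has to match the crypto ACL of
! BOTH spoke tunnels on the hub; plaintext that does not match a tunnel is
! dropped, as the post says. Constructed example: hub LAN 10.0.0.0/24,
! spoke A 10.1.0.0/24, spoke B 10.2.0.0/24.
access-list SPOKE_A_CRYPTO extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list SPOKE_A_CRYPTO extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list SPOKE_B_CRYPTO extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list SPOKE_B_CRYPTO extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! Verify both settings are present in the running configuration.
show running-config | include same-security
```

The same two `same-security-traffic` lines are independent of each other: enabling `intra-interface` alone is enough for the hub-and-spoke case, while `inter-interface` only matters when two interfaces are deliberately configured with equal security levels. Neither command bypasses interface ACLs, so access lists applied to the outside interface still govern what the hairpinned sessions may carry.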

Darthkim_2 Sun, 04/13/2008 - 13:22

We are in the process of migrating from a Nortel Contivity 2700 series to two 5520 ASAs.

In the process, we decided to move from IPSEC to SSL VPN.

Some notes:

- Make sure that you are on at least 8.0.3(9) version. It fixes a lot of issues with the SSL VPN.

- There are some routing things that could be done on the Nortel that cannot be done on the ASA. It's not a dealbreaker, but it has to do with the fundamental design of the ASA (as a security device) vs. Contivity (router + security device).

- In SSL VPN mode, make sure to test all your apps with the default DTLS option. We ended up running into problems with our Outlook clients and SAP GUI clients. Disabling DTLS sped up performance tremendously.

Good Luck!
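As an added example (not from the poster's configuration), the part of an ASA 8.0-era SSL VPN configuration where the DTLS behaviour described above is controlled, so the default and the "DTLS off" variant can be compared on a per-group-policy basis. The group-policy name and the image path are placeholders, and the exact keyword syntax should be checked against the command reference for the running release, since it changed in later trains:

```cisco
! Global SSL VPN enablement on the outside interface. With DTLS enabled,
! the client negotiates a UDP 443 DTLS tunnel alongside the TCP 443 TLS one.
webvpn
 enable outside
 svc image disk0:/anyconnect-PLACEHOLDER.pkg 1
 svc enable
!
! Default: DTLS on for this group (what the post recommends testing first).
group-policy SSL_USERS_DTLS attributes
 webvpn
  svc dtls enable
!
! Variant: DTLS off, forcing all tunnel traffic over TCP/TLS. This is the
! change the poster found fixed Outlook and SAP GUI behaviour.
group-policy SSL_USERS_NODTLS attributes
 webvpn
  no svc dtls enable
!
! Confirm whether a connected client actually has a DTLS tunnel established.
show vpn-sessiondb svc
```

Keeping the two group policies side by side lets a small pilot group run with DTLS disabled while the rest stay on the default, which narrows the problem to DTLS (typically UDP path or MTU issues between client and ASA) before the setting is changed for everyone.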
