VPN Router, where to place?

Answered Question
Jul 9th, 2008

I have a Cisco ASA doing NAT.

I have a 2801 with AIM VPN.

Should I place the external interface of the router outside of the firewall and the internal interface of the router in a DMZ of the ASA, then run IOS firewall on the outside... or place the external interface of the router in a DMZ of the ASA and the internal interface of the router in the internal network, then do a one-to-one NAT to the external interface of the router with the ASA? If I do the second option, will I have headaches with NAT and IPsec tunnels? Specifically, if I want to protect the public NAT'd IP addresses of servers in a DMZ instead of the private ones, so I don't have overlapping LANs...?

Thanks!

purohit_810 Wed, 07/09/2008 - 20:21

Hi,


DMZ is the best place.


Thanks,

Dharmesh Purohit

Marwan ALshawi Wed, 07/09/2008 - 21:28

My suggestion to you is as follows:

Put the router in front of the ASA and make it the termination point for VPN connections.

This way the traffic from the VPN (whether site-to-site or remote-access VPN) will flow through the firewall as unencrypted traffic, so you can monitor it, inspect it and filter it more precisely.

Don't forget to add the permit statements for your VPN traffic on the router and the ASA.

Also, you can move the NAT to the router instead of the firewall.

Good luck, and if you have any more questions send them.

Rate if helpful.
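The following is an added example, not configuration posted by anyone in this thread. It shows the design Marwan describes in IOS 12.4 / ASA 8.0-era syntax: the 2801 sits in front of the ASA and terminates a site-to-site IPsec tunnel with a crypto map, an inbound ACL on its outside interface admits only IKE (UDP/500), NAT-T (UDP/4500) and ESP from the known peer, and the ASA permits and NAT-exempts the decrypted traffic so it is still inspected. Every address, hostname, ACL name and the remote peer are hypothetical; the pre-shared key is a placeholder. One caveat to verify on your image: on older IOS releases the decrypted packets were re-evaluated against the inbound interface ACL, in which case the inner subnets would also need permit entries in OUTSIDE-IN.

```cisco
! ---------- Perimeter router (2801 with AIM-VPN), IOS 12.4 syntax ----------
! Hypothetical addressing (not from the thread):
!   outside  203.0.113.2/30, ISP next hop 203.0.113.1
!   inside   192.0.2.1/29, ASA outside 192.0.2.2 (routed public block)
!   local LAN behind the ASA 10.1.0.0/16, remote site LAN 10.2.0.0/16
!   remote IPsec peer 198.51.100.10
!
hostname PERIM-RTR
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14                      ! older 12.4 images only offer groups 1, 2 and 5
crypto isakmp key <pre-shared-key> address 198.51.100.10
!
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Crypto ACL: exactly the traffic that belongs in the tunnel, nothing wider
ip access-list extended CRYPTO-TO-SITE-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES256-SHA
 match address CRYPTO-TO-SITE-B
!
! Outside ACL: only the IPsec control and data protocols from the known peer
! may reach the router's public interface; everything else is dropped and logged
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.10 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.10 host 203.0.113.2 eq non500-isakmp
 permit esp host 198.51.100.10 host 203.0.113.2
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside - ISP
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map CMAP
!
interface FastEthernet0/1
 description Inside - toward ASA outside interface
 ip address 192.0.2.1 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! The local LAN lives behind the ASA, so decrypted traffic is handed to the ASA
ip route 10.1.0.0 255.255.0.0 192.0.2.2

! ---------- ASA behind the router, 8.0 syntax ----------
! Decrypted site-to-site traffic now arrives in the clear on the outside
! interface and is subject to the ASA's ACL and application inspection.
access-list OUTSIDE-IN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group OUTSIDE-IN in interface outside
!
! Inside hosts talking to the remote LAN must not be translated (NAT exemption),
! while ordinary Internet traffic still uses dynamic PAT on the outside address.
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

The crypto ACL and the ASA's OUTSIDE-IN and NO-NAT entries deliberately mirror each other: if the tunnel is widened later, all three need the same change, otherwise traffic is either not encrypted, not permitted, or translated before it reaches the tunnel. The AIM-VPN module needs no extra configuration; the router uses it for the ESP work automatically.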

cisco24x7 Thu, 07/10/2008 - 02:44

This is a typical design for most financial service companies:

- Place the external interface of the VPN router behind the ASA firewall in dmz-1, but this DMZ will have public IP addresses.

- Place the internal interface of the VPN router behind the ASA firewall in dmz-2, but this DMZ will have private IP addresses.

This way the default gateway of the VPN router points toward the firewall. Furthermore, you can protect the VPN router with the ASA and do not have to run the IOS firewall feature set on the router itself.

Of course the downside of this is that both encrypted and unencrypted traffic will have to traverse the firewall, but if you have a high-performance firewall, it will not be an issue.

That's my 2c.
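As an added example (not posted by cisco24x7 or anyone else in the thread), this is what the two-DMZ "sandwich" design above looks like on the ASA in 8.0-era syntax. The VPN router's public side lives in dmz1, its private side in dmz2, so the ASA filters the encrypted flow on the way in (only IKE, NAT-T and ESP from the known peer, toward the router's public address) and the decrypted flow on the way out of dmz2 (only the remote LAN, only toward the inside network). Interface names, security levels, all addresses and the remote peer are hypothetical.

```cisco
! ---------- ASA, 8.0 syntax ----------
! Hypothetical addressing (not from the thread):
!   outside 203.0.113.2/29   ISP gateway 203.0.113.1
!   dmz1    203.0.113.9/29   public range; VPN router outside interface = 203.0.113.10
!   dmz2    192.168.200.1/29 private range; VPN router inside interface = 192.168.200.2
!   inside  10.1.0.1/16      local LAN; remote site LAN 10.2.0.0/16
!   remote IPsec peer 198.51.100.10
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif dmz1
 security-level 25
 ip address 203.0.113.9 255.255.255.248
interface Ethernet0/2
 nameif dmz2
 security-level 75
 ip address 192.168.200.1 255.255.255.248
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0
!
! dmz1 already carries public addresses, so the router's outside address passes
! through untranslated (identity static; required while nat-control is enabled)
static (dmz1,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255
!
! Encrypted side: only the IPsec protocols, only from the known peer, only to the router
access-list OUTSIDE-IN extended permit udp host 198.51.100.10 host 203.0.113.10 eq isakmp
access-list OUTSIDE-IN extended permit udp host 198.51.100.10 host 203.0.113.10 eq 4500
access-list OUTSIDE-IN extended permit esp host 198.51.100.10 host 203.0.113.10
access-group OUTSIDE-IN in interface outside
!
! Decrypted side: the router hands clear-text traffic into dmz2; keep the rule as
! narrow as the tunnel itself so a compromised or misconfigured router gains nothing extra
access-list DMZ2-IN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group DMZ2-IN in interface dmz2
!
! Inside hosts reach the remote LAN through dmz2 without translation (NAT exemption)
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route dmz2 10.2.0.0 255.255.0.0 192.168.200.2 1

! ---------- VPN router (IOS) side of the same design ----------
! Default route toward the ASA's dmz1 interface (public side), internal LAN via dmz2
ip route 0.0.0.0 0.0.0.0 203.0.113.9
ip route 10.1.0.0 255.255.0.0 192.168.200.1
```

The cost cisco24x7 mentions is visible here: every packet of the tunnel crosses the ASA twice, once as ESP between outside and dmz1 and once in the clear between dmz2 and inside. The benefit is equally visible: the router's IOS firewall is not needed because nothing but the three IPsec protocols from one peer can ever reach it, and the only thing the router can inject into the internal network is what DMZ2-IN allows.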

Correct Answer
Marwan ALshawi Thu, 07/10/2008 - 03:26

As I understood your suggestion, the encrypted IPsec tunnel will go to DMZ-1 to the router; after it gets decrypted it goes out the router's inside interface to the ASA DMZ-2, and finally through the ASA inside interface toward the private network!

It is good for security, but it has a couple of disadvantages: as you mentioned, it will demand higher performance from the firewall, and it will consume more interfaces and public IP addresses.

As I suggested before, and as is also suggested by several Cisco security courses and design models, it is better to divide your network into security layers.

So when you put the router in front of the firewall it will be considered a perimeter router, and at this stage you can allow only known good traffic (called the security policy model) and also terminate the VPN on it. Thus the VPN traffic will go unencrypted to the firewall (the idea is the same as yours), so the traffic of the VPN connection will be subject to the firewall's inspection, for example application inspection, additional packet filtering on top of the filtering done on the perimeter router, and maybe it will be sent to the AIP-SSM IPS module for signature inspection (called the signature model, which denies known bad traffic).

This will also be part of a defense-in-depth deployment.

Thank you, and rate if useful.


trippi Thu, 07/10/2008 - 06:29

I already have a perimeter router outside of my ASA. This router will be dedicated for site to site VPNs. It has an AIM-VPN module.

It sounds like the best way to go is to place the external interface outside of ASA - there is a switch between external router and ASA.

If I go with placing the external interface of the router in a DMZ with a one-to-one NAT, would I be able to protect the NAT'd public IP address of, say, our web server?

trustcisco Thu, 07/10/2008 - 05:50

About cisco24x7's suggestion:

How does this change when you want to use dual ASAs/routers for VPN failover/redundancy purposes?

cisco24x7 Thu, 07/10/2008 - 11:33

If you have dual routers for VPN, then you will be talking about either GRE/IPsec or Stateful IPsec, sometimes referred to as InterProcess Communication (IPC). If the remote side is a Checkpoint firewall, then GRE/IPsec is not an option but stateful IPsec is.

Regarding Stateful IPsec, I have used it in my lab environment and I can say that it is not very stable. Maybe Cisco has improved this feature in 12.4T.

Marwan ALshawi Thu, 07/10/2008 - 18:24

People do not always use stateful failover or GRE to achieve this. It is desirable and useful to use routing protocols for high availability and load sharing with VPN when you have more than one device. It is also possible to use load-balancing devices such as the Cisco CSM module with the Catalyst 6500 series. Finally, with the ASA it is possible to use VPN clustering,

not to mention HSRP and VRRP.

Thank you.
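The GRE/IPsec-plus-routing-protocol option that cisco24x7 and Marwan both mention, written out as an added example (not configuration from either poster). Two local routers each carry a GRE tunnel protected by IPsec to the same remote hub; EIGRP runs inside the tunnels, so when one router's tunnel fails its neighbor relationship times out and the remote LAN is reached through the other router, with no stateful IPsec failover involved. Addresses, names, the remote hub and the pre-shared key are hypothetical; the remote side is assumed to be a Cisco router terminating both GRE tunnels (the reason this does not work toward a Checkpoint peer, as cisco24x7 notes).

```cisco
! ---------- RTR-A (primary), IOS 12.4 syntax ----------
! Hypothetical addressing (not from the thread):
!   RTR-A outside 203.0.113.2, RTR-B outside 203.0.113.3
!   remote hub 198.51.100.10, local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16
!   tunnel subnets: RTR-A 172.16.0.0/30, RTR-B 172.16.0.4/30
! RTR-B is identical except for the values marked "RTR-B".
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14                      ! older 12.4 images only offer groups 1, 2 and 5
crypto isakmp key <pre-shared-key> address 198.51.100.10
!
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport                ! GRE already adds an IP header; transport mode saves 20 bytes
!
crypto ipsec profile GRE-PROT
 set transform-set TS-AES256-SHA
!
! The tunnel interface is what the routing protocol runs over; "tunnel protection"
! encrypts every GRE packet without a crypto ACL, so whatever is routed in is protected.
interface Tunnel0
 description GRE/IPsec to remote hub   (RTR-B: ip address 172.16.0.5, tunnel source 203.0.113.3)
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400                   ! leave room for GRE + ESP overhead, avoid fragmentation
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.2
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile GRE-PROT
!
interface FastEthernet0/0
 description Outside - ISP
 ip address 203.0.113.2 255.255.255.252   ! RTR-B: 203.0.113.3
!
interface FastEthernet0/1
 description LAN side, shared segment with RTR-B
 ip address 10.1.0.2 255.255.0.0          ! RTR-B: 10.1.0.3
!
! EIGRP over the tunnels provides both liveness detection and the failover itself:
! the remote hub learns 10.1.0.0/16 from both routers and prefers the lower-delay path.
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 no auto-summary
!
! RTR-B only: raise the tunnel delay so its path is the backup while RTR-A is up
! interface Tunnel0
!  delay 20000
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The inside network (in this thread, the ASA) still has to learn 10.2.0.0/16 from both routers, either by running EIGRP on the ASA or by pointing a static route at an HSRP virtual address shared by RTR-A and RTR-B, which is where Marwan's mention of HSRP/VRRP fits in. Because the tunnels are point-to-point GRE, the same two routers can also load-share by letting EIGRP install both paths rather than preferring one.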

cisco24x7 Fri, 07/11/2008 - 03:32

"with asa it is possible to use vpn clusturing"

This is misleading. The ASA in Active/Active mode can NOT terminate IPsec; I am not sure about version 8.x, but it cannot terminate VPN in Active/Active mode. Furthermore, it is also misleading because in ASA Active/Active mode you cannot load-share traffic across both ASAs to the same network behind the ASA. Active/Active in the ASA is similar to IOS HSRP.
