07-09-2008 02:29 PM
I have a Cisco ASA doing NAT.
I have a 2801 with AIM VPN.
Should I place the external interface of the router outside of the firewall and the internal interface of the router in the DMZ of the ASA, then run IOS firewall on the outside... or place the external interface of the router in the DMZ of the ASA and the internal interface of the router in the internal network, then do a one-to-one NAT to the external interface of the router with the ASA? If I do the 2nd option, will I have headaches with NAT and IPsec tunnels? Specifically, if I want to protect the public NAT'd IP addresses of servers in a DMZ instead of the private ones so I don't have overlapping LANs...?
Thanks!
07-10-2008 03:26 AM
As I understood from your suggestion, the encrypted IPsec tunnel will go to DMZ-1 to the router; then, after it gets decrypted, it goes to the router's inside interface, then to the ASA dmz-2, and finally to the ASA inside interface toward the private network!
It is good for security but has a couple of disadvantages, as you mentioned: it will put a higher performance load on the firewall, and it will consume more interfaces and public IP addresses.
As I suggested before, and as is also suggested by several Cisco security courses and design models, it is better to divide your network into security layers.
So when you put the router in front of the firewall it will be considered a perimeter router, and at this stage you can allow only known good traffic (called the security policy model) and also terminate the VPN on it; thus the VPN traffic will go unencrypted to the firewall (the idea is the same as yours), so the traffic of the VPN connection will be subject to inspection by the firewall, for example application inspection, additional packet filtering on top of the filtering done on the perimeter router, and maybe it will be sent to an AIP-SSM IPS module for signature inspection (called the signature model, which denies known bad traffic).
This will also be part of a security-in-depth deployment.
Thank you, and rate if useful.
07-09-2008 08:21 PM
Hi,
DMZ is the best place.
Thanks,
Dharmesh Purohit
07-09-2008 09:28 PM
My suggestion to you is as follows:
Put the router in front of the ASA and make it the termination point for VPN connections.
This way the connections from the VPN (whether site-to-site or remote-access VPN) will flow through the firewall as unencrypted traffic, so you can monitor it, inspect it and filter it more precisely.
Don't forget to make the permit command statements for your VPN traffic on the router and the ASA.
Also, you can move the NATing to the router instead of the firewall.
Good luck, and if you have any more questions send them.
Rate if helpful.
07-10-2008 02:44 AM
This is a typical design for most financial service companies:
- place the external interface of the VPN router behind the ASA firewall in dmz-1, but this DMZ will have public IP addresses,
- place the internal interface of the VPN router behind the ASA firewall in dmz-2, but this DMZ will have private IP addresses.
This way the default gateway of the VPN router points toward the firewall. Furthermore, you can protect the VPN router with the ASA and do not have to run the IOS firewall feature set on the router itself.
Of course the downside of this is that both encrypted and unencrypted traffic will have to traverse the firewall, but if you have a high-performance firewall, it will not be an issue.
That's my 2c.
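For the two-DMZ design described in this post, the ASA policy would look roughly like the following. This is an added example, not configuration from anyone in the thread; all interface names, addresses (documentation ranges), the remote peer and the permitted services are constructed, and the syntax is the pre-8.3 ASA form current in 2008.

```cisco
! Added example, not from the thread. Constructed addressing:
!   outside 203.0.113.2/29, upstream gateway 203.0.113.1
!   dmz1    203.0.113.9/29 (public), VPN router outside interface 203.0.113.10
!   dmz2    10.20.0.1/24 (private), VPN router inside interface 10.20.0.2
!   inside  10.10.0.0/16; remote site LAN 10.30.0.0/24 behind peer 198.51.100.5
!
! Routing: the VPN router's default route points at 203.0.113.9 (dmz1); the ASA
! reaches the remote LAN only through the router's inside interface on dmz2.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route dmz2 10.30.0.0 255.255.255.0 10.20.0.2
!
! dmz1 carries public addresses, so the router's outside address must not be
! translated on its way to the Internet (identity static). inside<->dmz2 traffic
! is left untranslated (nat-control is off by default on 7.x/8.x).
static (dmz1,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255
!
! outside -> dmz1: only IKE (UDP/500), NAT-T (UDP/4500) and ESP from the known
! peer may reach the VPN router; everything else aimed at the router is dropped.
access-list OUTSIDE_IN extended permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit esp host 198.51.100.5 host 203.0.113.10
access-group OUTSIDE_IN in interface outside
!
! dmz1 -> outside: the router itself may only speak IKE/NAT-T/ESP to the peer,
! so its outbound reach is limited to the tunnel it exists to terminate.
access-list DMZ1_OUT extended permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
access-list DMZ1_OUT extended permit udp host 203.0.113.10 host 198.51.100.5 eq 4500
access-list DMZ1_OUT extended permit esp host 203.0.113.10 host 198.51.100.5
access-group DMZ1_OUT in interface dmz1
!
! dmz2 -> inside: this is the decrypted tunnel traffic. Because it is in the
! clear here, the ASA can filter it per application and run it through the
! default inspection policy (or an AIP-SSM), which it cannot do with ESP.
access-list DMZ2_IN extended permit tcp 10.30.0.0 255.255.255.0 10.10.0.0 255.255.0.0 eq https
access-list DMZ2_IN extended permit tcp 10.30.0.0 255.255.255.0 host 10.10.5.20 eq 1433
access-list DMZ2_IN extended permit icmp 10.30.0.0 255.255.255.0 10.10.0.0 255.255.0.0 echo
access-group DMZ2_IN in interface dmz2
!
! Drop packets claiming a remote-LAN source that arrive on the wrong interface:
! the only route to 10.30.0.0/24 is via dmz2, so RPF rejects them elsewhere.
ip verify reverse-path interface inside
ip verify reverse-path interface dmz2
```

Traffic from inside to the remote LAN is allowed by the default higher-to-lower security-level behaviour and is routed to the router on dmz2, so only the dmz2-to-inside direction needs an explicit ACL.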
07-10-2008 06:29 AM
I already have a perimeter router outside of my ASA. This router will be dedicated for site to site VPNs. It has an AIM-VPN module.
It sounds like the best way to go is to place the external interface outside of the ASA - there is a switch between the external router and the ASA.
If I go with placing the external interface of the router in the DMZ with a one-to-one NAT, would I be able to protect the NAT'd public IP address of, say, our web server?
07-10-2008 05:50 AM
About cisco24x7's suggestion:
How does this change when you want to use dual ASAs/routers for VPN failover/redundancy purposes?
07-10-2008 11:33 AM
If you have dual routers for VPN, then you will be talking about either GRE/IPsec or Stateful IPsec, sometimes referred to as InterProcess Communication (IPC). If the remote side is a Checkpoint firewall, then GRE/IPsec is not an option but stateful IPsec is.
Regarding Stateful IPsec, I have used it in my lab environment and I can say that it is not very stable. Maybe Cisco has improved this feature in 12.4T.
07-10-2008 06:24 PM
Not always; people use stateful or GRE for achieving this. It is desirable and useful to use routing protocols for high availability and load sharing with VPN when you have more than one device. It is also possible to use load-balancing devices such as the Cisco CSM module with the Cat6500 series; finally, with the ASA it is possible to use VPN clustering.
Not to mention HSRP and VRRP.
Thank you.
07-11-2008 03:32 AM
"with the ASA it is possible to use VPN clustering"
This is misleading. ASA in Active/Active mode can NOT terminate IPsec; I'm not sure about version 8.x, but it cannot terminate VPN in active/active mode. Furthermore, it is also misleading: in ASA Active/Active mode, you cannot load-share traffic on both ASAs to the same network behind the ASA. Active/Active in ASA is similar to IOS HSRP.