ASA VPN question

Unanswered Question

I'm getting ready to move our VPN connections from the VPN Concentrator to our ASA, which is also our internet firewall. My question is, does it make sense to connect one of the ASA's unused ports to the DMZ and use that as the VPN port, or just configure VPN to come in to the outside interface (which is already plugged in to the DMZ anyway)? My thought was to plug in a new port with a new IP to keep VPN traffic separate from other internet traffic.

Marwan ALshawi Sat, 09/20/2008 - 03:57

This depends on whether you have another ISP connection!

If you have two ISPs, you can make two interfaces and give VPN users the secondary ISP's public IP, and use the primary one for outbound internet traffic.

But if you have only one interface with one ISP, you must use only your outside interface.

Good luck.

If helpful, rate.

cisco24x7 Sat, 09/20/2008 - 06:02

Marwanshawi,

Have you ever implemented this in a production environment, and does it work without any glitches? I am interested to know.

Marwan ALshawi Sat, 09/20/2008 - 06:38

Hi David,

The idea is this: let's say you have two ISP connections.

We know that with the ASA we can't do load balancing, but we can make the links work in a primary and backup manner.

You can use ISP1 as the exit point for outbound traffic through, for example:

route outside 0 0 [ISP1]

route outside2 0 0 [ISP2] [higher metric]

Now ISP1 is preferred; if it goes down, ISP2 will be used.

For load sharing you can (but don't have to) give the VPN users the public IP address of the link with ISP2.

In that case, let's say both ISP links are operational, then outbound traffic will be through ISP1 and VPN through ISP2, which is good.

But if you have one link, I mean one exit point to the internet, you won't be able to implement it.

The link for ASA with two ISPs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Good luck.

If helpful, rate.

cisco24x7 Sat, 09/20/2008 - 07:19

I am very well aware of this. But the question he asked is that he wants to separate VPN users' traffic from other Internet traffic. By that, I assume he means "inbound" traffic.

In other words, he wants "inbound" internet traffic to use the primary link while the VPN users will be using the secondary link for "inbound" VPN traffic?

I just don't see how that is possible.

The link you described is for outbound traffic. VPN traffic is inbound.

Marwan ALshawi Sat, 09/20/2008 - 07:23

The link is halfway there.

The link lets you configure the redundant links.

Then you need to set up the VPN, use the secondary interface for the VPN and give the VPN client the secondary public IP address. In this case the VPN inbound traffic and communication will be through the secondary ISP (interface), while other traffic like outbound internet will normally be through the primary, and if the primary goes down it will be through the secondary.

Hope this time it's clear :)
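The two-uplink arrangement described in the posts above, as an added illustration that is not from this thread or from Cisco's document: a primary/backup default-route pair, with remote-access IPsec bound to the second interface so VPN clients are given that interface's address. Interface names, addresses (RFC 5737 documentation ranges) and crypto object names are placeholders; an isakmp policy, tunnel-group and group-policy for the clients are assumed to exist already.

```cisco
! Illustrative ASA configuration (not from the thread); all names and
! addresses are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Probe ISP1's gateway; when the probe fails, the tracked primary route
! is withdrawn and the higher-metric route via ISP2 takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
route outside  0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Terminate the remote-access VPN on outside2 only. Clients connect to
! 203.0.113.2, so VPN sessions ride ISP2 while ordinary outbound traffic
! follows the preferred default route via ISP1.
crypto isakmp enable outside2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map VPN_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside2
```

Because the crypto map is bound only to outside2, a client pointed at the outside (ISP1) address will not be able to negotiate a tunnel, which is the intended separation; if ISP2 fails, the VPN is unavailable until it recovers, since no crypto map is applied to outside.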

cisco24x7 Sat, 09/20/2008 - 07:34

That goes back to the question I had before. Have you implemented this in a production network, and does it work without any glitches?

I am very skeptical of these configurations, and I am sure there are a lot of caveats that will come with this.

Well, my question actually was to separate only VPN traffic to a different interface. I have a /24 block of IPs from our ISP, so this second interface would still go through the same ISP but have a different IP address. Then I'd set up DNS to point to that IP for VPN only. All outbound internet traffic (and other inbound traffic like mail) would still go through the other primary interface.
