ASA VPN question


I'm getting ready to move our VPN connections from the VPN Concentrator to our ASA which is also our internet firewall. My question is, does it make sense to connect one of the ASA's unused ports to the DMZ and use that as the VPN port or just configure VPN to come in to the outside interface (which is already plugged in to the DMZ anyway)? My thought was to plug in a new port with a new IP to keep VPN traffic seperate from other internet traffic.

Marwan ALshawi Sat, 09/20/2008 - 03:57

This depends on whether you have another ISP connection!

If you have two ISPs, you can make two interfaces and give VPN users the secondary ISP's public IP, and use the primary one for outbound internet traffic.

But if you have only one interface with one ISP, you must use only your outside interface.

Good luck.

If helpful, rate.

cisco24x7 Sat, 09/20/2008 - 06:02

Marwanshawi,

Have you ever implemented this in a production environment, and does it work without any glitches? I am interested to know.

Marwan ALshawi Sat, 09/20/2008 - 06:38

Hi David,

The idea is: let's say you have two ISP connections.

We know that with the ASA we can't do load balancing, but we can make the links work in a primary and backup manner.

You can use ISP1 as the exit point for outbound traffic, for example:

route outside 0 0 [ISP1]

route outside2 0 0 [ISP2] [higher metric]

Now ISP1 is preferred; if it goes down, ISP2 will be used.

For load sharing you can (but don't have to) give the VPN users the public IP address of the link with ISP2.

In the case where both ISP links are operational, outbound traffic will go through ISP1 and VPN through ISP2, which is good.

But if you have one link, I mean one exit point to the internet, you won't be able to implement it.

The link for the ASA with two ISPs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Good luck.

If helpful, rate.

cisco24x7 Sat, 09/20/2008 - 07:19

I am very well aware of this. But the question he asked is that he wants to separate VPN user traffic from other Internet traffic. By that, I assume he means "inbound" traffic.

In other words, he wants "inbound" internet traffic to use the primary link while the VPN users will be using the secondary link for "inbound" VPN traffic?

I just don't see how that is possible.

The link you described is for outbound traffic. VPN traffic is inbound.

Marwan ALshawi Sat, 09/20/2008 - 07:23

The link is the halfway point.

The link lets you configure the redundant links.

Then you need to set up the VPN and use the secondary interface for the VPN and give the VPN client the secondary public IP address. In this case the VPN inbound traffic and communication will be through the secondary ISP (interface), while other traffic, like outbound internet, will normally go through the primary, and if the primary goes down it will go through the secondary.

Hope this time it is clear :)
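As an added example (not code from the thread or from the linked Cisco document), here is what the approach described in the posts above looks like as an ASA configuration: two outside interfaces, a tracked primary default route with a higher-metric backup, and IPsec remote access terminated only on the second interface. The interface names, addresses (RFC 5737 documentation ranges), object names and the pre-shared key placeholder are all assumptions; the syntax is the ASA 8.0/8.2 style in use when the thread was written (8.3 and later changed the NAT commands, and 8.4 renamed the ISAKMP commands to `crypto ikev1`). It also assumes the two outside interfaces sit on two different subnets, which is the two-ISP case the posts describe.

```text
! Added example, not the thread's own configuration. All names and addresses are assumed.
!
! outside  = ISP1, default exit for outbound traffic
! outside2 = ISP2, backup exit and the interface VPN clients are pointed at
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Primary default route is kept only while an ICMP probe to the ISP1 gateway
! succeeds; the backup default route has a worse metric and takes over when
! the tracked route is withdrawn.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Outbound PAT to whichever outside interface the active default route uses
! (pre-8.3 NAT syntax).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (outside2) 1 interface
!
! IPsec remote access terminated on outside2 only: ISAKMP is enabled and the
! crypto map is bound on outside2, not on outside, so clients must be given
! 198.51.100.2 as the VPN server address.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside2
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYNMAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE2-MAP 65535 ipsec-isakmp dynamic RA-DYNMAP
crypto map OUTSIDE2-MAP interface outside2
!
ip local pool RA-POOL 10.10.200.1-10.10.200.254 mask 255.255.255.0
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol IPSec
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
tunnel-group RA-GROUP ipsec-attributes
 pre-shared-key <assumed-pre-shared-key>
```

Before handing out the outside2 address to users, check that the routing behaves as the posts claim: `show route` should list only the tracked outside default route while ISP1 is up, `show track 1` should report reachability, and after pulling the ISP1 cable the outside2 route should appear. Then bring up a client against 198.51.100.2 and confirm the SA with `show crypto isakmp sa` and `show crypto ipsec sa`, since whether VPN sessions on the non-default interface hold up in production is exactly the point cisco24x7 questions below.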

cisco24x7 Sat, 09/20/2008 - 07:34

That goes back to the question I had before. Have you implemented this in a production network, and does it work without any glitches?

I am very skeptical of these configurations, and I am sure there are a lot of caveats that will come with this.

Marwan ALshawi Sat, 09/20/2008 - 07:37

why?

Well, my question actually was to separate only VPN traffic to a different interface. I have a /24 block of IPs from our ISP, so this second interface would still go through the same ISP but have a different IP address. Then I'd set up DNS to point to that IP for VPN only. All outbound internet traffic (and other inbound traffic like mail) would still go through the other primary interface.
