09-19-2008 06:24 AM - edited 03-11-2019 06:46 AM
I'm getting ready to move our VPN connections from the VPN Concentrator to our ASA, which is also our internet firewall. My question is, does it make sense to connect one of the ASA's unused ports to the DMZ and use that as the VPN port, or just configure VPN to come in to the outside interface (which is already plugged in to the DMZ anyway)? My thought was to plug in a new port with a new IP to keep VPN traffic separate from other internet traffic.
09-20-2008 03:57 AM
This depends on whether you have another ISP connection!
If you have two ISPs, you can make two interfaces and give VPN users the secondary ISP public IP and use the primary one for outbound internet traffic.
But if you have only one interface with one ISP,
you must use only your outside interface.
Good luck.
If helpful, rate.
09-20-2008 06:02 AM
Marwanshawi,
Have you ever implemented this in a production environment, and does it work without any glitches? I am interested to know.
09-20-2008 06:38 AM
Hi David,
The idea is:
Let's say you have two ISP connections.
We know with the ASA we can't do load balancing, but we can make links work in a primary and backup manner.
You can use ISP1 as the exit point for outbound traffic through, for example:
route outside 0 0 [ISP1]
route outside2 0 0 [ISP] [higher metric]
Now ISP1 is preferred;
if it goes down, ISP2 will be used.
For load sharing you can (but need not)
give the VPN users the public IP address of the link with ISP2.
In that case, let's say both ISP links are operational: then outbound traffic will be through ISP1 and VPN through ISP2,
which is good.
But if you have one link, I mean one exit point to the internet, you won't be able to implement it.
The link for ASA with two ISPs:
Good luck.
If helpful, rate.
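A concrete ASA configuration for the two-ISP layout this post describes in words (primary default route via ISP1 with a higher-metric backup via ISP2, and remote-access VPN terminated on the ISP2 interface). This is an added illustration, not configuration from the thread or from any Cisco document; the interface names, the RFC 5737 documentation addresses, the transform-set and map names are all assumed. The `sla monitor`/`track` commands are the ASA's standard mechanism for withdrawing the primary default route when the ISP1 gateway stops answering, which is what "if it goes down ISP2 will be used" requires in practice.

```cisco
! Two ISP uplinks: "outside" (ISP1, primary) and "outside2" (ISP2, backup + VPN).
! Addresses are documentation ranges assumed for this example.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Probe the ISP1 gateway every 10 seconds; "track 1" goes down when it stops answering.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route (metric 1) is tied to the tracker, so it is withdrawn
! when ISP1 fails; the ISP2 default route has a higher metric (254) and only
! carries outbound traffic while the primary route is absent.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Terminate remote-access IPsec VPN on outside2 only, so inbound VPN sessions
! arrive at the ISP2 public address (198.51.100.10) handed out to clients.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map dyn_map 10 set transform-set ESP-AES-SHA
crypto map vpn_map 65535 ipsec-isakmp dynamic dyn_map
crypto map vpn_map interface outside2
```

After applying it, `show route` should list only the ISP1 default route while the tracker is up, and `show track 1` shows the tracker state; pulling the ISP1 link should make the ISP2 default route appear in `show route` within a few probe intervals.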
09-20-2008 07:19 AM
I am very well aware of this. But the question he asked is that he wants to separate VPN users' traffic from other Internet traffic. By that, I assume he means "inbound" traffic. In other words, he wants "inbound" internet traffic to use the primary link while the VPN users will be using the secondary link for "inbound" VPN traffic?
I just don't see how that is possible.
The link you described is for outbound traffic. VPN traffic is inbound.
09-20-2008 07:23 AM
The link is the halfway point.
The link lets you configure the redundant links.
Then you need to set up the VPN and use the secondary interface for the VPN and give the VPN client the secondary public IP address. In this case the VPN inbound and communication will be through the secondary ISP (interface), while other traffic like outbound internet will be normally through the primary, and if the primary goes down it will be through the secondary.
Hope it is clear this time :)
09-20-2008 07:34 AM
That goes back to the question I had before. Have you implemented this in a production network, and does it work without any glitches? I am very skeptical of these configurations, and I am sure there are a lot of caveats that will come with this.
09-20-2008 07:37 AM
Why?
09-22-2008 05:46 AM
Well, my question actually was to separate only VPN traffic to a different interface. I have a /24 block of IPs from our ISP, so this second interface would still go through the same ISP but have a different IP address. Then I'd set up DNS to point to that IP for VPN only. All outbound internet traffic (and other inbound traffic like mail) would still go through the other primary interface.