
ASA VPN network design

paa
Level 1

Hi! I have read many documents about network design on the SRND site, but I haven't read about ASA VPN design.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/IPSec_Over.html - all VPN terminates on routers

http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html - VPN terminates on routers, the ASAs are just firewalls.

What is the right network design if I want to terminate VPN on the ASA?

2 Replies

JORGE RODRIGUEZ
Level 10

Think of the VPN design described in your great links as a concept/guideline that can also be applied to ASA5500 appliances in your infrastructure internet EDGE-parameter when using VPN technologies.

There are very common design examples in this link for ASA appliances

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

L2TP over IPSec

Remote Access VPN

Easy VPN

SSL VPN/Web VPN

Site to Site VPN (L2L) with ASA

Site to Site VPN (L2L) with IOS

Site to Site VPN (L2L) with VPN3000

VPN with Non-Cisco Devices

Regards

Jorge Rodriguez

cscbrannent
Level 1

We have our ASAs in a VPN load-balanced design, parallel to our firewall, terminating SSL VPN sessions with an RSA Authentication server providing user authentication via RADIUS.

All the VPN clients get their own IP address from a pool configured on the ASA and then we use ACLs to permit access from the VPN net to the inside nets. We can granularly control access if we so desire.

Hope this helps.
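
One way to express the pool-plus-ACL arrangement described in the reply above on an ASA, as an added example that is not the poster's configuration. Every object name, address and the choice of a group-policy `vpn-filter` to apply the ACL are assumptions made for illustration.

```text
! Constructed example: names, addresses and the shared secret are placeholders.

! Address pool handed out to VPN clients
ip local pool VPN_POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
!
! RADIUS server group (for example, fronting the RSA authentication server)
aaa-server RSA_RADIUS protocol radius
aaa-server RSA_RADIUS (inside) host 10.1.1.50
 key <shared-secret>
!
! Too broad: gives every VPN client full reach into every network.
!   access-list VPN_USERS_FILTER extended permit ip 10.99.0.0 255.255.255.0 any
!
! Granular form: only the services VPN users need, everything else denied and logged.
! In a vpn-filter ACL the source is always the VPN client side.
access-list VPN_USERS_FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 10.1.20.15 eq 443
access-list VPN_USERS_FILTER extended permit tcp 10.99.0.0 255.255.255.0 10.1.30.0 255.255.255.0 eq 3389
access-list VPN_USERS_FILTER extended deny ip any any log
!
! Attach the filter to the group policy used by the VPN users
group-policy GP_USERS internal
group-policy GP_USERS attributes
 vpn-filter value VPN_USERS_FILTER
!
! Tie pool, RADIUS authentication and group policy together
tunnel-group TG_USERS type remote-access
tunnel-group TG_USERS general-attributes
 address-pool VPN_POOL
 authentication-server-group RSA_RADIUS
 default-group-policy GP_USERS
```

With the default `sysopt connection permit-vpn` setting, decrypted VPN traffic bypasses the interface ACLs, which is why the filter is attached through the group policy here rather than to an interface.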
