ASA/1841 Design Question

Jul 20th, 2009

I'm currently terminating a DMVPN on an 1841 connected to our new ISP. We recently purchased an ASA5510 to terminate/replace our IPSEC client VPN on an old ISP. I'm wondering what the best practice would be to install: have the 1841 outward facing with the ASA behind, or have the ASA on the outside with the DMVPN router behind that? Please keep in mind that we will be utilizing the new ISP for everything going forward. Thanks

Collin Clark Mon, 07/20/2009 - 13:02

Can you have them each on the outside? Meaning that both the ASA and the router have a public IP. The "inside" of the router would be on a DMZ of the ASA. The inside of the ASA would be your internal LAN. This is a pretty standard setup. If you have the ASA in front of the router, you have to poke holes open and pass public IPs. Not impossible, but a pain to troubleshoot. If you have the router first, you'll have unencrypted traffic outside your firewall.

Hope that helps.
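As an added example of the parallel design described in the reply above (editorial illustration, not configuration posted by anyone in this thread), here is the ASA side of it. It assumes ASA 8.2-style syntax, documentation addresses chosen for illustration, interface names outside/inside/dmz, and that the spoke LANs reached over the DMVPN summarise to 10.200.0.0/16 behind the 1841; none of these values come from the original question.

```text
! Added example, not from the thread: ASA side of the parallel design.
! Assumptions: ASA 8.2-style syntax, illustrative addresses, and that the
! DMVPN spoke LANs summarise to 10.200.0.0/16 behind the 1841.
!
! outside : ISP segment; the 1841's WAN interface has its own public IP here
! dmz     : the 1841's LAN interface (192.168.100.2) plugs in here
! inside  : the internal LAN
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.252
!
! Traffic for the spoke LANs goes back out the dmz to the 1841
route dmz 10.200.0.0 255.255.0.0 192.168.100.2
!
! Everything arriving on dmz from the tunnels has already been decrypted by
! the 1841, so the policy is written per remote subnet and application instead
! of "permit esp". Here spokes may only reach a file server (TCP 445) and a
! DNS server; anything else is dropped and logged.
access-list DMZ_IN extended permit tcp 10.200.0.0 255.255.0.0 host 10.0.0.10 eq 445
access-list DMZ_IN extended permit udp 10.200.0.0 255.255.0.0 host 10.0.0.53 eq domain
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Nothing has to be opened on outside for the DMVPN in this layout, because the tunnels terminate on the 1841's own public address; the ASA only ever sees cleartext on dmz, which is what lets the firewall policy be written in terms of spoke subnets and services rather than IPsec protocols.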

rschmidt73 Mon, 07/20/2009 - 13:23

Thanks, I guess I was most concerned with the traffic from the DMVPN (1841) if it was placed behind the ASA. I realize I'll need to play ACL boy with this one. I see what you are saying with the interfaces and how they should be configured.

mitchmahan87 Thu, 07/30/2009 - 10:58

Didn't you ask this same question in #cisco?

I agree, it would be best to have them in a parallel configuration.

If that is not possible I would prefer, if I had to have it one way or the other, the router in front of the ASA.

mkorourke Sat, 08/01/2009 - 00:05

Design being design, there are always multiple aspects and scenarios, all having their benefits/limitations. Personally I would have the DMVPN behind the ASA, the ASA functioning as a single entry point or border firewall (removing the client VPN function) and providing additional access control back to the DMVPN 1841 if needed + adding client VPN functionality (assuming hardware encryption performance needs etc. are covered); 1-1 NAT and other aspects are possible so NAT-T etc. shouldn't be required, and it's (to some degree) one less major operational headache to worry about. Yet considering the old/new requirement it may be best to have both in parallel while you transition (dependent on how you do your routing), and perhaps consider reducing your footprint and implementing better control mechanisms later. It's a shame the ASA does not support IPSEC in context mode, a border ASA with both the VPN client ASA and split DMVPN 1841 being a more desirable scenario.
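As an added example of the alternative preferred in the reply above, the DMVPN router behind the ASA with a one-to-one static NAT (again an editorial illustration, not configuration from any poster), here are the ASA lines that make that layout work. Assumed: the 1841's WAN interface sits on an ASA interface named dmz at 192.168.100.2, its public identity is 203.0.113.10, the spoke LANs summarise to 10.200.0.0/16, and ASA 8.2-style syntax is used (in 8.3 and later NAT is configured with network objects and the outside ACL matches the real, untranslated address instead). All addresses are illustrative.

```text
! Added example, not from the thread: the 1841's WAN side sits on the dmz
! segment (192.168.100.2) and is published on outside as 203.0.113.10 by a
! one-to-one static translation. ASA 8.2-style syntax; addresses illustrative.
static (dmz,outside) 203.0.113.10 192.168.100.2 netmask 255.255.255.255
!
! The "holes" the DMVPN needs from the Internet toward the router, and nothing
! else: IKE (UDP 500), NAT-T (UDP 4500) and ESP. Under 8.2 the outside ACL
! matches the translated (public) address.
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Spoke LANs are still reached through the 1841, which now decrypts on the
! dmz side of the firewall; a dmz-to-inside ACL restricting the spoke subnets
! to the services they actually need should still be applied on dmz.
route dmz 10.200.0.0 255.255.0.0 192.168.100.2
```

One caveat worth checking before relying on the ESP line alone: IKE's NAT detection compares the address the router uses locally (192.168.100.2) with the address its peers see (203.0.113.10), so even a one-to-one translation is reported as NAT, and spokes with NAT-T enabled (the IOS default) will switch to UDP 4500 encapsulation after phase 1. Keeping the UDP 4500 entry, and watching the deny-log hits on OUTSIDE_IN during cutover, avoids a tunnel that negotiates but never passes data.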
