Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
468
Views
0
Helpful
4
Replies

ASA/1841 Design Question

rschmidt73
Level 1
Level 1

‎07-20-2009 12:50 PM

I'm currently terminating a DMVPN on an 1841 connected to our new ISP. We recently purchased an ASA5510 to terminate/replace our IPSEC client VPN on an old ISP. I'm wondering what would be the best practice would be to install? Have the 1841 outward facing with the ASA behind or have the ASA on the outside with the DMVPN router behind that. Please keep in mind that we wil be utilizing the new ISP for everything going forward. Thanks

Labels:
0 Helpful
4 Replies 4

Collin Clark
VIP Alumni
VIP Alumni

‎07-20-2009 01:02 PM

Can you have the them each on the outside? Meaning that both the ASA and the router have a public IP. The "inside" of the router would be on a DMZ of the ASA. The inside of the ASA would be your internal LAN. This is a pretty standard setup. If you have the ASA in front of the router, you have to poke holes open and pass public IP's. Not impossible, but a pain to troubleshoot. If you have the router first, you'll have unencrypted traffic outside your firewall.

Hope that helps.

0 Helpful

rschmidt73
Level 1
Level 1
In response to Collin Clark

‎07-20-2009 01:23 PM

Thanks, I guess I was most concerned with the traffic from the DMVPN (1841) if it was placed behined the ASA. I realize I'll need play ACL boy with this one. I see what you are saying with the interfaces and how they should be configured.

0 Helpful

mitchmahan87
Level 1
Level 1
In response to rschmidt73

‎07-30-2009 10:58 AM

Didnt you ask this same question in irc.freenode.net? #cisco

I agree, it would be best to have them in a parallel configuration.

If that is not possible I would prefer, if I had to have it one way or the other, the router in front of the ASA.

0 Helpful

mkorourke
Level 1
Level 1

‎08-01-2009 12:05 AM

Design being design theirs always multiple aspects and scenario's, all having their benefits\limitations. Personally I would have the DMVPN behind the ASA, the ASA functioning as a single entry point or border firewall (removing the client vpn function) and providing additional access control back to the DMVPN 1841 if needed + adding client vpn functionality (assuming hardware encryption performance needs etc are covered), 1-1 NAT and other aspects are possible so NAT-T etc shouldn't be required, and (it's to some degree) one less major operational head-ache to worry about. Yet considering that the the old\new requirement it may be best to have both in parallel while you transisiton (dependent on how you do your routing), and perhaps consider reducing your footprint and implementing better control mechanisms later. It's a shame the ASA does not support IPSEC in context mode, having an border ASA with both the VPN Client ASA and split DMVPN 1841 being that a more desirable scenario.

0 Helpful
Customers Also Viewed These Support Documents