How to make FWSM work with ASA 5505 VPN

ciscobonze · ‎08-16-2009

hi, sorry to bother you guys on such a 'silly' question. I'm kind of new on network. here is my problem.

My logical network toplogy is like this: ISP-->FWSM on Cisco 6500-->F5-->Cisco 6500 switch. FWSM is working in transparetn mode. The static IP from ISP is allocated to F5. Now I'm required to deploy IPsec VPN with ASA 5505.

so, my question is that where I should setup this ASA 5505. I know the classic scenario is to allocate the static IP from ISP to ASA 5505, but in my case, it's been given to F5. How could i make it happen?

thanks a lot, guys

andrew.prince · ‎08-16-2009

Personally, I would have the ASA either before or in-line with the FWSM. If your license for the FWSM can allow you more than one context (not sure if you get more than 2 on a normal licence) then have your current context transparent, then creat another one for your VPN solution.

If multiple contexts are not for you - then I would place the ASA before the FWSM, and create specific vlans- depends on the ASA model and interfaces (not counting the trunking function)

JM2PW

HTH>

ciscobonze · ‎08-16-2009

Andrew, very grateful for your information.

Yes, we're able to do multiple contexts. So 'in-line' might be my choice. If I create a new context, how can i deal with the ingress interface? My ISP interface is already given to the existing context...

Is there any document that might help me out? thanks so much~

andrew.prince · ‎08-17-2009

Sorry I am a little confused - you said your FWSM is in transparent mode? So how/why is the ISP IP assigned to an interface?

andrew.prince · ‎08-17-2009

Have a look here:-

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns376/c649/ccmigration_09186a008078de90.pdf

HTH>

ciscobonze · ‎08-17-2009

sorry i didn't make it clear. My FWSM IS running in transprant mode, and the IP from ISP is not assigned to FWSM interface, but F5 Big-IP. I'll read the document you recommended, and any suggestion is appreciated.