IPSec VPN to multiple partners.

Craig Norborg
Level 4

Hello, trying to figure out a good design for connecting multiple partners to our network. I currently have allocated to the task one router and one ASA5510. Having problems with my initial design concept and am looking for guidance on a new one.

The problem is this. We will need to connect to each partner via a different IPSec tunnel using pre-shared keys, each vendor might have different requirements for their tunnel, such as encryption type, etc. Each partner will then need to be ACL'd off to only allow access to those resources they've been approved for, or to allow our employees access to resources on their network(s). To one partner we might be able to just do simple PAT, allow all of our internal hosts to connect with a few of their hosts and share one outbound IP address. Another partner might require that we not use our internal RFC 1918 addresses, but instead provide them with public IP addresses and NAT them to our internal servers IP addresses.

I was thinking of using VLANs on the ASA and terminating each tunnel on a separate VLAN interface. But then, while each partner would get its own "outside" interface for NAT, they would be sharing an "inside" interface.

Pretty new at this, looking for the best way to go on it. Any suggestions and/or configuration examples would be greatly appreciated!

3 Replies

Collin Clark
VIP Alumni

The ASA can certainly handle all of that. I would terminate the VPN on the 'outside' connection and restrict each partner (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml).

Hmm... We already have something similar to this for our client based VPN solution. Maybe I wasn't clear enough that this is a site-to-site VPN I'm working on now. So these partners will be connected 24x7 and will not have distinct client sessions that I can apply a policy to.

Collin Clark
VIP Alumni

Each partner connection would be distinct though correct? You can then apply group policy to each of those. Or am I still not understanding something?
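To make the design the thread converges on concrete (all tunnels terminated on the outside interface, each partner isolated by its own crypto map entry, tunnel-group and group policy), here is an added example ASA configuration. It is not from the original thread or from Cisco's documentation; it assumes ASA 8.4 or later syntax (`crypto ikev1`, object-based NAT) rather than the 8.2-era syntax the ASA 5510 shipped with, and every address, object name, peer IP and pre-shared key placeholder below is constructed for illustration. Partner A gets the simple PAT case from the question (all inside hosts share one outbound address toward a few of their hosts); Partner B gets the public-address case (one internal server presented as a public IP, and Partner B can reach only that server).

```text
! --- Constructed addresses (RFC 5737 / RFC 1918 documentation ranges) ---
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object network PARTNER-A-HOSTS
 subnet 192.168.50.0 255.255.255.0        ! the few hosts Partner A exposes to us
object network PARTNER-B-NET
 subnet 172.20.0.0 255.255.0.0
object network PAT-A
 host 203.0.113.10                        ! single outbound address shown to Partner A
object network SRV-WEB
 host 10.1.1.10                           ! real internal server
object network SRV-WEB-PUB
 host 203.0.113.20                        ! public address Partner B sees for that server

! --- Phase 1: one policy per partner requirement; the ASA negotiates whichever matches the peer ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto ikev1 enable outside

! --- Phase 2: a transform set per partner, selected per crypto map entry below ---
crypto ipsec ikev1 transform-set TS-A esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TS-B esp-3des esp-md5-hmac

! --- NAT (8.3+ "twice NAT", scoped by destination so it only applies toward that partner) ---
! Partner A: every inside host is PAT'd to 203.0.113.10 when talking to Partner A's hosts
nat (inside,outside) source dynamic INSIDE-NET PAT-A destination static PARTNER-A-HOSTS PARTNER-A-HOSTS
! Partner B: our server is presented as 203.0.113.20, only toward Partner B's network
nat (inside,outside) source static SRV-WEB SRV-WEB-PUB destination static PARTNER-B-NET PARTNER-B-NET

! --- Interesting traffic (crypto ACLs). On 8.3+ these use the post-NAT addresses the partner sees ---
access-list VPN-A extended permit ip object PAT-A object PARTNER-A-HOSTS
access-list VPN-B extended permit ip object SRV-WEB-PUB object PARTNER-B-NET

! --- Per-partner vpn-filter: applied to decrypted traffic, written remote -> local ---
! Assumption: the filter is matched on real (pre-NAT) local addresses; confirm with packet-tracer.
! Partner A: our hosts may only reach Partner A's hosts on TCP/443 (reply direction shown, remote port first)
access-list FILTER-A extended permit tcp object PARTNER-A-HOSTS eq 443 object INSIDE-NET
! Partner B: Partner B may only reach our web server on TCP/443, nothing else on the inside
access-list FILTER-B extended permit tcp object PARTNER-B-NET object SRV-WEB eq 443

group-policy GP-A internal
group-policy GP-A attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value FILTER-A
group-policy GP-B internal
group-policy GP-B attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value FILTER-B

! --- One tunnel-group per peer; this is where each partner's PSK and policy live ---
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy GP-A
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PARTNER-A-PSK-PLACEHOLDER>
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 general-attributes
 default-group-policy GP-B
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key <PARTNER-B-PSK-PLACEHOLDER>

! --- One crypto map on the outside interface, one sequence number per partner ---
crypto map CM 10 match address VPN-A
crypto map CM 10 set peer 198.51.100.1
crypto map CM 10 set ikev1 transform-set TS-A
crypto map CM 20 match address VPN-B
crypto map CM 20 set peer 198.51.100.2
crypto map CM 20 set ikev1 transform-set TS-B
crypto map CM interface outside
```

The point this illustrates is that a shared inside interface is not the isolation boundary: each partner is separated by its own crypto map sequence (which peer, which transform set, which interesting traffic), its own tunnel-group (its own pre-shared key) and its own group policy (its own vpn-filter), so the vpn-filter, not the interface, is what keeps Partner B away from everything except the one server. Before trusting the filter and NAT direction, check a flow from each side with `packet-tracer` (for example `packet-tracer input outside tcp 172.20.5.5 40000 203.0.113.20 443` for Partner B's inbound case and `packet-tracer input inside tcp 10.1.2.3 40000 192.168.50.7 443` for our outbound case to Partner A) and confirm the tunnel it selects and the ACL line it hits; a mistake in the vpn-filter's remote-to-local ordering silently opens or closes more than intended.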