Combining two PIX's to one ASA

dprakken1
Level 1

Hi,

I need a little sanity check please. I want to consolidate two PIX's onto a single ASA. Each PIX currently has an IPSEC VPN that terminates on the same remote peer (our ePoP VPN router).

The plan is to have interesting traffic for both local subnets added to the crypto ACL.

Currently working is:

PIX-1 10.10.10.10 --> (inside interface) --> 1.1.1.1 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

Crypto ACL:

access-list 10 permit ip 10.10.10.0 255.255.255.0 any

PIX-2 20.20.20.20 --> (inside interface) --> 1.1.1.2 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

Crypto ACL:

access-list 20 permit ip 20.20.10.0 255.255.255.0 any

I want to do:

ASA-1 10.10.10.10 --> (DMZ-1 interface) --> 1.1.1.1 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

ASA-1 20.20.20.20 --> (DMZ-2 interface) --> 1.1.1.1 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

Crypto ACL:

access-list 10 permit ip 10.10.10.0 255.255.255.0 any

access-list 20 permit ip 20.20.10.0 255.255.255.0 any

Does anyone see any challenges with this?

Thanks, Dave

1 Reply

andrew.prince
Level 10

Dave,

Personally your interesting traffic will be initialised whenever a packet from either LAN hits the PIX/ASA.

I would specify in both ACL's the remote IP subnet - just to make things clear.

Other than that - you are correct in the way you are going.

HTH
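
An added example, not part of either post: a small Python check that parses the two crypto ACL lines quoted in the question and reports which inside hosts from the diagrams they would select for the tunnel. The destination address is a constructed sample, and the parser is a sketch that only understands the `permit|deny ip <net> <mask> any|<net> <mask>` form used in this thread.

```python
import ipaddress

# Crypto ACL lines copied from the question (source network + mask, destination "any").
CRYPTO_ACL = """\
access-list 10 permit ip 10.10.10.0 255.255.255.0 any
access-list 20 permit ip 20.20.10.0 255.255.255.0 any
"""

def parse_acl(text):
    """Parse 'access-list ID permit|deny ip SRC MASK (any | DST MASK)' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # not a form this sketch understands
        src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
        if tok[6] == "any":
            dst = ipaddress.ip_network("0.0.0.0/0")
        elif len(tok) >= 8:
            dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}")
        else:
            continue  # destination network given without a mask
        entries.append({"acl": tok[1], "action": tok[2], "src": src, "dst": dst})
    return entries

def match(entries, src, dst):
    """Return the ACL id of the first entry that permits src -> dst, else None.

    None means the packet is not selected as interesting traffic for the tunnel.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in e["src"] and d in e["dst"]:
            return e["acl"] if e["action"] == "permit" else None
    return None

def coverage(entries, hosts, dst):
    """Map each inside host to the ACL id that selects it (or None)."""
    return {h: match(entries, h, dst) for h in hosts}

if __name__ == "__main__":
    acl = parse_acl(CRYPTO_ACL)
    # Inside hosts as drawn in the question; destination is a constructed sample.
    for host, hit in coverage(acl, ["10.10.10.10", "20.20.20.20"], "198.51.100.7").items():
        print(f"{host}: {'ACL ' + hit if hit else 'NOT selected for the tunnel'}")
```

With the addresses exactly as posted, 20.20.20.20 falls outside 20.20.10.0/24 and is not selected, so the real subnets are worth confirming against the crypto ACL before cutover.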
