Redundant VPN ASA Design Question

Unanswered Question
Sep 18th, 2009
User Badges:

I'm installing some new ASA 5520's which will be used strictly for VPN connections (both lan-to-lan and client connections).


I have some questions about the best way to setup redundancy and failover and integrate it into our network. I've attached a diagram to help describe the scenario. I failed to indicate on the diagram that clients who connect to the ASA's will be assigned an address via DHCP on the VLAN which the inside interfaces of the ASA's connect to.


ASA-A and ASA-B are setup as active/standby, with ASA-A being active. There is a default route on the ASA's which point to an HSRP address on our Internet routers. I do not want to use OSPF on the outside interfaces of the ASA's as I do not want these ASA's to be able to route from our internal network out to the Internet as we have other firewalls to handle that. So essentially, the ASA's have a route of 0.0.0.0/0 which points to the HSRP address which is on the ethernet interface(s) of our Internet routers. This part of the design works fine.


My concerns are about handling the inside interfaces of the ASA's. There are a couple of ways this could be done.


A) ASA-A and ASA-B can be connected to the same VLAN on both core switches, and that VLAN will be trunked between the cores. I could then add static routes on the ASA's for our internal address space which point to an HSRP address on the layer3 VLAN's on our cores. I would also add static routes on our core switches for site-to-site VPN connections.


B) I can run OSPF on the VLAN on the core switches, and also on the ASA's. The problem I have with this design is that the core switches will neighbor each other through OSPF as well, they are already neighbors on another VLAN, and I don't want them to be neighbors on multiple VLANs. The advantage to this design though is that I believe RRI can added routes to our core network via OSPF for our site-to-site tunnels. I've not used RRI though, and I'm not sure it works as I think it does. Can anyone confirm it can do this? Also, is there an easy way to prevent the core switches from neighboring each other?


Does anyone know what the best practice is for connecting the ASA's for VPN to an internal network? I know there are many ways to solve this problem, and I may have overlooked some, but what is the best practice? Did I miss something which is obvious and a better solution?


Thanks in advance!


-Steve



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
bapatsubodh Sun, 09/20/2009 - 06:16
User Badges:

Hi Steve,

In my opinion option A that is adding static route on the ASA should be good.

The internal subnets those you want to make available to remote VPN users through split tunneling will be pointing towards L3 switch HSRP, and the Subnet that vpns user will get the IP adddress will point to internet routers HSRP.

Running OSPF may complicate the design.

We have configured almost similar setup with static routes and it works fine.

Hope this helps. Please rate if possible.

Subodh







sbader48220 Sun, 09/20/2009 - 08:03
User Badges:

Hi Subodh,


Thanks for your response! I was leaning towards the static route idea because it was the simplest and cleanest in my opinion. I will add static routes on the ASA for our internal subnets, and on our internal layer3 switches, I'll add static routes for the site-to-site tunnels which point to the ASA.


Thanks again!


-Steve

Actions

This Discussion