ASA 5510 Placement for VPN

Oct 15th, 2009

I am looking to use an ASA 5510 as a VPN device only (similar to the old VPN Concentrator). We already have an ASA 5510 acting as a firewall to the internet from our central office. We also have an MPLS network to 7 other locations, and they all go through the Central Office for internet access. I will have VPN client users and site-to-site VPNs connecting to the CO, and they will need to access hosts in other sites in the MPLS network, as well as hosts in the CO. I am confused about where I should place my VPN ASA. I was thinking that I should put it at the same level as my Firewall ASA, but then I am not sure what I need to use as far as routing to make sure my traffic is able to flow properly. It would not let me post an attachment, so here is a link of the CO and MPLS general setup.

Any insight would be greatly appreciated.

asafayan Thu, 10/15/2009 - 16:38

We have a similar scenario and we run our VPN device in parallel to our firewall.

So that I understand what you are trying to accomplish - you stated you will have site to site VPNs connecting to this ASA dedicated to VPN. Will those L2L tunnels act as backup routes to your primary MPLS network or will they service sites separate from your MPLS network?


Collin Clark Fri, 10/16/2009 - 06:01

Cisco's suggested way is to have the outside interface on the public network and the inside interface connected to the DMZ interface of the CORP firewall. I've attached a diagram. Also, here is the SRND for security (best practices).
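
The routing the DMZ placement above calls for, as an added example that is not part of the original posts: with the VPN ASA's inside interface on the firewall's DMZ, decrypted VPN traffic has to pass the firewall's policy before it reaches the CO or MPLS sites. All addresses, interface assignments and the names `VPNPOOL` and `DMZ_IN` are constructed for illustration; the syntax is ASA 8.x style.

```cisco
! Constructed addressing (not from the thread):
!   203.0.113.0/24   public segment shared by both ASAs (documentation range)
!   172.16.50.0/24   DMZ link between the firewall ASA and the VPN ASA
!   10.0.0.0/8       CO and MPLS site networks
!   172.16.99.0/24   address pool handed to VPN clients
!
! ---- VPN ASA ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.50.2 255.255.255.0
! Tunnel peers and VPN clients on the internet are reached via the ISP router.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! All internal destinations (CO and MPLS sites) go to the firewall's DMZ interface.
route inside 10.0.0.0 255.0.0.0 172.16.50.1
ip local pool VPNPOOL 172.16.99.1-172.16.99.254 mask 255.255.255.0
!
! ---- Firewall ASA ----
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.50.1 255.255.255.0
! Return path: replies to VPN clients must go back through the VPN ASA,
! not out the firewall's own default route.
route dmz 172.16.99.0 255.255.255.0 172.16.50.2
! Decrypted VPN traffic is filtered here; anything not permitted is dropped
! by the implicit deny. Narrow this to the hosts and ports users really need.
access-list DMZ_IN extended permit ip 172.16.99.0 255.255.255.0 10.0.0.0 255.0.0.0
access-group DMZ_IN in interface dmz
!
! The CO core and the MPLS sites also need a route for 172.16.99.0/24 (and for
! each site-to-site remote network) pointing at the firewall ASA's inside
! address; without it replies are dropped or follow the default route and
! sessions fail in one direction.
```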

asafayan Fri, 10/16/2009 - 08:09
He is using an ASA as his VPN device; therefore, I would think that placing the ASA (for VPN usage) in parallel with his corporate firewall would be fine versus placing his ASA's (for VPN usage) inside interface on the DMZ segment of his corporate firewall ASA.



Collin Clark Fri, 10/16/2009 - 10:47

It's for security reasons. Read the SRND or talk to a Cisco SE and this is their preferred way. It's the way I deploy them as well.
