ASA 5510 Placement for VPN

Unanswered Question
Oct 15th, 2009

I am looking to use an ASA 5510 as a VPN device only (similar to the old VPN Concentrator) We already have an ASA5510 acting as a firewall to the internet from our central office. We also have a MPLS network to 7 other locations, and they all go through the Central Office for internet access. I will have VPN client users, and site to site VPNs connecting to the CO, and will need to access hosts in other sites in the MPLS network, as well as hosts in the CO. I am confused on where I should place my VPN ASA. I was thinking that I should put it at the same level of my Firewall ASA, but then I am not sure what I need to use as far as routing to make sure my traffic is able to flow properly. It would not let me post an attachment, so here is a link of the CO and MPLS general setup.

http://www.asicorp.us/ciscolayout.jpg

Any insight would be greatly appreciated.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
asafayan Thu, 10/15/2009 - 16:38

We have a similar scenario and we run our VPN device in parallel to our firewall.

So that I understand what you are trying to accomplish - you stated you will have site to site VPNs connecting to this ASA dedicated to VPN. Will those L2L tunnels act as backup routes to your primary MPLS network or will they service sites separate from your MPLS network?

Anonymous (not verified) Tue, 10/20/2009 - 12:19

asafayan Fri, 10/16/2009 - 08:09

Hi,

He is using an ASA as his VPN device therefore, I would think that placing the ASA(for VPN usage) in parallel with his corporate firewall would be fine verses placing his ASA's (for VPN usage) inside interface on the DMZ segment of his corporate firewall ASA.

Regards,

Amir

Collin Clark Fri, 10/16/2009 - 10:47

It's for security reasons. Read the SRND or talk to a Cisco SE and this is their preferred way. It's the way deploy them as well.

Anonymous (not verified) Thu, 10/22/2009 - 09:08

Actions

This Discussion