help with Cisco VPN solution implemented on ASA

Unanswered Question
Apr 14th, 2010

I need help with an SSL VPN solution design. My main questions are listed below.


Currently the customer has 2 routers as VPN termination devices. One router is used to terminate the customer's employees' sessions and the other device terminates the partners' sessions.

The customer would like to use the new SSL VPN solution from Cisco using the ASA 5520. Instead of 2 VPN routers (existing solution), the customer would like to use one VPN termination device for three different types of users: employees with full access (SSL VPN with AnyConnect client), third parties/partners with restricted access (SSL VPN with AnyConnect client), and one connection to a mobile office (Easy IPsec implemented on the Cisco router). The authentication of users should be integrated into the customer's Active Directory.

The VPN ASA will be installed behind the firewall. The firewall translates the public IP address into a private one.

Question 1: based on best practice, what to do with the unencrypted traffic? Send it back to the firewall, or connect directly to the internal LAN?

Question 2: how to differentiate between employee and partner access, since they use the same connection profile? Is it possible to place them into different VLANs? Can I use only one public address, or do I need to use two different addresses: one for employees and one for partners?

Collin Clark Wed, 04/14/2010 - 09:37

1. Best practice is to have the unencrypted traffic go through another DMZ to access internal resources. It can be on the same physical ASA, but it should be a new interface.


2. You can use an ACL to restrict the vendors on where they can go:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml


Hope that helps.
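As an added worked example (constructed for this page, not taken from the thread or from Cisco's linked document), here is an ASA 8.2-style configuration fragment that puts both answers together on one tunnel-group and one public address: a dedicated DMZ interface for the decrypted traffic, an AD `memberOf` lookup that selects the group policy, and a `vpn-filter` that confines partners to one server. The interface, address pools, AD host 10.1.1.5, base DN `DC=example,DC=com`, group names and the application server 10.1.2.10 are all assumed values.

```cisco
! Constructed example (not from the thread). Assumed: AD at 10.1.1.5, base DN
! DC=example,DC=com, a vpn-dmz interface, internal app server 10.1.2.10.
! ASA 8.2-era syntax (svc = AnyConnect); 8.4+ uses "ssl-client"/"anyconnect enable".
! Unencrypted traffic leaves the ASA on its own DMZ interface toward the firewall/LAN
interface GigabitEthernet0/1
 nameif vpn-dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
! One pool per user class so partners land on their own subnet (easy to police upstream)
ip local pool EMP_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool PARTNER_POOL 10.10.20.1-10.10.20.254 mask 255.255.255.0
! Partners: only HTTPS to the one application server; vpn-filter ends in an implicit deny
access-list PARTNER_FILTER extended permit tcp any host 10.1.2.10 eq 443
! Users matching no AD group get a policy that allows no logins at all
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy EMPLOYEES internal
group-policy EMPLOYEES attributes
 vpn-tunnel-protocol svc
 address-pools value EMP_POOL
group-policy PARTNERS internal
group-policy PARTNERS attributes
 vpn-tunnel-protocol svc
 address-pools value PARTNER_POOL
 vpn-filter value PARTNER_FILTER
! Map AD group membership (memberOf) to the ASA group policy
ldap attribute-map AD_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Employees,OU=Groups,DC=example,DC=com" EMPLOYEES
 map-value memberOf "CN=VPN-Partners,OU=Groups,DC=example,DC=com" PARTNERS
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.1.1.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD_MAP
! Single tunnel-group behind the single public address; policy comes from AD, not the profile
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group AD
 default-group-policy NOACCESS
```

Keep the two AD groups mutually exclusive: when a user carries several mapped `memberOf` values the ASA applies the first one it matches, so an account in both groups may end up with the wider policy. Verify with `show vpn-sessiondb svc` that each test user reports the expected group policy and filter before exposing the service.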
