Adding ASA 5510 as a RAS VPN gateway into the existing network topology

Answered Question
Apr 17th, 2010

Hello,

I'd like to add a Cisco ASA 5510 into the existing firewall and network topology to have Cisco RAS VPN access as well.

I don't want to use it as a firewall when not necessary, but only for the RAS access. I cannot imagine now where in the network it should be placed.

The existing topology has a firewall including a DMZ; the firewall's internal interface serves as the default gateway for the internal network, as usual.

Sorry for the basic question, but Cisco is brand new for me. Last time I tested CP Connectra for that, it just sat in the DMZ with one (DMZ) public IP.

Does the ASA allow the same?

Jennifer Halim Sat, 04/17/2010 - 02:32
User Badges: Cisco Employee

Yes, you can definitely sit the ASA in the DMZ.

All you need to do for your internal routing is to point routes for the remote LAN and/or the VPN client IP pool subnet towards the ASA.


I would have the following topology:

Internal LAN -- (inside) firewall (outside) ---- Internet
     |                    (dmz)
     |                      |
     ----------------------- ASA VPN


Hope that helps.

lkovar Sat, 04/17/2010 - 09:14

Hi,

Thanks a lot, but I still didn't get it. Would you mind elaborating on the example? I'd really appreciate it.

A separate IP segment for the VPN pool, with the ASA internal interface as the gateway to it? Specific routes on all servers to that segment?

Correct Answer
Jennifer Halim Sun, 04/18/2010 - 05:57
User Badges: Cisco Employee

There are a couple of scenarios you can configure:

1) VPN server outside interface in parallel with your current firewall outside interface, and VPN server inside interface connects to your firewall DMZ interface. So VPN traffic will terminate on the VPN server outside interface, gets decrypted and connects to the firewall DMZ interface, which then gets routed towards the firewall internal network.

2) VPN server outside interface is connected to the firewall DMZ interface, and VPN server inside interface is connected in the same VLAN as your firewall inside interface. This will only work if your internal LAN is connected to a router/layer 3 switch, so the router can be configured with routes for the remote VPN LAN and VPN client IP pool subnets to be routed towards the VPN server inside interface, while keeping the default gateway towards the firewall inside interface.

Hope that helps.
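A sketch of the addressing and routing for scenario #1, added here as an illustration and not taken from the thread or from Cisco documentation. All addresses are constructed, the syntax is the pre-8.3 ASA syntax of the period, and the remote-access tunnel-group, group-policy and crypto configuration is left out because the question is about placement and routing.

```cisco
! ASA (scenario #1): outside faces the Internet, inside faces the firewall's DMZ.
! Constructed addresses: 203.0.113.0/24 = public, 172.16.1.0/24 = firewall DMZ,
! 192.168.1.0/24 = internal LAN, 10.10.10.0/24 = VPN client pool.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.10 255.255.255.0
!
! Addresses handed to remote-access clients: a segment of its own, as asked above.
ip local pool VPN-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
!
! Decrypted client traffic leaves via inside towards the firewall DMZ interface,
! which is the next hop for the internal LAN. Everything else goes to the ISP.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.1.0 255.255.255.0 172.16.1.1 1
!
! Do not NAT LAN<->pool traffic, so the firewall and the servers see (and can
! filter on) the real 10.10.10.x client source. Harmless if NAT control is off.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Let decrypted VPN sessions bypass the outside interface ACL.
sysopt connection permit-vpn
!
! --- On the existing firewall (vendor-neutral, written as pseudo-config) ---
! 1. Static route: 10.10.10.0/24 via 172.16.1.10 on the DMZ interface, so the
!    return path to the clients goes back through the ASA (no asymmetric routing).
! 2. Policy: permit DMZ 10.10.10.0/24 -> internal 192.168.1.0/24 only for the
!    services remote users need. No routes are needed on the internal servers,
!    since their default gateway is still the firewall inside interface.
```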

lkovar Sun, 04/18/2010 - 13:08

Hi,

Thanks a lot, it definitely helps. Scenario #1 is perfectly suitable. Just curious, is there any one-interface (DMZ) scenario, like with Connectra? Should I use a different Cisco product for that? This is just a demo I borrowed.

Jennifer Halim Sun, 04/18/2010 - 16:41
User Badges: Cisco Employee

It is not recommended to use just one interface of the ASA both for VPN termination and for routing the clear-text traffic (more possibility of asymmetric routing, which would be blocked on the ASA). Scenario #1 would be just as easy to configure.

Alternatively, you can use a router for VPN termination if you just want to use one interface. But I still think using separate interfaces as in scenario #1 would be much neater and more secure.
