Adding ASA 5510 as a RAS VPN gateway into the existing network topology

lkovar (Level 1)

Hello,

I'd like to add a Cisco ASA 5510 into the existing firewall and network topology, so that we also have Cisco RAS VPN access.

I don't want to use it as a firewall when not necessary, but only for the RAS access. I cannot imagine now where in the network it should be placed.

The existing topology has a firewall including a DMZ; the firewall's internal interface serves as the default gateway for the internal network, as usual.

Sorry for the basic question, but Cisco is brand new for me. Last time I tested CP Connectra for that, it just sat in the DMZ with one (DMZ) public IP.

Does the ASA allow the same?

6 Replies

Jennifer Halim (Cisco Employee)

Yes, you can definitely sit the ASA in DMZ.

All you need to do for your internal routing is to point routes for the remote LAN and/or the VPN client IP pool subnet towards the ASA.

I would have the following topology:

Internal LAN -- (inside) firewall (outside) ---- Internet
        |                          (dmz)
        |                              |
         --------------------- ASA VPN

Hope that helps.

Hi,

thanks a lot, but I still didn't get it. Would you mind elaborating on the example? I'd really appreciate it.

A separate IP segment for the VPN pool, with the ASA internal interface as a gateway to it? Specific routes on all servers to that segment?

There are a couple of scenario you can configure:

1) VPN server outside interface in parallel with your current firewall outside interface, and VPN server inside interface connects to your firewall DMZ interface. So VPN traffic will terminate on the VPN server outside interface, gets decrypted and connects to the firewall DMZ interface, which then gets routed towards the firewall internal network.

2) VPN server outside interface is connected to the firewall DMZ interface, and VPN server inside interface is connected in the same VLAN as your firewall inside interface. This will only work if your internal LAN is connected to a router/layer 3 switch, so the router can be configured with routes for the remote VPN LAN and VPN client IP pool subnets towards the VPN server inside interface, while keeping the default gateway towards the firewall inside interface.

Hope that helps.
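Scenario 1 above, as an added ASA 8.2-style configuration example that is not part of this thread or of any Cisco documentation; all addresses, interface names and object names are constructed, and the internal LAN keeps the firewall inside interface as its default gateway, so no routes are needed on internal hosts.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   ASA outside  203.0.113.10/24  - same public segment as the firewall outside
!   ASA inside   192.0.2.10/24    - firewall DMZ segment, firewall DMZ IP 192.0.2.1
!   Internal LAN 10.10.0.0/16     - behind the firewall inside interface
!   VPN pool     10.99.0.0/24     - addresses handed to RAS clients
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.10 255.255.255.0
!
! Decrypted client traffic leaves via the DMZ towards the firewall,
! which forwards it to the internal LAN (scenario 1 traffic path).
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.10.0.0 255.255.0.0 192.0.2.1
!
ip local pool RAS_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! Identity NAT so pool-to-LAN traffic is not translated on the ASA.
access-list NO_NAT extended permit ip 10.10.0.0 255.255.0.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! Only the internal LAN is sent through the tunnel.
access-list RAS_SPLIT standard permit 10.10.0.0 255.255.0.0
group-policy RAS_GP internal
group-policy RAS_GP attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAS_SPLIT
tunnel-group RAS_TG type remote-access
tunnel-group RAS_TG general-attributes
 address-pool RAS_POOL
 default-group-policy RAS_GP
tunnel-group RAS_TG ipsec-attributes
 pre-shared-key <set-a-strong-key-here>
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec transform-set RAS_TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RAS_DYN 10 set transform-set RAS_TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RAS_DYN
crypto map OUTSIDE_MAP interface outside
```

On the existing firewall two things remain: a route for 10.99.0.0/24 via 192.0.2.10 on the DMZ interface (so return traffic from the internal LAN reaches the ASA), and a DMZ-to-inside rule that permits only the services RAS clients actually need rather than the whole pool to the whole LAN.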

Hi

thanks a lot, it definitely helps. Scenario #1 is perfectly suitable. Just curious, is there any one-interface (DMZ) scenario, like with Connectra? Should I use a different Cisco product for that? This is just a demo unit I borrowed.

It is not recommended to use just one interface of the ASA both for VPN termination and for routing the clear-text traffic (more possibility of asymmetric routing that would be blocked on the ASA). Scenario #1 would be just as easy to configure.

Alternatively, you can use a router for VPN termination if you just want to use one interface. But I still think using separate interfaces as in scenario #1 would be much neater and more secure.

Thanks a lot!
