ASA as both VPN end-point and Authentication front-end

Unanswered Question

Hello Experts,

I have a fundamental design question.

I have a fairly large mobile population (cellular, wifi hotspots, etc) that need to access to access company resources. VPN is not an option for this user population due to the nature of devices.

Assuming I have this user population that uses a cellular network (private APN) and terminates on the cellular cloud. From the cellular cloud I want to build a site to site VPN to the company headend (ASA).

Step 1.

I want to be able to provide a re-directed web page (on the ASA ) for the user to present credentials.

Step 2.

From the ASA I want authenticate the user via RADIUS/AD

Step 3.

Based on the type of the user (returned from RADIUS), I want to allow certain IP Addresses and protocols.

The question I have is, do I need to use 2 ASA's. One for VPN and the other for the Authentication.

Has anyone implemented this scenario and willing to share config ideas.

Is there a better way to do this.

Appreciate your responses.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jatin Katyal Thu, 05/13/2010 - 19:06
User Badges:
  • Cisco Employee,


I don't know what do you mean by cellular cloud, Can this clould can serve as a firewall for you because site to site vpn tunnel can only be created either between firewall to fireall or firewall to router.

Scenario 1 ## If your have asked this questions in regards to both site to site vpn tunnel and web page authentication for users behind the ASA then yes you should have two firewalls (ASA) to achieve this.

Scenario 2 ##  If you can create tunnel between your cellular cloud and headend ASA and you are only concern about web page authentication for internal users then the headend device can solve both the issues.

If you want that users should be re-directed web page (on the ASA ) to enter their credentials before they access anything on the internet then this can be done by cut-through proxy.

You may view the below listed link for cut through proxy:

PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example



Do rate helpul posts-

Hi JK,

First of all, thanks for replying. I think I said somethings wrong.

When I mean Cellular cloud, yes it is going to be a GGSN or a PDSN on the cellular cloud that will initiate a VPN tunnel and serve as a source.

My users are all outside (untrusted network) and will be accessing inside the the corporate network (trusted network) various servers/protocols.

Before they get to any server/protocol, I would want to present them a webpage. (Do not prefer to use certificates). I would want to authenticate them against our AD.

So, if we are accessing the mobile device from the trusted network, then I dont care to authenticate as I will be reaching them through the VPN tunnel.

So, will a single ASA suffice both termination of a VPN tunnel and doing Authentication of the user or will I need 2 ASA's.

Does the cut-through proxy feature apply to traffic comming into the trusted network.


Jatin Katyal Fri, 05/14/2010 - 09:20
User Badges:
  • Cisco Employee,


Thats correct. Single ASA will suffice both termination of a VPN tunnel and doing Authentication of the user coming from internet to trusted network. Cut-through proxy can be used for both direction outside to inside // inside to outside.

If users coming from internet (not through VPN tunnel) want to access some non-standard port numbers.

Here is a sample config,


access-list outside_inside extended permit tcp any host --------> This should be un-used ip address and static too.

access-group outside-in in interface outside

aaa authentication match outside_inside outside CISCO_ACS

aaa-server CISCO_ACS protocol tacacs+
aaa-server CISCO_ACS host


Users from outside need to telnet to of the firewall we have used above, the user is  challenged for a username and password, and then authenticated by the  AAA server. Once authenticated, the user sees the message  "Authentication Successful." Then, the user can successfully access  other services that require authentication.




Do rate helpful posts-


This Discussion