ASA for remote access VPN

Jun 2nd, 2010

I already use a Netscreen for my site-to-site VPNs and I would like to implement an ASA to handle the remote access client VPNs.


Has anyone done this before?  If so, how would I go about doing it? Hang the ASA off one of my Netscreen ports?

dpatten78 Wed, 06/02/2010 - 11:11

Thanks, Federico.


Assume my layout is this:


Internet < ------ > Netscreen FW < ------ > Core Switch-router <------> LAN.


Your thoughts?

Federico Coto F... Wed, 06/02/2010 - 12:17

Are you going to use the ASA for anything else besides terminating the remote access VPNs?


For terminating VPN connections you can position the ASA either in front of, in parallel with (if you have a switch), or behind the Netscreen FW.

It depends on who has the public IP address and on the functions that are going to be performed by the ASA and the Netscreen.


Federico.

dpatten78 Wed, 06/02/2010 - 12:22

No, solely for terminating remote access VPNs.


I have a switch in between my FW and my edge modem, and I also have public IPs that I can use for the outside interface.  Netscreen should be the entry point for all non-remote-access traffic.  ASA should be the entry point for remote access traffic and should go through the Netscreen.  So in front or parallel should work without fail.


If it were behind it, I would tunnel all dial-up VPN traffic through FW to ASA.  I would rather tunnel remote access VPN through FW and set policies there to allow/deny traffic.  Would that work?
