Alternative to using 2x firewalls to filter VPN traffic?

Unanswered Question
Jun 23rd, 2010

First off, I have not worked with any Cisco VPN/Firewalls for several years, the last being PIX 506-515s with v6.03. I am completely unfamiliar with any new features introduced within these past years, especially concerning the ASA devices.

We have a requirement to provide clients with a site to site VPN to two servers at our location. These clients use broadband connections (although I believe they are all static IPs). At the client's site they have a device (PCL) that sends data to these two servers, currently this is not encrypted data. In order to have a secure connection we need to setup a VPN. Our initial thoughts are to send out to the clients pre-configured ASA-5505s and to put them behind their firewall, connected directly to the PCL device alone. The PCL device will then use this VPN connection to our site's servers (ASA-5510 on our end).

However, I am not thrilled with the initial idea that has been proposed. This would allow anyone at the client site to essentially connect a computer directly to the 5505, and they would be then be connected within our network, able to see the servers fully.We simply need just one port using TCP to connect through to the server.

My initial idea was to use the 5510 as the VPN endpoint (oursite) and another firewall to filter traffic from the VPN to the servers. I do not remember any capabilities for a PIX to filter traffic with an IPSEC connection like this. Then again, never had the need to know. The problem with this idea is pure and simple: Cost. The budget for this project is very limited to say the least.

So I guess my question for the community is do we have any other alternatives short of using 2 firewalls (one for VPN, other to filter VPN's traffic)?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Thu, 06/24/2010 - 07:10


Now with ASAs you can filter the VPN traffic much better than with older PIXes.

If you create a Site-to-Site VPN between both locations, then using the ASA you can create ''vpn filters'' and restrict which traffic you want to allow through the tunnel. In this way, it does not matter that there's a tunnel established between both locations as only the traffic specified in the filters will be allowed.



This Discussion