New ASA/VPN setup

Answered Question
Mar 31st, 2014

So I am looking to add one of my spare 5510 firewalls to my network as a secondary VPN connection.

All I want this new ASA to do is handle VPN AnyConnect connections to my site. I am pretty new to ASAs so any help would be great. I know how to create a new VPN access on my ASA and I have added a NAT for my inside/outside traffic for my new VPN IP pool.

My question is, since this is only for VPN and I want all my current internal traffic to continue routing to the existing 5510 ASA, do I need to enter any ACLs on my new VPN-only ASA? Are ACLs used for VPN traffic, and do I need them for traffic to route over VPN?

I am setting up the inside interface connecting to one of my main Cisco switches and the Outside interface is connecting to my DMZ switch on the new VPN only ASA.

Thanks

Correct Answer
Marvin Rhoads Mon, 03/31/2014 - 10:21

I'm not sure if I follow how you are connecting the outside interface of the VPN only ASA. Normally in this sort of setup we would see the VPN ASA "in parallel" with the edge firewall.

You mention the DMZ switch which threw me a bit. If you are coming in via your primary firewall and going to the VPN only ASA via the DMZ then yes you will need to allow several ports open (protocol 50, udp/500, tcp/443 among others) and may have to do some other techniques (NAT-T etc.) depending on what type of remote access you are setting up. That's why we seldom see that setup used - it adds a fair amount of complexity without significant benefit.

When that former setup is used, you need the internal switch to know to route traffic to the VPN pool via the VPN only ASA inside interface. A static route is most often used although you could use OSPF or EIGRP if you wanted.

We don't typically need any access-list as the VPN traffic bypasses the outside interface inbound access lists. Return traffic to remote clients is coming from inside and going via outside (and is generally part of an established connection) so no access-list is necessary on the inside.

John Stevens Mon, 03/31/2014 - 11:19

Thanks for the response, Marvin.

Here is my current setup. My production ASA has 3 interfaces connected: inside, outside and DMZ.

Inside interface: connects to my main core switch

DMZ interface: connects to a small 8-port Cisco switch for my VTCs, etc., and the inside interface connects to my main core switch. My spare ASA (VPN only) is connected to the DMZ switch with an IP for my DMZ, while its inside interface is connected to the same core switch as my production ASA.

Outside interface: connects to my ISP provider

My thinking was that I connect my spare (VPN only) ASA to the DMZ and to my core switch. If I am thinking about this correctly, I would need to enter an access rule on my production ASA on the outside interface to allow traffic to the DMZ IP on my VPN-only ASA. I would not need to enter any ACLs for the inside/DMZ, just a NAT rule pointing traffic to my VPN IP pool.

Not sure if this makes sense or if I am going about this the right way.

Correct Answer
Marvin Rhoads Mon, 03/31/2014 - 13:13

You're welcome.

When you do it the way you're describing, you do need a static NAT (DMZ,Outside) rule and access-list (outside to DMZ) on the production ASA. There should not be any NAT rules for the VPN pool required or used on the production ASA. You will need the routing on your core L3 switch to the inside of the VPN-only ASA for the VPN pool subnet (or host addresses).

If you're only doing SSL VPN that's easiest because then only tcp/443 is needed in your access-list (assume you won't easily be able to use DTLS over UDP in this setup).

If you want to use IPsec (IKEv2) with Anyconnect then some of the other ports and protocols (and probably NAT-T) need to be configured and allowed.
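A concrete rendering of the design Marvin lays out in his two answers (static NAT plus outside access-list on the production ASA, a static route on the core L3 switch, and an SSL-only AnyConnect head-end that needs no inbound ACL of its own), added here as an example and not taken from the thread. All addresses, interface names, object names and the AnyConnect package filename are hypothetical, and the syntax assumes ASA 8.3 or later:

```cisco
! ---- Production ASA (ASA 8.3+ NAT syntax) ----
! Hypothetical addressing: the VPN-only ASA's outside interface sits in the DMZ
! at 192.0.2.10; 203.0.113.10 is a spare public address on the outside subnet.
object network VPN_ASA_DMZ
 host 192.0.2.10
 nat (DMZ,outside) static 203.0.113.10
! SSL-only AnyConnect needs just tcp/443 (no DTLS over UDP in this design).
! On 8.3+ the ACL matches the real (pre-NAT) address, hence the object.
access-list outside_access_in extended permit tcp any object VPN_ASA_DMZ eq https
access-group outside_access_in in interface outside
! IKEv2/IPsec AnyConnect would additionally need udp/500, udp/4500 (NAT-T)
! and ESP (IP protocol 50) permitted here.
! No NAT rule for the VPN pool belongs on this ASA: the pool is reached through
! the inside interface by routing, not by translation.

! ---- Core L3 switch (IOS) ----
! Return traffic for the VPN pool goes to the VPN-only ASA inside interface.
ip route 10.10.200.0 255.255.255.0 10.10.1.2

! ---- VPN-only ASA: minimal SSL AnyConnect head-end ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.2 255.255.255.0
! Default route via the production ASA's DMZ interface (192.0.2.1);
! internal networks via the core switch (10.10.1.1).
route outside 0.0.0.0 0.0.0.0 192.0.2.1
route inside 10.0.0.0 255.0.0.0 10.10.1.1
ip local pool VPN_POOL 10.10.200.1-10.10.200.254 mask 255.255.255.0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect enable
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 default-group-policy GP_ANYCONNECT
! Decrypted client traffic bypasses the outside interface ACL because
! "sysopt connection permit-vpn" is on by default, so no inbound ACL is needed.
```

Verify the path end to end with `packet-tracer input outside tcp 198.51.100.5 12345 192.0.2.10 443` on the production ASA and `show route` on the core switch before handing out the client profile.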

John Stevens Mon, 03/31/2014 - 14:30

Thanks Marvin, I was just going to use SSL VPN.  Thanks for the clarification and pointers, much appreciated.
