Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2298
Views
0
Helpful
6
Replies

VPN asa5520 placement

Go to solution
revolwireless
Level 1
Level 1

‎07-16-2013 07:10 AM - edited ‎03-03-2019 07:07 AM

I have an asa5520 I'd like to use to terminate remote access and l2l vpns for our users and vendors.

It seems like the best 2 methods is to either have it in parallel with our firewall or in a dmz(Cisco recommended i guess)

I kind of prefer putting it behind the DMZ because I will be migrating l2l vpns off an asa5540 to the 5520, I don't want to have to contact all our vendors to change their terminating IP, if I put the 5520 in parallel I cannot use the current 5540 IP because it is a different placement and it's current public IP is not in the same subnet as our firewall/border routers

Now IF i did put it in a DMZ would the internal interface connect back to the firewall or can i connect it straight to our core?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to revolwireless

‎07-17-2013 09:49 PM

This is something you can decide based on the security requirements as both options are valid

if you want the decrypted VPN traffic to be inspected by the firewall then you should terminate the inside interface of the VPN FW back to the edge firewall if no need for this you could put the inside interface directly back to your internal network

hope this helps

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni

‎07-16-2013 09:02 PM

when you say DMZ I think you have another firewall which is Internet facing that has an interface for DMZ where you are going to place your VNP firewall in !!

if not, then the design it depends on your security policy and requirements if you want VPN users traffic to be inspected by another firewall then it is better to terminate the VPN tunnel to be decrypted before send this traffic to the other firewall

HTH

0 Helpful

Go to solution
revolwireless
Level 1
Level 1
In response to Marwan ALshawi

‎07-17-2013 06:37 AM

That is correct, we have an external firewall at our edge that I'm thinking of putting the ASA in a DMZ, but if I did that do I take the ASA's internal interface back to the firewall or to our core/dist?

0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to revolwireless

‎07-17-2013 09:49 PM

This is something you can decide based on the security requirements as both options are valid

if you want the decrypted VPN traffic to be inspected by the firewall then you should terminate the inside interface of the VPN FW back to the edge firewall if no need for this you could put the inside interface directly back to your internal network

hope this helps

0 Helpful

Go to solution
revolwireless
Level 1
Level 1
In response to Marwan ALshawi

‎07-18-2013 06:17 AM

Great thank you for the help.

Do you know if placing it behind the firewall is recommended over parallel?

This device will be terminating l2l VPNs also

0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to revolwireless

‎07-19-2013 12:56 AM

if you want to have it more secure and inspect the decrypted VPN traffic then terminate the VPN firewall inside interface back to the edge firewall

hope this help, make sure you rate the helpful posts

0 Helpful

Go to solution
revolwireless
Level 1
Level 1
In response to Marwan ALshawi

‎07-19-2013 06:49 AM

Thanks again for the help

0 Helpful
Customers Also Viewed These Support Documents