07-16-2013 07:10 AM - edited 03-03-2019 07:07 AM
I have an ASA 5520 I'd like to use to terminate remote access and L2L VPNs for our users and vendors.
It seems like the best two methods are to either have it in parallel with our firewall or in a DMZ (Cisco recommended, I guess).
I kind of prefer putting it behind the DMZ because I will be migrating L2L VPNs off an ASA 5540 to the 5520; I don't want to have to contact all our vendors to change their terminating IP. If I put the 5520 in parallel I cannot use the current 5540 IP, because it is a different placement and its current public IP is not in the same subnet as our firewall/border routers.
Now, if I did put it in a DMZ, would the internal interface connect back to the firewall, or can I connect it straight to our core?
07-16-2013 09:02 PM
When you say DMZ, I think you have another firewall which is Internet facing and has an interface for the DMZ where you are going to place your VPN firewall!
If not, then the design depends on your security policy and requirements. If you want VPN users' traffic to be inspected by another firewall, then it is better to terminate the VPN tunnel so the traffic is decrypted before sending it to the other firewall.
HTH
07-17-2013 06:37 AM
That is correct; we have an external firewall at our edge, and I'm thinking of putting the ASA in a DMZ on it. But if I did that, do I take the ASA's internal interface back to the firewall or to our core/dist?
07-17-2013 09:49 PM
This is something you can decide based on the security requirements, as both options are valid.
If you want the decrypted VPN traffic to be inspected by the firewall, then you should terminate the inside interface of the VPN FW back to the edge firewall; if there is no need for this, you could put the inside interface directly back to your internal network.
Hope this helps.
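The "inside interface back to the edge firewall" option from the answer above, shown as an ASA configuration sketch. This is an added example, not configuration posted in the thread; the interface names, the RFC 5737 addresses, the 10.0.0.0/8 internal range and the next-hop addresses are all assumed placeholders, with the edge firewall owning the DMZ and transit subnets.

```cisco
! Added example: ASA 5520 terminating remote-access and L2L VPNs, placed in the
! edge firewall's DMZ, with its inside interface cabled back to the edge firewall
! so decrypted VPN traffic is inspected by the edge firewall before reaching the core.
! All names and addresses below are assumed placeholders.
!
! Outside interface sits on the edge firewall's DMZ segment (VPN peers reach this address,
! or the public address the edge firewall NATs to it)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.0
!
! Inside interface sits on a second transit segment that also terminates on the edge firewall
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.130 255.255.255.192
!
! Default route: back out through the edge firewall's DMZ interface toward the Internet
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Internal networks: next hop is the edge firewall's transit interface, not the core,
! so decrypted remote-access and L2L traffic crosses the edge firewall's policy first
route inside 10.0.0.0 255.0.0.0 192.0.2.129 1
```

For the alternative the answer also allows, inside interface cabled straight to the core or distribution layer, only the inside segment and the `route inside` next hop change; the trade-off is that decrypted VPN traffic then bypasses the edge firewall's inspection, so any filtering of vendor and remote-user traffic has to be done on the ASA itself.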
07-18-2013 06:17 AM
Great thank you for the help.
Do you know if placing it behind the firewall is recommended over parallel?
This device will be terminating L2L VPNs also.
07-19-2013 12:56 AM
If you want to have it more secure and inspect the decrypted VPN traffic, then terminate the VPN firewall's inside interface back to the edge firewall.
Hope this helps; make sure you rate the helpful posts.
07-19-2013 06:49 AM
Thanks again for the help