Cisco ASA for VPN only

jacobs_son
Level 1

Hello all,

Hopefully a nice simple question for someone.

I have a small network office with network range 192.168.1.0/24. It currently has a basic setup of router -> firewall -> switches, and I'd like to keep the network as simple as possible.

The router is an 1800 series, but the firewall is another brand. The local default gateway is on the inside of the currently in place firewalls, but I would like to add a Cisco ASA to the existing setup for terminating my VPNs on.

I would like this ASA to have the outside interface configured in the 192.168.1.0/24 and NAT that address on the Cisco router. I will then add a route on the currently in place firewalls to send any traffic I want to go over my VPNs to the outside interface of my ASA, which will then route it back out of the outside interface over the VPN.

Essentially, what I'm asking is, can I just configure the outside interface, stick "same-security-traffic permit intra-interface" on there, and configure my VPNs as usual?

Just seems a bit strange to me not having any of the other interfaces configured and just patching in the outside interface... but this may be completely usual.

Thanks in advance.

James


3 Replies

Hi,

Let's see if I understand.

You have Internet - Router - Firewall - Switches...

The router has the public IP.

You can have the ASA (Firewall) terminating the VPNs even if it has a private IP (by doing a STATIC NAT on the router for the VPN traffic).

If this is the scenario, the default gateway could then be the ASA (if the switches are layer 2).

The STATIC NAT for VPN on the router needs to redirect the ESP protocol, UDP 500 and UDP 4500 (assuming IPsec VPN with NAT-T).

Federico.

Hi, thanks for the reply.

I don't want to change any of my current setup, or move my default gateway from the currently in place firewall. I simply want to hang my ASA off either the switch or the currently in place firewall and put a route on there directing any VPN traffic to the ASA.

Essentially the setup will look something like this:

In this instance, the switch on 192.168.1.4 will have the following route:

ip route 10.10.0.0 255.255.255.0 192.168.1.5

so that any traffic destined for the remote office gets routed to the ASA. The ASA will then send the traffic back out the same interface over the VPN to the remote office. I am planning to assign a static translation on the router as you mentioned.

My main concern was the traffic coming in and out of the ASA on the same interface, but I'm guessing the "same-security-permit intra-interface" will take care of that. As I said, just seems like a strange setup to me only having the outside interface patched in and configured.

Thanks,

James

Just make sure you have the same security permit intra interface configured to allow the ASA to redirect traffic back out the same interface in which it received it.

The tunnel should work just fine.

Let me know if you have any problems.

Federico.
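A worked configuration for the single-interface layout discussed in this thread, added here as an example and not anything posted by James or Federico. It assumes ASA 8.4 or later NAT syntax, the ASA's only cabled interface on 192.168.1.5, the 1800 router at 192.168.1.1 with WAN interface FastEthernet0/0, and a remote office at 10.10.0.0/24 behind a peer written as the placeholder REMOTE_PEER_IP; IKEv1 with a pre-shared key (placeholder PLACEHOLDER_PSK) keeps the example short.

```cisco
! --- ASA: the only cabled interface is "outside", sitting on the office LAN ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.5 255.255.255.0
! Everything the ASA sends (encrypted packets to the peer, or replies back
! to the LAN) leaves via the router, so a single default route is enough.
route outside 0.0.0.0 0.0.0.0 192.168.1.1
! Required for this design: plaintext arrives on outside and the encrypted
! copy must leave on the same interface.
same-security-traffic permit intra-interface
! Plaintext from the LAN is checked by the outside ACL on its way in;
! permit only the traffic that is meant to use the tunnel.
access-list OUTSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
! Identity (no-NAT) rule so tunnel traffic keeps its real addresses.
! no-proxy-arp matters here: LOCAL_LAN is the ASA's own connected subnet.
object network LOCAL_LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.10.0.0 255.255.255.0
nat (outside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
! IKEv1/IPsec; NAT-T is needed because the router translates the ASA.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto isakmp nat-traversal 20
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer REMOTE_PEER_IP
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS
crypto map OUTSIDE_MAP interface outside
tunnel-group REMOTE_PEER_IP type ipsec-l2l
tunnel-group REMOTE_PEER_IP ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK
! --- IOS 1800 router: forward only IKE and ESP from the Internet to the ASA ---
ip nat inside source static udp 192.168.1.5 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.1.5 4500 interface FastEthernet0/0 4500
ip nat inside source static esp 192.168.1.5 interface FastEthernet0/0
! --- Existing inside firewall (the device at 192.168.1.4 in the thread):
! --- steer the remote office prefix to the ASA.
ip route 10.10.0.0 255.255.255.0 192.168.1.5
```

Because the remote peer only ever sees the router's public address, its own crypto map peer and tunnel-group must reference that address rather than 192.168.1.5.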
