Cisco Support Community

Cisco ASA for VPN only

Hello all,

Hopefully a nice simple question for someone.

I have a small network office with network range 192.168.1.0/24. It currently has a basic setup of router -> firewall -> switches, and I'd like to keep the network as simple as possible.

The router is a 1800 series, but the firewall is another brand. The local default gateway is on the inside of the currently in place firewalls, but I would like to add a Cisco ASA to the existing setup for terminating my VPNs on.

I would like this ASA to have the outside interface configured in the 192.168.1.0/24 and NAT that address on the Cisco router. I will then add a route on the currently in place firewalls to send any traffic I want to go over my VPNs to the outside interface of my ASA, which will then route it back out of the outside interface over the VPN.

Essentially, what I'm asking is, can I just configure the outside interface, stick "same-security-traffic permit intra-interface" on there, and configure my VPNs as usual?

Just seems a bit strange to me not having any of the other interfaces configured and just patching in the outside interface... but this may be completely usual.

Thanks in advance.

James


3 REPLIES

Re: Cisco ASA for VPN only

Hi,

Let's see if I understand.

You have Internet - Router - Firewall - Switches...

The router has the public IP.

You can have the ASA (Firewall) terminating the VPNs even if it has a private IP (by doing a STATIC NAT on the router for the VPN traffic).

If this is the scenario, the default gateway could then be the ASA (if the switches are layer 2).

The STATIC NAT for VPN on the router needs to redirect the ESP protocol, UDP 500 and UDP 4500 (assuming IPsec VPN with NAT-T).

Federico.


Re: Cisco ASA for VPN only

Hi, thanks for the reply.

I don't want to change any of my current setup, or move my default gateway from the currently in place firewall. I simply want to hang my ASA off either the switch or the currently in place firewall and put a route on there directing any VPN traffic to the ASA.

Essentially the setup will look something like this:

In this instance, the switch on 192.168.1.4 will have the following route:

ip route 10.10.0.0 255.255.255.0 192.168.1.5

so that any traffic destined for the remote office gets routed to the ASA. The ASA will then send the traffic back out the same interface over the VPN to the remote office. I am planning to assign a static translation on the router as you mentioned.

My main concern was the traffic coming in and out of the ASA on the same interface, but I'm guessing the "same-security-traffic permit intra-interface" will take care of that. As I said, it just seems like a strange setup to me only having the outside interface patched in and configured.

Thanks,

James

Re: Cisco ASA for VPN only (Accepted Solution)

Just make sure you have the same security permit intra interface configured to allow the ASA to redirect traffic back out the same interface in which it received it.

The tunnel should work just fine.

Let me know if you have any problems.

Federico.
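The pieces discussed in the thread, pulled together as one worked configuration. This is an added example, not configuration posted by James or Federico. It assumes ASA 8.4-or-later syntax (the ikev1 keyword; older 8.2 code uses "crypto isakmp policy" and "crypto ipsec transform-set" instead), an IKEv1 site-to-site tunnel with a pre-shared key, and the following made-up addresses: the ASA outside interface at 192.168.1.5 and the remote LAN 10.10.0.0/24 (both from the thread), the in-place firewall's LAN address at 192.168.1.1, the router's public address 198.51.100.10, and the remote peer 203.0.113.10. Interface names, the hostname, the object and map names and the pre-shared key are placeholders.

```cisco
!=== ASA: only the outside interface is cabled and configured ===
hostname vpn-asa
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.5 255.255.255.0
 no shutdown
!
! The only next hop the ASA has is the in-place firewall (assumed 192.168.1.1);
! the remote peer is reached through it, via the router's NAT.
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! Traffic for 10.10.0.0/24 arrives on outside and must leave on outside
! (into the tunnel); decrypted return traffic for 192.168.1.0/24 is
! directly connected on outside too. Both are hairpins, so permit them.
same-security-traffic permit intra-interface
!
! No "nat" statements: 192.168.1.0/24 enters the tunnel untranslated.
! No access-group on outside: with the line above, same-security
! traffic is permitted without an ACL; add one later if you want to
! restrict what the LAN may send into the tunnel.
!
! Interesting traffic: local LAN <-> remote LAN (10.10.0.0/24 from the thread)
access-list VPN-TO-REMOTE extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.255.0
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
! NAT-T: the ASA sits behind the router's NAT, so IKE/ESP will move to UDP 4500.
! Enabled by default on current releases; shown explicitly here.
crypto isakmp nat-traversal 20
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-REMOTE
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key ReplaceWithALongRandomKey

!=== Router (1800 series, IOS): static NAT of the VPN ports to the ASA ===
! Assumes the in-place firewall routes 192.168.1.0/24 without translating it,
! and allows UDP 500/4500 and ESP from the router through to 192.168.1.5.
interface FastEthernet0/0
 description Internet (public 198.51.100.10, assumed)
 ip address 198.51.100.10 255.255.255.248
 ip nat outside
interface FastEthernet0/1
 description towards the in-place firewall
 ip nat inside
!
! IKE (UDP 500) and NAT-T (UDP 4500) to the ASA's private address.
! "extendable" lets these coexist with an existing PAT overload on the same public IP.
ip nat inside source static udp 192.168.1.5 500 198.51.100.10 500 extendable
ip nat inside source static udp 192.168.1.5 4500 198.51.100.10 4500 extendable
! Raw ESP (IP protocol 50) is only needed if NAT-T is not negotiated;
! IOS can pin ESP to one inside host by SPI matching.
ip nat inside source static esp 192.168.1.5 interface FastEthernet0/0

!=== In-place switch/firewall at 192.168.1.4: the route from the thread ===
ip route 10.10.0.0 255.255.255.0 192.168.1.5
```

Two checks worth doing once this is in place. First, "show crypto ikev1 sa" and "show crypto ipsec sa" on the ASA should show the peer and the 192.168.1.0/24 <-> 10.10.0.0/24 selectors, with the ISAKMP SA on port 4500 if NAT-T kicked in. Second, because the ASA's outside address is private, the remote peer will see an IKE identity of 192.168.1.5 rather than 198.51.100.10 when the ASA uses its default address identity; if the remote side rejects that, set "crypto isakmp identity key-id <string>" (or hostname) on the ASA and configure the remote peer to expect that identity. Note also that the hairpin on outside means the ASA is a pure tunnel endpoint here: it inspects nothing between the LAN and the Internet, so the in-place firewall still has to enforce the edge policy.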
