Cisco Support Community
New Member

Combining two PIXs to one ASA

Hi,

I need a little sanity check please. I want to consolidate two PIXs onto a single ASA. Each PIX currently has an IPSEC VPN that terminates on the same remote peer (our ePoP VPN router).

The plan is to have interesting traffic for both local subnets added to the crypto ACL.

Currently working is:

PIX-1 10.10.10.10 --> (inside interface) --> 1.1.1.1 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

Crypto ACL:

access-list 10 permit ip 10.10.10.0 255.255.255.0 any

PIX-2 20.20.20.20 --> (inside interface) --> 1.1.1.2 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

Crypto ACL:

access-list 20 permit ip 20.20.10.0 255.255.255.0 any

I want to do:

ASA-1 10.10.10.10 --> (DMZ-1 interface) --> 1.1.1.1 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

ASA-1 20.20.20.20 --> (DMZ-2 interface) --> 1.1.1.1 (outside interface) --> edge router --> WAN --> 5.5.5.5 (VPN router) --> Internet

Crypto ACL:

access-list 10 permit ip 10.10.10.0 255.255.255.0 any

access-list 20 permit ip 20.20.10.0 255.255.255.0 any

Does anyone see any challenges with this?

Thanks, Dave

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Combining two PIXs to one ASA

Also check that the return routes to your network are pointed to the single VPN peer, in comparison to the two different VPN end points that was the case earlier with two PIX firewalls. Other than this I don't find anything. Hope and wish it works fine for you.

3 REPLIES
New Member

Re: Combining two PIXs to one ASA

Is the VPN terminated in the PIX or the VPN router? Is it a RA VPN or Site-to-Site VPN?

You can include as many networks as you want to be allowed in the VPN, but if it is a site-to-site VPN then both end network lists should match, else it will create problems.

New Member

Re: Combining two PIXs to one ASA

Thanks. This is a site-to-site VPN from the new ASA to an existing VPN router. And yes, I will have them make entries on the router for the two subnets. Is there anything else I should be aware of?

Dave
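A pre-cutover check for the two points raised in the replies (each end's crypto ACL must be the mirror of the other's, and the VPN router's return routes must all point at the single new peer), written as an added example that is not part of this thread. It assumes each crypto ACL entry is modelled as a (local, remote) network pair and that the router's static routes are available as a prefix-to-next-hop table; the addresses are the ones from the thread, the route table is constructed.

```python
# Added example: validate the merged crypto ACL and the remote return routes
# before cutting over from two PIXs to one ASA. Not Cisco code; input format
# (local, remote) pairs and the route dict are assumptions for this check.
from ipaddress import ip_network

# ASA-1 crypto ACL after the merge, as in the question (DMZ-1 and DMZ-2 to any)
ASA_CRYPTO_ACL = [
    ("10.10.10.0/24", "0.0.0.0/0"),
    ("20.20.10.0/24", "0.0.0.0/0"),
]
ASA_PEER = "1.1.1.1"  # the single outside address both tunnels now use

# Crypto ACL on the VPN router (5.5.5.5), written from its own point of view
ROUTER_CRYPTO_ACL = [
    ("0.0.0.0/0", "10.10.10.0/24"),
    ("0.0.0.0/0", "20.20.10.0/24"),
]

# Constructed route table on the VPN router: the second subnet still points
# at the old PIX-2 outside address, which is exactly the stale-route case.
ROUTER_ROUTES = {"10.10.10.0/24": "1.1.1.1", "20.20.10.0/24": "1.1.1.2"}


def mirror_mismatches(local_acl, remote_acl):
    """Entries of local_acl with no mirrored (remote, local) entry on the peer."""
    # Flip the peer's entries so they read as (local, remote) from our side.
    mirrored = {(ip_network(rr), ip_network(rl)) for rl, rr in remote_acl}
    return [(l, r) for l, r in local_acl
            if (ip_network(l), ip_network(r)) not in mirrored]


def stale_return_routes(local_acl, routes, peer_ip):
    """Local subnets whose route on the VPN router does not point at peer_ip."""
    stale = []
    for local, _ in local_acl:
        next_hop = routes.get(str(ip_network(local)))
        if next_hop != peer_ip:
            stale.append((local, next_hop))
    return stale


if __name__ == "__main__":
    print("ACL mismatches:", mirror_mismatches(ASA_CRYPTO_ACL, ROUTER_CRYPTO_ACL))
    print("Stale routes:", stale_return_routes(ASA_CRYPTO_ACL, ROUTER_ROUTES, ASA_PEER))
```

Run against the thread's addresses it reports no ACL mismatch but flags 20.20.10.0/24 as still routed to 1.1.1.2, the condition the accepted answer warns about.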
