Community Member

simple ASA question re: firewall & VPN's

I'm going to be replacing my PIXs and Concentrator soon. Since they are separate boxes, they have separate public IPs. When I consolidate them down to an ASA 5520, should I use multiple interfaces for the public side, or can I get away with just using one? I need the VPN portion to terminate lan-2-lan tunnels as well as IPsec remote access. The firewall side is going to provide Internet access for my users as well as NAT some devices. Thanks.

5 REPLIES
Cisco Employee

Re: simple ASA question re: firewall & VPN's

> When I consolidate them down to an ASA 5520, should I use multiple interfaces for the public side, or can I get away with just using one?

Your requirements will let you get away with this. Just set up one interface with the public range. You can simultaneously terminate lan-2-lan as well as remote access tunnels.

Do rate helpful posts.

Regards,

Sushil
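As an added illustration of the single-outside-interface design Sushil describes (this is editorial example configuration, not code from anyone in the thread), the fragment below terminates a lan-to-lan tunnel and IPsec remote access on the same outside interface while still providing Internet PAT for inside users. It assumes the pre-8.3 ASA syntax an ASA 5520 of that era would run (the NAT commands changed in 8.3), an existing interface named inside, and constructed addresses, ACL and object names and pre-shared-key placeholders.

```cisco
! Added example, constructed addresses (RFC 5737 documentation ranges)
! One public-facing interface carries firewall traffic and both VPN types
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! Phase 1 (ISAKMP) enabled once on outside; shared by L2L and remote access
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Lan-to-lan tunnel: static peer in a static crypto map entry
access-list L2L-REMOTE extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L-REMOTE
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <L2L-PSK-PLACEHOLDER>
!
! IPsec remote access: dynamic entry at the lowest priority of the SAME map,
! so static L2L peers match first and everything else falls to remote access
ip local pool RA-POOL 10.9.0.1-10.9.0.254 mask 255.255.255.0
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol IPSec
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
tunnel-group RA-GROUP ipsec-attributes
 pre-shared-key <RA-GROUP-PSK-PLACEHOLDER>
!
! NAT: exempt tunnel traffic (identity NAT), PAT the rest to the outside address
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

After applying it, `show crypto isakmp sa` and `show crypto ipsec sa` should show both the static peer and the dynamic remote-access clients negotiating against the one outside address; the NONAT exemption is the piece most often missed when the firewall and VPN share a box.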

Silver

Re: simple ASA question re: firewall & VPN's

I think you are making a mistake by combining firewall and VPN into a single device. By combining these two functions into a single device, you're increasing the complexity of the configuration, it will take longer to troubleshoot issues, and it could take down your network altogether.

The current configuration you have, with the firewall functioning as the firewall and the VPN concentrator functioning as the VPN terminating end-point, is the classic design for most corporate enterprise environments.

What is your reason for combining these two functions into a single device? VPNc is going end of life?

Community Member

Re: simple ASA question re: firewall & VPN's

Thanks for your help.

Both the concentrator and the PIXs are going end of life. The concentrator has been failing recently.

I "assumed" that a scenario with dual ASAs in failover mode, along with using the IPS module (in order to get rid of my IDS 4215s), would be sufficient as a border security design.

Do you feel that the UTM idea is not a sound one?

Community Member

Re: simple ASA question re: firewall & VPN's

I see his point about configuration complexities with using a single design and the potentially more difficult troubleshooting in case you run into a problem. I will say that I just completed the same consolidation you're working on (PIX FW + VPNc to a dual ASA active/passive failover), and I have so far had no problems with it. You get a MUCH higher VPN throughput with the ASA than the concentrator, and you can set up AnyConnect on the ASA if you choose. I also like the ASA interface (both the ASDM and CLI) MUCH better than the concentrator (I get really frustrated that there is no CLI in the VPNc).

I also had the same dilemma as you about going with a single outside interface or going with two, and I ended up going with a single interface. At this point I have several HW EasyVPN clients, L2L and AnyConnect VPN set up, and it's working out great so far....really happy to be off that VPNc, as you can probably tell. :)

Silver

Re: simple ASA question re: firewall & VPN's

"Do you feel that the UTM idea is not a sound one?"

UTM only works if you have a simple site.

As far as the comparison between ASA and VPNc is concerned, I like VPNc much better than ASA in terms of VPN configuration, especially with complex NAT inside the VPN tunnels. It is a shame that Cisco stopped making VPNc.

"and I have so far had no problems with it"

Wait until you have to configure complex VPN with complex NAT. Then you will wish you had not consolidated FW and VPN into a single device.

My 2c.
