Cisco Support Community
Community Member

Network Architecture?

Not sure where to post this but I thought I would start here. We recently purchased an ASA 5510. I am getting ready to implement it and have some questions / opinions on how to do it.

Here is the issue. We have two WAN connections, a T1 and a DSL connection that go to a dual WAN router. Then from the router to the core switch. My question is this. Do I put the ASA behind the dual WAN router or in front of it? The main purpose of the ASA is for client VPN access.

I look forward to your thoughts... Thanks

11 REPLIES
Hall of Fame Super Blue

Re: Network Architecture?

Hi

I would put the ASA device between your WAN router and the core switch assuming that your core switch is doing the routing for the internal network.

I'm assuming that the client VPN access is coming from the two connections on the WAN router.

Jon

Community Member

Re: Network Architecture?

Thanks for the quick response. If I put it behind the WAN router... which is also acting as our firewall, which ports do I open on it to forward to the ASA for the VPN clients? Also, at that point do I not assign a WAN IP to the ASA, or do I assign it two private IPs at that point?

Hall of Fame Super Blue

Re: Network Architecture?

Ah, you didn't mention that the router was acting as firewall.

If the ASA is acting purely to terminate remote access VPNs, does this mean you do not want the ASA to do any firewalling?

Your 2 WAN connections - can the remote access VPNs come across both links?

Jon

Community Member

Re: Network Architecture?

I don't need the ASA to do any firewalling, but I'm not against it. But I can't afford to lose the dual WAN connectivity, as it is for redundancy. We are using a Hotbrick "name of the router" for our dual WAN router. So we go from the T1 router into the Hotbrick and from a DSL modem into the Hotbrick. It does load balancing from there.

For right now the only VPN connectivity will be by remote users via software VPN. They could come across both public WANs; I was just thinking of coming across the T1.

Have I lost you yet? Sorry about the confusion.

Hall of Fame Super Blue

Re: Network Architecture?

Okay, I'm not familiar with a Hotbrick, so it's a bit difficult to say for sure where to place the ASA.

Could you send a quick topology diagram with the addressing, showing your WAN routers/Hotbrick and core switch, if possible?

Jon

Community Member

Re: Network Architecture?

This is the only one I have; hopefully it suffices.

Hall of Fame Super Blue

Re: Network Architecture?

Hi

Okay, thanks for that. Presumably that was one you already had :).

You have 2 options:

1) Place the ASA device alongside your Hotbrick and give the ASA external interface an IP address out of the T1 public subnet range. Firewall the VPN traffic on the ASA and connect the internal interface onto an internal subnet. This is assuming you only want to provide remote access VPNs on the T1. If you want to provide it to both links then you could use 2 interfaces on your ASA, one from each public subnet. Note that if the routers connect directly to the Hotbrick you would need to insert a switch. Non-VPN traffic does not go through the ASA.

2) Place the ASA in between the Hotbrick and the core switch. You would have to use private addressing on both interfaces and port forward from your router firewall. You will also need to enable NAT-T.

Jon

Community Member

Re: Network Architecture?

Jon,

Thanks for your help. If I do this:

> 2) Place the ASA in between the Hotbrick and the core switch. You would have to use private addressing on both interfaces and port forward from your router firewall. You will also need to enable NAT-T.

1. What ports would I need to port forward from the Hotbrick to the ASA?

2. I'm not familiar with NAT-T. Do I enable it on the ASA? What are the commands for that?

Community Member

Re: Network Architecture?

Jon,

Any suggestions on my last post?

Hall of Fame Super Blue

Re: Network Architecture?

Hi

Apologies, I've been a little bit busy.

1) IKE port UDP 500, 4500. IP PORT 50 - ESP

2) crypto isakmp nat-traversal

HTH

Jon
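A check for option 2 (ASA behind the Hotbrick on private addressing), added here as an example and not code from the thread or from Cisco: given a table of the forwarding rules configured on the upstream router/firewall, it reports which of the flows Jon lists (UDP 500, UDP 4500, ESP) are not forwarded to the ASA's private outside address. The rule-table format, the `192.168.1.2` address and the sample rules are constructed assumptions.

```python
"""Verify that an upstream NAT/firewall forwards every flow an IPsec
remote-access client needs to reach an ASA placed behind it.

Assumed rule format (constructed, not a real vendor export): one dict per
forwarding rule with 'proto' ('udp', 'tcp' or 'esp'), an optional 'port'
for udp/tcp, and 'dst', the private address the rule forwards to.
"""

ASA_ADDR = "192.168.1.2"  # constructed private address of the ASA outside interface

# The flows listed in the thread: IKE on UDP 500, NAT-T on UDP 4500, and ESP,
# which is IP protocol 50 (not a port), so it has no port entry.
REQUIRED_FLOWS = {
    "IKE (UDP 500)": ("udp", 500),
    "NAT-T (UDP 4500)": ("udp", 4500),
    "ESP (IP protocol 50)": ("esp", None),
}


def find_forwarded(rules, asa_addr):
    """Return the labels from REQUIRED_FLOWS that some rule forwards to asa_addr."""
    present = set()
    for label, (proto, port) in REQUIRED_FLOWS.items():
        for rule in rules:
            if rule["dst"] != asa_addr or rule["proto"] != proto:
                continue
            if port is None or rule.get("port") == port:
                present.add(label)
                break
    return present


def check_vpn_forwarding(rules, asa_addr):
    """Return a list of (severity, label) for flows that are not forwarded.

    UDP 500 and UDP 4500 are 'required': without them IKE cannot complete and,
    since the ASA sits behind NAT, data must ride NAT-T on UDP 4500.
    A missing ESP forward is a 'warning': many NAT boxes cannot forward a bare
    IP protocol, and with NAT-T enabled on the ASA the tunnel still works.
    """
    present = find_forwarded(rules, asa_addr)
    problems = []
    for label in REQUIRED_FLOWS:
        if label not in present:
            severity = "warning" if label.startswith("ESP") else "required"
            problems.append((severity, label))
    return problems


# Constructed sample: IKE and NAT-T forwarded to the ASA, ESP not forwarded.
SAMPLE_RULES = [
    {"proto": "udp", "port": 500, "dst": ASA_ADDR},
    {"proto": "udp", "port": 4500, "dst": ASA_ADDR},
    {"proto": "tcp", "port": 443, "dst": "192.168.1.10"},  # unrelated web server
]

if __name__ == "__main__":
    for severity, label in check_vpn_forwarding(SAMPLE_RULES, ASA_ADDR):
        print(f"{severity}: {label} is not forwarded to {ASA_ADDR}")
```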

Community Member

Re: Network Architecture?

You could have the ASA 5510 placed in parallel to the Hotbrick using its dual ISP feature. Assign 1 IP from the T1 and DSL IP pools to the outside and backup interfaces. The client VPN will have the T1 as the primary VPN and DSL as backup.
