Current ASA 5515-x VPN device with ISE...use as firewall too?

dirkmelvin
Level 1

I have used many a PIX and ASA as a firewall device, and even a dual VPN and firewall device.

However, I have a new scenario, I am sure many have seen my ISE related posts.

Our current firewall (McAfee) has reached EoL, and instead of purchasing a new firewall I would like to know if it is possible to migrate to using the ASA that is currently strictly for AnyConnect VPN connections, so that it also replaces the McAfee firewall, which also serves a handful of site-to-site VPN tunnels.

Under normal circumstances I would see no problem. However, because of the way we have to set up the ASA to use ISE (Inline Posture Node), the ASA has a normal WAN connection, but the LAN connection to the IPN is its own VLAN in the core switch, which also contains the WAN interface of the IPN.

Would I just create a new LAN interface on the ASA to the inside network VLAN, and that would basically be a normal firewall setup using THAT interface?

Man did I just confuse myself! LOL

Any pointers here, are appreciated!

Thanks,

Dirk

1 Reply

dirkmelvin
Level 1

Can't believe I have no responses to this.

So I am back at it again. I have now ported all my existing rules and objects into my ASA.

So now my concern is about routing. Since we are currently using this ASA for VPN and we are using ISE (and by using ISE in this manner we have to have an Inline Posture Node), we have static routes basically pointing all traffic for the internal network through the IPN.

So how can I have the VPN users traffic only use the IPN for internal bound traffic, and all other traffic use the NEW internal interface to route traffic?

I realize, from interacting with several Cisco employees at this point, that we might be pioneers in this endeavor (VPN with ISE/IPN, and it actually works MOSTLY correctly).
