Need some expert help. I will be deploying the Cisco ASA 5510 in a VPN site-to-site scenario only. One interface will be for the WAN and the other LAN interface is connected to another firewall appliance. The main purpose of the ASA is for the branch site VPN connection only. My default gateway is pointing to the Internet router on my WAN interface. Should NAT be enabled on my WAN interface? The only expected traffic to go through my ASA is VPN traffic to the other site. I have already defined static routes and have gone through the wizard for site-to-site VPN and added my local and remote networks. Also, how do I approach my access policies? The default deny any any is in place. Should I allow anything on it? The firewall connected to my LAN interface is expected to do the filtering; like I said, the ASA's purpose is just to do VPN site-to-site. Thanks, all.
If all you are doing is terminating IPSEC site-to-site VPN tunnels then you do not need to worry about NAT or access-lists really.
As long as the outside interface of the ASA doing the VPNs is routable from the remote sites you should be fine.
As for permitting everything, if you mean permitting all traffic that comes through the VPN tunnel then yes you may as well because as you say you have another firewall behind it to do packet filtering.
Can I ask why you are using 2 firewalls rather than just the one?
Thanks, Jon. That is what I want to clarify as well: running the VPN site-to-site wizard will automatically create the 'cryptomap' access rules; will the existing deny-all rule apply to the VPN traffic? I think there was an option that VPN traffic will bypass access rules.
So having NAT enabled for anything that goes out on my WAN interface would not matter at all, even if the VPN traffic will go out of that interface, right? Hope I don't sound confusing.
As for your second question, I know it sounds weird and is not good network design, but the customer just renewed the maintenance contract for the other firewall box; that is why he does not want to get rid of it yet, although the ISA can perform the function as well. Thanks.
Yes, Jon. We just added the route on the firewall at the ASA's LAN interface saying that anything destined for the branch site will go to the ASA; everything else will go to the Internet router. So we don't expect any Internet traffic to go through the ASA, only VPN traffic to the branch site. Which brings me back to my question: should there be any NAT, or would it matter if there is or not? And also, do I need to allow anything in my access policies? I hope I don't sound like I am going in circles. Thanks for all the responses.
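A configuration that puts the answers in this thread into practice, as an added example that is not part of the thread or Cisco's own documentation (ASA 8.4+ syntax; every address, object name and the peer are assumed placeholders): a NAT exemption so tunnel traffic is never translated, `sysopt connection permit-vpn` so decrypted tunnel traffic bypasses the interface ACLs and the default deny can stay, and the crypto map the site-to-site wizard builds.

```cisco
! Added example, not from the thread or from Cisco: ASA 8.4+ configuration for an
! ASA whose only job is one IKEv2 site-to-site tunnel, with an inner firewall
! doing the filtering. All addresses and names are assumed placeholders.
!
! local LAN 10.1.0.0/24 behind "inside", branch LAN 10.2.0.0/24 behind the
! peer 203.0.113.2, Internet router 198.51.100.1, inner firewall 10.1.0.254
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.255.0
object network BRANCH-LAN
 subnet 10.2.0.0 255.255.255.0
!
! Default route to the Internet router on the outside; local LAN via the inner firewall.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.1.0.0 255.255.255.0 10.1.0.254 1
!
! NAT exemption (identity/twice NAT). With no other NAT statements this is a no-op,
! but it guarantees site-to-site traffic is never translated if outbound NAT is
! added later, which would silently stop packets matching the crypto map.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
!
! The wizard's "bypass access rules" option: decrypted tunnel traffic skips the
! interface ACLs, so the implicit deny on "outside" can stay. IKE (UDP/500,
! UDP/4500) and ESP to the ASA itself are accepted once IKEv2 is enabled.
sysopt connection permit-vpn
!
! Phase 1 (IKEv2) and phase 2 (ESP) as the site-to-site wizard would generate.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! Interesting traffic: only local LAN <-> branch LAN enters the tunnel.
access-list VPN-TO-BRANCH extended permit ip object LOCAL-LAN object BRANCH-LAN
crypto map OUTSIDE-MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
```

Verify with `show nat` (the exemption should show translate_hits only for branch-bound flows) and `show crypto ikev2 sa`; an ASA still on 8.2 expresses the exemption as `nat (inside) 0 access-list <acl>` instead of the twice-NAT line.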