Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
760
Views
0
Helpful
4
Replies

Cisco ASA 5520 VPN IP help?

whiteford
Level 1
Level 1

‎01-13-2008 12:07 PM - edited ‎02-21-2020 03:28 PM

Hi, I have a Cisco Pix 515 and a Concentrator for the VPN side. I'm getting rid of these 2 and replacing them with 2 ASA 5520 (active/standby). I hope to eventually move the site to site VPN's and client VPN's over at some point and hope it's like the Concentrator to set them up. I was just wondering what the 5520 VPN IP will be? I guess the ASA 5520's "outside" interface will have the same external IP as the Pix (after migration), but will the VPN's also use this address or can I use the public IP the concentrator after migration or will it simply use the "outside" IP of the ASA?

Thanks

Labels:
0 Helpful
4 Replies 4

JORGE RODRIGUEZ
Level 10
Level 10

‎01-13-2008 07:12 PM

Andy, I would like to provide you with couple of links for you to be aware of some differences between Cisco VPN concentrator and Cisco ASA specifically PPTP which is the Microsoft client I would say still largely used these days. If you are planning in the near future getting rid of the VPN concentrator and the use of PPTP asa does not support it as an end point for pptp unless you have a Windows Remote access server and let PPTP pass through and keep your PPTP users but hopefully this is not your case.

I would suggest though since you are replacing the PIXes with ASA to start building your standards for using Cisco VPN client in the ASA, you could have both in parallel while migrating your users to Cisco VPN client using the ASA end point.

Migrating from VPN Concentrator 3000 to ASA

http://www.cisco.com/en/US/docs/security/asa/asa70/vpn3000_upgrade/upgrade/guide/miFeatureDiffs.html

With ASA there are quite few options for Remote access such as Clientless SSL VPN remote access, see bellow link for Remote access basic configuration etc..

ASA Remote Access VPN

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml#intro

AS for the VPN clients IPs you have several options, either you could create VPN ip Pool from the same ASA applience where your users will be assign dynamic IP addresses once connected, however, you also have the option to use DHCP relay where you could use Windows DCHP server to assign your VPN users IP addresses. For authentication you could use ASA local users database using AAA for authentication or have external Windows IIS RADIUS server for authentication .

I think since you have VPN concentrator in production you can have both in parallel functioning and start migrating your L2L connections without minimal downtime as well as begin implementing Remote access using Cisco VPN and start testing it.

On your migration of PIX and ASA outside interface IP address you have few options but the one that comes to mind is a hut cutover which is much easier and better to fall back to PIX in the event you run into problems. What I would is to build your ASA offline configuration access lists, static NATs, NAT pools interfaces configuration as that of the PIX and plan a hot cutover. If you need further assistance we are always here to assist in anything we can.

Rgds

Jorge

Jorge Rodriguez
0 Helpful

whiteford
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎01-13-2008 11:07 PM

Thanks Jorge for your detailed response. I forgot to mention all my client connections do use the Cisco VPN client and point to the concentrator 3015's public ip and I use windows radius for authentication. I'm not sure if dhcp relay is in use, I'm pretty sure users are getting an IP assigned to them from the concentrator, is this possible?

What I might do then is get the asa up and just doing the job the pix did and continue to use the concentrator for VPN's, once I'm happy the asa is ok then practise with client VPN on the asa, I then will need to somehow change the client VPNs to point to the new external IP of the asa.

Does this sound like a logical plan?

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to whiteford

‎01-14-2008 08:51 AM

Yes this sounds as a very good plan, if your users are currently using Cisco VPN client that makes things esier at leats for the client side where you do not need to have your users install Cisco VPN client for that matter.

As for your Plan again, it is good, that will leave you room to implement VPN in the ASA5510 and test it while having the concentrator up in production, when test indicate success on the ASA you can gradually migrate users to point to new VPN ASA outside IP address.

As for your 1st question on the DHCP in concentrator the applience has the option to use local user database as well as assign the users IP address defined localy at the concentrator, you could confirm this by looking if you have external DHCP as well as External Autentication server in the device.

That can be found at:

For authentication

Configuration>System>Servers>Authentication

For Accounting

Configuration>System>Servers>Accounting

For DHCP external

Configuration>System>Servers>DHCP

If you see external servers configured in VPN concentrator in above means these tasks are administered by external servers.

On the other hand if you go to address management at:

Configuration>system>Address Management>assigment

and

Configuration>System>Address Management Pools

you will see if the options checked off either to use internal address pool or external DHCP services.

Rgds

Jorge

Jorge Rodriguez
0 Helpful

whiteford
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎01-16-2008 12:17 PM

Looks like I use a local DHCP pool on the concentrator, does the ASA do this?

What is the Accounting used for? I use the Authentication for RADIUS.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents