Hi, I have a Cisco Pix 515 and a Concentrator for the VPN side. I'm getting rid of these 2 and replacing them with 2 ASA 5520 (active/standby). I hope to eventually move the site to site VPN's and client VPN's over at some point and hope it's like the Concentrator to set them up. I was just wondering what the 5520 VPN IP will be? I guess the ASA 5520's "outside" interface will have the same external IP as the Pix (after migration), but will the VPN's also use this address or can I use the public IP the concentrator after migration or will it simply use the "outside" IP of the ASA?
Andy, I would like to provide you with a couple of links so you are aware of some differences between the Cisco VPN Concentrator and Cisco ASA, specifically PPTP, which is the Microsoft client I would say is still largely used these days. If you are planning in the near future on getting rid of the VPN Concentrator and the use of PPTP, the ASA does not support it as an endpoint for PPTP unless you have a Windows Remote Access server and let PPTP pass through and keep your PPTP users, but hopefully this is not your case.
I would suggest, though, since you are replacing the PIXes with ASAs, to start building your standards for using the Cisco VPN client on the ASA; you could have both in parallel while migrating your users to the Cisco VPN client using the ASA endpoint.
As for the VPN client IPs, you have several options: either you could create a VPN IP pool on the same ASA appliance, where your users will be assigned dynamic IP addresses once connected; however, you also have the option to use DHCP relay, where you could use a Windows DHCP server to assign your VPN users IP addresses. For authentication you could use the ASA local user database using AAA for authentication, or have an external Windows IIS RADIUS server for authentication.
I think since you have the VPN Concentrator in production you can have both functioning in parallel and start migrating your L2L connections with minimal downtime, as well as begin implementing remote access using the Cisco VPN client and start testing it.
On your migration of the PIX and ASA outside interface IP address you have a few options, but the one that comes to mind is a hot cutover, which is much easier and better for falling back to the PIX in the event you run into problems. What I would do is build your ASA configuration offline (access lists, static NATs, NAT pools, interface configuration) to match that of the PIX and plan a hot cutover. If you need further assistance we are always here to assist in anything we can.
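The answer above lists the address-assignment and authentication choices side by side; the configuration fragment below is an added illustration written for this thread (not Jorge's config and not from Cisco documentation), in the older 8.2-era ASA syntax that matches the legacy Cisco VPN client. Interface names, addresses, pool/group names and keys are placeholders; the RADIUS key and group pre-shared key must be replaced before use.

```cisco
! Option A: address pool held on the ASA itself (placeholder addresses)
ip local pool VPN_POOL 10.20.30.10-10.20.30.100 mask 255.255.255.0
vpn-addr-assign local

! Option B: lease addresses from an internal Windows DHCP server instead.
! Replaces Option A: uncomment the next line and use "dhcp-server" in the
! tunnel-group below in place of "address-pool".
! vpn-addr-assign dhcp

! Authentication: external RADIUS server on the inside network (placeholder host)
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 192.168.1.5
 key RADIUS-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813

! Authentication alternative: ASA local user database.
! Use "authentication-server-group LOCAL" in the tunnel-group and define users:
! username vpnuser1 password PASSWORD-PLACEHOLDER privilege 0

! Policy applied to remote-access users (legacy client = IKEv1 IPsec)
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol ipsec
 dns-server value 192.168.1.2
 split-tunnel-policy tunnelall

! Remote-access tunnel group: clients point at the ASA "outside" interface IP
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool VPN_POOL
 authentication-server-group RADIUS_SRV
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key GROUP-PSK-PLACEHOLDER
```

With `vpn-addr-assign dhcp`, replace `address-pool VPN_POOL` with `dhcp-server <inside DHCP server IP>` under the tunnel-group general-attributes so the ASA relays leases from the Windows DHCP server.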
Thanks Jorge for your detailed response. I forgot to mention all my client connections do use the Cisco VPN client and point to the Concentrator 3015's public IP, and I use Windows RADIUS for authentication. I'm not sure if DHCP relay is in use; I'm pretty sure users are getting an IP assigned to them from the concentrator, is this possible?
What I might do then is get the ASA up and just doing the job the PIX did, and continue to use the concentrator for VPNs. Once I'm happy the ASA is OK, then practise with client VPN on the ASA; I will then need to somehow change the client VPNs to point to the new external IP of the ASA.
Yes, this sounds like a very good plan. If your users are currently using the Cisco VPN client, that makes things easier, at least for the client side, where you do not need to have your users install the Cisco VPN client.
As for your plan again, it is good; that will leave you room to implement VPN on the ASA and test it while having the concentrator up in production. When tests indicate success on the ASA you can gradually migrate users to point to the new VPN ASA outside IP address.
As for your first question on DHCP in the concentrator, the appliance has the option to use a local user database as well as assign the users IP addresses defined locally at the concentrator; you could confirm this by looking at whether you have an external DHCP server as well as an external authentication server configured in the device.
That can be found at:
For DHCP external
If you see external servers configured in the VPN Concentrator above, it means these tasks are administered by external servers.
On the other hand if you go to address management at:
Configuration>System>Address Management Pools
you will see which option is checked: either to use the internal address pool or external DHCP services.