04-15-2009 05:03 AM - edited 03-09-2019 10:13 PM
Please take a look at this topic. The ASA firewall is giving me a headache.
WAN, Routing and Switching: Policy-based routing.
04-17-2009 03:00 AM
Well, I have not designed this network.
I think the central router is terminating VPN because of OSPF routing (tunnel interfaces with GRE)
The central router is not behind the ASA for internal. The ASA has its own internal network (HQ) and the others are all remote sites that have to go through the ASA because of authentication (not all users are allowed to surf on the internet).
OSPF is already encapsulated in the tunnel on the remote site and central routers.
The ASA is already a gateway for the internal network (not for the remote sites). The ASA can't send them a default route because there is the central router in between.
04-17-2009 03:08 AM
OK - a simple solution would be to:
1) Terminate the VPN on the ASA
2) Have the tunnel destination on the central router for the remote point to the ASA
3) In the ASA configure the crypto map for the tunnel source & destinations of the tunnels.
4) Directly connect the ASA to the internet circuit
5) Have the central router have only 1 connection to the ASA
6) Distribute a default route in OSPF - remote users would dynamically route over the tunnel through the IPSEC to the central router, the central router would route the internet traffic directly to the ASA where they can be authenticated.
HTH
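The six steps above, sketched as an added configuration example (not the poster's or the customer's config): the central router keeps its GRE tunnel and injects a default route into OSPF, while the ASA encrypts the GRE traffic between the two tunnel endpoints with a crypto map, since it cannot be a GRE endpoint itself. All addresses, names, the single-peer layout and the pre-8.3 ASA syntax are assumptions.

```cisco
! --- Central router (IOS): GRE tunnel stays here, the ASA is its only next hop ---
! Constructed addresses: router-to-ASA link 10.0.0.2 (router) / 10.0.0.1 (ASA),
! remote site's GRE endpoint 192.168.100.1 behind the remote IPsec device
interface Tunnel0
 description GRE to remote site 1 (encrypted by the ASA in transit)
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.0.0.2
 tunnel destination 192.168.100.1
!
! Step 5: one connection to the ASA; default route points at it
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 10.0.0.0 0.0.0.255 area 0
 ! Step 6: advertise the default into OSPF so remote sites send Internet
 ! traffic over the tunnel to this router, which forwards it to the ASA
 default-information originate

! --- ASA (8.2-style syntax, assumed): IPsec terminates here, no GRE on the ASA ---
! Remote IPsec peer (remote site's public IP, constructed): 203.0.113.2
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <replace-with-strong-psk>
!
! Step 3: crypto ACL matches only GRE between the tunnel source and destination
access-list VPN-SITE1 extended permit gre host 10.0.0.2 host 192.168.100.1
! Keep the tunnel endpoints out of NAT (pre-8.3 NAT exemption)
access-list NO-NAT extended permit ip host 10.0.0.2 host 192.168.100.1
nat (inside) 0 access-list NO-NAT
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-SITE1
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
```

Verify with `show crypto ipsec sa` on the ASA (encaps/decaps counters rising for the GRE selector) and `show ip ospf neighbor` on the central router once the tunnel comes up.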
04-17-2009 03:37 AM
Well I know that when the ASA would terminate the VPNs my problem would be solved. But I don't know if my client would like that, because that is a lot of work.
And I have one question. Does the ASA have tunnel interfaces like a router? So that I can use GRE?
04-17-2009 03:39 AM
No the ASA does not support GRE tunnels.
At the end of the day you should explain to your customer that the current topology/configuration is sub-optimal and can be improved 100%
HTH
04-17-2009 03:45 AM
So your advice is that the ASA terminates the VPNs and that the router is there only for the internet?
There is a problem too, a Frame-Relay router is connected to the router for other remote sites! I think that I could use a subinterface on the ASA for that!
04-17-2009 03:53 AM
If you just do that - what are you going to use as a layer 3 routing device on the inside?
Possibly - or just shift all the internal routing to the device that has the frame-relay - this is the central internal router.
Then the other router can just be used for internet routing, and the ASA can be the secure device that separates the internal network from the internet.
04-17-2009 03:55 AM
Well, thank you. I will consult with my workmate.
04-17-2009 04:05 AM
np - glad to help