New Member

Setup of ASA 5500

Hi All,

I currently have my VPN users on a PIX 515E config over IPsec terminating on my outside int. I am ordering an ASA 5510 as I need another firewall for a smaller location and decided to just upgrade here and move this one there!

My question: how does the ASA work? I would REALLY like to have my VPN users on an entirely separate VLAN so that I may assign an entire 254 addresses as a pool. Currently I have to pick and choose for the pool, which often runs out. How does it work? Does the ASA use interfaces basically the same way the PIX does? I was told before to "terminate my VPN on my DMZ"; not sure I understand that. I want my users to be able to access the internet through me; currently they are cut off from the net altogether as I refuse to do split tunnel. Could someone give me some guidance?

Also... other than making sure the interfaces align, can I use the PIX config on the ASA?

TIA,

R

4 REPLIES
Gold

Re: Setup of ASA 5500

With the ASA or PIX v7, it is capable of redirecting internet traffic.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Further, I was just wondering what you are referring to by assigning remote VPN to an entirely separate VLAN. The VPN client pool should "never" overlap any network scheme that connects to the PIX.

e.g.

PIX inside = 192.168.1.0

PIX DMZ = 192.168.2.0

Then the VPN pool should not be 192.168.1.0 or 192.168.2.0.

New Member

Re: Setup of ASA 5500

I understand the overlapping deal; this is why I want to change it. I was handed this network and realize this is not a good thing to have, but do not know exactly how to change it. So basically I just need to assign a pool of addresses to VPN users and route them how? How does my internal network know to allow these users access to local resources?

Gold

Re: Setup of ASA 5500

Providing the inside net is directly connected to the ASA, and there is no other WAN link/router as a default gateway, then no configuration will be required for routing.

e.g.

internet <--> ASA <--> inside

internet <--> ASA <--> DMZ

With the simple topology above, no configuration will be required, one of the reasons being that the default gateway for all hosts would be the ASA.

Alternatively,

internet <--> ASA <--> inside <--> WAN router <--> branch offices

With this topology, the default gateway of all hosts would be the WAN router, thus either the WAN router has the ASA as the default gateway, or a static route for the VPN client pool has the ASA as the next hop.

New Member

Re: Setup of ASA 5500

It's a little more complicated than that... of course!

internet <--> router <--> ASA <--> core switch <--> WAN router <--> branch offices

The ASA is the default for the core switch; the core switch is the default for the WAN router.
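As an added example (not posted in this thread and not taken from Cisco's documentation), here is how the advice above fits together on an ASA using 7.2/8.2-era syntax: a dedicated /24 pool that overlaps nothing behind the firewall, no split tunnel with client Internet traffic hairpinned back out the outside interface (the approach the Cisco document linked in the first reply describes), the NAT exemption that lets the pool reach internal resources, and the static route the earlier reply says an upstream device needs when its default gateway is not the ASA. Every address, interface name, object name and the pre-shared key placeholder is made up for the example: inside is 192.168.1.0/24 with the core switch at 192.168.1.2, branch networks are summarized as 10.0.0.0/8, and the pool is 192.168.50.0/24.

```text
! ASA 5510, 7.2/8.2-style NAT syntax. All addresses and names below are constructed for this example.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Default route to the Internet router, plus a route for the branch networks behind the
! core switch / WAN router so the ASA can send VPN-client traffic toward them.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 192.168.1.2 1
!
! One full /24 for remote users. This is a separate subnet rather than a VLAN on an
! interface: the ASA hands these addresses out at the tunnel and routes them like any
! other network. The range must not overlap inside, DMZ or any branch network.
ip local pool VPNPOOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
! Decrypted client traffic arrives on "outside" and, with no split tunnel, Internet-bound
! packets must leave on "outside" again. Without this line the ASA drops that traffic.
same-security-traffic permit intra-interface
!
! No NAT between internal networks and the pool; PAT the pool behind the outside
! address for Internet traffic.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
!
! IKE phase 1 and IPsec phase 2 for the Cisco VPN Client (dynamic crypto map on outside).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
!
! Group policy: tunnel everything, which is what the original poster wants.
group-policy RAVPN internal
group-policy RAVPN attributes
 split-tunnel-policy tunnelall
 dns-server value 192.168.1.10
!
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RAVPN
tunnel-group RAVPN ipsec-attributes
 pre-shared-key <replace-me>
!
! Checks after a client connects:
!   show vpn-sessiondb remote    (client holds an address from 192.168.50.0/24)
!   show route                   (no conflicting route for 192.168.50.0 exists)
!
! --- Core switch or WAN router (IOS) ---
! Needed only on a device whose default gateway is NOT the ASA. In the poster's final
! topology the core switch defaults to the ASA and the WAN router defaults to the core
! switch, so return traffic for the pool already reaches the ASA. A device that defaults
! elsewhere needs an explicit route for the pool with the ASA inside address as next hop:
ip route 192.168.50.0 255.255.255.0 192.168.1.1
```

One caveat for the no-split-tunnel design: by default `sysopt connection permit-vpn` lets decrypted VPN traffic bypass the outside interface access list, so the outside ACL does not limit what remote users can reach inside. If remote users should only see some internal hosts, apply a `vpn-filter` access list in the group policy (or disable that sysopt and filter on the interface) rather than assuming the outside ACL covers them.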
