Cisco Support Community
New Member

VPN configuration for two pairs of firewalls

Hi,

We have two pairs of ASA5520s, one sitting in front of the other, to create a DMZ and a Secure zone for our database servers. What is the normal practice for allowing VPN access to the Secure zone when it is behind two sets of firewalls? Do you allow VPN traffic to pass through the first set of firewalls and terminate the VPN connection on the second set of firewalls?

Many Thanks,

Alan

2 REPLIES
New Member

Re: VPN configuration for two pairs of firewalls

Hi,

I think you have to open IPsec on the in and out interfaces to bypass the IPsec tunnel.

Ck

New Member

Re: VPN configuration for two pairs of firewalls

Hello Alan,

It will depend on our org's security policy. In our case (we also have 2 sets of firewalls) we terminate our VPN connections (both RA and L2L) on the outside interface of the front set of routers.

You can consider terminating it on the inside or DMZ interface of the outside set, but remember that if you terminate a tunnel on an interface other than the 1st outside one, then you won't know what kind of traffic is coming through, and you will thus lose the capability of controlling that traffic at the very edge.

Regards

Pradeep
