04-17-2010 12:14 AM
Hello,
I'd like to add a Cisco ASA 5510 into the existing firewall and network topology so that Cisco RAS VPN access is possible too.
I don't want to use it as a firewall when not necessary, but only for the RAS access. I cannot imagine now where in the network it should be placed.
The existing topology has a firewall including a DMZ; the firewall's internal interface serves as the default gateway for the internal network, as usual.
Sorry for the basic question, but Cisco is brand new for me. Last time I tested CP Connectra for that, it just sat in the DMZ with one (DMZ) public IP.
Does the ASA allow the same?
04-17-2010 02:32 AM
Yes, you can definitely sit the ASA in the DMZ.
All you need to do for your internal routing is to point routes towards the remote LAN and/or the VPN client IP pool subnet towards the ASA.
I would have the following topology:

    Internal LAN -- (inside) firewall (outside) ---- Internet
         |                    (dmz)
         |                      |
         ----------------------- ASA VPN
Hope that helps.
04-17-2010 09:14 AM
Hi,
thanks a lot, but I still didn't get it. Would you mind elaborating on the example? I would really appreciate it.
A separate IP segment for the VPN pool, with the ASA internal interface as the gateway to them? Specific routes on all servers to that segment?
04-18-2010 05:57 AM
There are a couple of scenarios you can configure:
1) VPN server outside interface in parallel with your current firewall outside interface, and VPN server inside interface connects to your firewall DMZ interface. So VPN traffic will terminate on the VPN server outside interface, gets decrypted and connects to the firewall DMZ interface, from which it then gets routed towards the firewall internal network.
2) VPN server outside interface is connected to the firewall DMZ interface, and VPN server inside interface is connected in the same VLAN as your firewall inside interface. This will only work if your internal LAN is connected to a router/layer 3 switch, so that the router can be configured with routes for the remote VPN LAN and the VPN client IP pool subnets to be routed towards the VPN server inside interface, while keeping the default gateway towards the firewall inside interface.
Hope that helps.
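For scenario #1 above, the addressing and routing on the ASA would look like the following. This is an added example, not configuration from the thread or from Cisco; all addresses, interface numbers and the pool name are constructed assumptions, and the tunnel-group/group-policy part of the remote-access setup is left out.

```cisco
! Cisco ASA 5510, scenario #1: outside in parallel with the existing
! firewall's outside, inside plugged into the existing firewall's DMZ.
! All addresses below are constructed example values.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! ASA "inside" sits on the firewall's DMZ segment (firewall DMZ = 192.0.2.1)
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.2 255.255.255.0
!
! Address pool handed to remote-access clients (assumed pool, not on the page)
ip local pool VPNPOOL 10.99.0.10-10.99.0.100 mask 255.255.255.0
!
! Default route straight to the Internet through the ASA's own upstream gateway
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! The internal LAN (assumed 10.0.0.0/16) is reached via the firewall's DMZ interface,
! so decrypted client traffic leaves the ASA "inside" and enters the firewall's DMZ
route inside 10.0.0.0 255.255.0.0 192.0.2.1 1
!
! Decrypted VPN traffic bypasses interface ACLs on the ASA (default on, shown for clarity)
sysopt connection permit-vpn
```

The existing firewall then needs a route for 10.99.0.0/24 pointing at 192.0.2.2 on its DMZ interface, plus a DMZ-to-inside rule that permits only the pool subnet, so return traffic follows the same DMZ path and nothing else in the DMZ gains access to the internal LAN.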
04-18-2010 01:08 PM
Hi
thanks a lot, it definitely helps. Scenario #1 is perfectly suitable. Just curious, is there any one-interface (DMZ) scenario, like with Connectra? Should I use a different Cisco product for that? This is just a demo I borrowed.
04-18-2010 04:41 PM
It is not recommended to just use 1 interface of the ASA both for VPN termination as well as for routing the clear-text traffic (more possibility of having asymmetric routing that would be blocked on the ASA). Scenario #1 would be as easy to configure.
Alternatively, you can use a router for VPN termination if you just want to use 1 interface. But I still think using separate interfaces as in scenario #1 would be much neater and more secure.
04-18-2010 10:58 PM
Thanks a lot!