
New Member

Adding ASA 5510 as a RAS VPN gateway into the existing network topology

Hello,

I'd like to add a Cisco ASA 5510 into the existing firewall and network topology so that Cisco RAS VPN access is possible too.

I don't want to use it as a firewall when not necessary, but only for the RAS access. I cannot picture now where in the network it should be placed.

The existing topology has a firewall including a DMZ; the firewall's internal interface serves as the default gateway for the internal network, as usual.

Sorry for the basic question, but Cisco is brand new for me. Last time I tested CP Connectra for that, it just sat in the DMZ with one (DMZ) public IP.

Does the ASA allow the same?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Adding ASA 5510 as a RAS VPN gateway into the existing netwo

There are a couple of scenarios you can configure:

1) VPN server outside interface in parallel with your current firewall outside interface, and VPN server inside interface connects to your firewall DMZ interface. So VPN traffic will terminate on the VPN server outside interface, gets decrypted and connects to the firewall DMZ interface, which then gets routed towards the firewall internal network.

2) VPN server outside interface is connected to the firewall DMZ interface, and VPN server inside interface is connected in the same VLAN as your firewall inside interface. This will only work if your internal LAN is connected to a router/layer 3 switch, so the router can be configured with routes for the remote VPN LAN and VPN client IP pool subnets to be routed towards the VPN server inside interface, while keeping the default gateway towards the firewall inside interface.

Hope that helps.
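To make scenario 1 concrete, here is an added configuration sketch that is not part of the thread and not Cisco's own recommendation text: the ASA's outside interface sits on the public segment next to the existing firewall's outside interface, its inside interface sits on the existing firewall's DMZ segment, and the only extra routing needed is a return route for the VPN client pool on the existing firewall. All addresses, interface names and the pool name are constructed placeholders; the remote-access tunnel itself (group policy, tunnel-group, crypto or SSL settings) is omitted because the thread does not say which VPN type is in use.

```cisco
! Added example (not from the thread): ASA 5510 placed as in scenario 1.
! All addresses, names and interfaces below are constructed placeholders.
!
! --- ASA 5510 ---
! Public side, parallel to the existing firewall's outside interface.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! Connects to the existing firewall's DMZ segment; decrypted traffic leaves here.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.10 255.255.255.0
!
! Address pool handed out to remote-access clients. It is a dedicated segment,
! deliberately distinct from any internal LAN subnet, so it can be routed cleanly.
ip local pool RAVPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! Encrypted traffic to and from the Internet uses the outside default route.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Decrypted traffic for the internal LAN (placeholder 10.1.0.0/16) is sent to the
! existing firewall's DMZ interface address, which then routes it inside.
route inside 10.1.0.0 255.255.0.0 192.0.2.1 1
!
! --- Existing firewall (or the internal router behind it) ---
! Shown IOS-style; the exact syntax depends on the firewall vendor.
! Return traffic for the client pool must point back at the ASA's inside interface,
! otherwise replies follow the default route and the VPN session breaks.
ip route 10.10.10.0 255.255.255.0 192.0.2.10
```

Two checks belong with this layout: the existing firewall's DMZ policy has to permit traffic sourced from the client pool (10.10.10.0/24 here) into the internal network, and the Internet-facing policy in front of the ASA's outside interface has to allow only the VPN protocol the clients use, nothing else, since that interface is the sole exposed service of the box.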

6 REPLIES
Cisco Employee

Re: Adding ASA 5510 as a RAS VPN gateway into the existing netwo

Yes, you can definitely sit the ASA in DMZ.

All you need to do for your internal routing is to point routes towards the remote LAN, and/or vpn client ip pool subnet towards the ASA.

I would have the following topology:

Internal LAN -- (inside) firewall (outside) ---- Internet
        |                          (dmz)
        |                              |
         --------------------- ASA VPN

Hope that helps.

New Member

Re: Adding ASA 5510 as a RAS VPN gateway into the existing netwo

Hi,

thanks a lot, but I still didn't get it. Would you mind elaborating the example? I'd really appreciate it.

A separate IP segment for the VPN pool and the ASA internal interface as a gateway to them? Specific routes on all servers to that segment?


New Member

Re: Adding ASA 5510 as a RAS VPN gateway into the existing netwo

Hi

thanks a lot, it definitely helps. Scenario #1 is perfectly suitable. Just curious, is there any one-interface (DMZ) scenario, like with Connectra? Should I use a different Cisco product for that? This is just a demo I borrowed.

Cisco Employee

Re: Adding ASA 5510 as a RAS VPN gateway into the existing netwo

It is not recommended to just use 1 interface of the ASA both for VPN termination as well as routing the clear text traffic (more possibility of having asymmetric routing that would be blocked on the ASA). Scenario #1 would be just as easy to configure.

Alternatively, you can use a router for VPN termination if you just want to use 1 interface. But I still think using separate interfaces as in scenario #1 would be much neater and more secure.

New Member

Re: Adding ASA 5510 as a RAS VPN gateway into the existing netwo

Thanks a lot!
