I'm currently terminating a DMVPN on an 1841 connected to our new ISP. We recently purchased an ASA5510 to terminate/replace our IPSEC client VPN on an old ISP. I'm wondering what the best practice would be to install: have the 1841 outward facing with the ASA behind it, or have the ASA on the outside with the DMVPN router behind that? Please keep in mind that we will be utilizing the new ISP for everything going forward. Thanks
Can you have them each on the outside? Meaning that both the ASA and the router have a public IP. The "inside" of the router would be on a DMZ of the ASA. The inside of the ASA would be your internal LAN. This is a pretty standard setup. If you have the ASA in front of the router, you have to poke holes open and pass public IPs. Not impossible, but a pain to troubleshoot. If you have the router first, you'll have unencrypted traffic outside your firewall.
Thanks, I guess I was most concerned with the traffic from the DMVPN (1841) if it was placed behind the ASA. I realize I'll need to play ACL boy with this one. I see what you are saying with the interfaces and how they should be configured.
Design being design, there are always multiple aspects and scenarios, all having their benefits/limitations. Personally I would have the DMVPN behind the ASA, the ASA functioning as a single entry point or border firewall (removing the client VPN function) and providing additional access control back to the DMVPN 1841 if needed + adding client VPN functionality (assuming hardware encryption performance needs etc. are covered); 1-1 NAT and other aspects are possible so NAT-T etc. shouldn't be required, and (to some degree) it's one less major operational headache to worry about. Yet considering the old/new requirement, it may be best to have both in parallel while you transition (dependent on how you do your routing), and perhaps consider reducing your footprint and implementing better control mechanisms later. It's a shame the ASA does not support IPSEC in context mode, as having a border ASA with both the VPN Client ASA and split DMVPN 1841 behind it would be a more desirable scenario.
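As an added example (not from any post in this thread), this is roughly what the "holes" the second reply mentions and the 1-1 NAT the last reply mentions look like on an ASA running 8.3 or later object-NAT syntax, with the 1841's outside interface sitting on an ASA DMZ segment. Every name and address below is assumed: 203.0.113.10 is the public address the DMVPN spokes point their tunnel destination/NHS at, 10.10.10.2 is the 1841's DMZ-facing address, and the interface names are the ASA defaults.

```cisco
! Added example, not from the thread. Assumed addresses and names throughout.
! The DMVPN 1841 sits on the ASA "dmz" interface at 10.10.10.2 and is
! published to the Internet on 203.0.113.10 via 1-1 static NAT.
object network DMVPN-1841
 host 10.10.10.2
 nat (dmz,outside) static 203.0.113.10
!
! Open only what the tunnel needs. In 8.3+ the ACL matches the real
! (untranslated) address, i.e. the object above, not the public IP.
access-list OUTSIDE-IN extended permit udp any object DMVPN-1841 eq isakmp
access-list OUTSIDE-IN extended permit udp any object DMVPN-1841 eq 4500
access-list OUTSIDE-IN extended permit esp any object DMVPN-1841
access-list OUTSIDE-IN extended permit gre any object DMVPN-1841
access-group OUTSIDE-IN in interface outside
!
! Everything else inbound is dropped by the implicit deny at the end of
! OUTSIDE-IN. Traffic leaving the DMZ toward the inside LAN is still
! subject to the dmz-interface policy (not shown), which is the
! "additional access control" the last reply refers to.
```

On the 1841 side the tunnel source stays the DMZ address (10.10.10.2) while the spokes are configured against 203.0.113.10; permitting both ESP and UDP/4500 means the tunnel comes up whether or not the peers negotiate NAT-T. When troubleshooting, `show xlate` and `show access-list OUTSIDE-IN` on the ASA show the translation and which of the four permit lines are actually being hit.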