I am looking to use an ASA 5510 as a VPN device only (similar to the old VPN Concentrator) We already have an ASA5510 acting as a firewall to the internet from our central office. We also have a MPLS network to 7 other locations, and they all go through the Central Office for internet access. I will have VPN client users, and site to site VPNs connecting to the CO, and will need to access hosts in other sites in the MPLS network, as well as hosts in the CO. I am confused on where I should place my VPN ASA. I was thinking that I should put it at the same level of my Firewall ASA, but then I am not sure what I need to use as far as routing to make sure my traffic is able to flow properly. It would not let me post an attachment, so here is a link of the CO and MPLS general setup.
We have a similar scenario and we run our VPN device in parallel to our firewall.
So that I understand what you are trying to accomplish - you stated you will have site to site VPNs connecting to this ASA dedicated to VPN. Will those L2L tunnels act as backup routes to your primary MPLS network or will they service sites separate from your MPLS network?
Cisco's suggested way is to have the outside interface on the public network, the inside interface connect to the dmz interface of the CORP firewall. I've attached a diagram. Also here is the SRND for security (best practices).
He is using an ASA as his VPN device therefore, I would think that placing the ASA(for VPN usage) in parallel with his corporate firewall would be fine verses placing his ASA's (for VPN usage) inside interface on the DMZ segment of his corporate firewall ASA.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...