New Member

ASA 5510 Placement for VPN

I am looking to use an ASA 5510 as a VPN device only (similar to the old VPN Concentrator). We already have an ASA 5510 acting as a firewall to the internet from our central office. We also have an MPLS network to 7 other locations, and they all go through the Central Office for internet access. I will have VPN client users, and site-to-site VPNs connecting to the CO, and will need to access hosts in other sites in the MPLS network, as well as hosts in the CO. I am confused on where I should place my VPN ASA. I was thinking that I should put it at the same level as my Firewall ASA, but then I am not sure what I need to use as far as routing to make sure my traffic is able to flow properly. It would not let me post an attachment, so here is a link of the CO and MPLS general setup.

http://www.asicorp.us/ciscolayout.jpg

Any insight would be greatly appreciated.

6 REPLIES
New Member

Re: ASA 5510 Placement for VPN

We have a similar scenario and we run our VPN device in parallel to our firewall.

So that I understand what you are trying to accomplish - you stated you will have site to site VPNs connecting to this ASA dedicated to VPN. Will those L2L tunnels act as backup routes to your primary MPLS network or will they service sites separate from your MPLS network?

Re: ASA 5510 Placement for VPN

Cisco's suggested way is to have the outside interface on the public network and the inside interface connect to the DMZ interface of the CORP firewall. I've attached a diagram. Also here is the SRND for security (best practices).

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html

New Member

Re: ASA 5510 Placement for VPN

Hi,

He is using an ASA as his VPN device; therefore, I would think that placing the ASA (for VPN usage) in parallel with his corporate firewall would be fine versus placing his ASA's (for VPN usage) inside interface on the DMZ segment of his corporate firewall ASA.

Regards,

Amir

Re: ASA 5510 Placement for VPN

It's for security reasons. Read the SRND or talk to a Cisco SE and this is their preferred way. It's the way deploy them as well.
