Cisco Support Community
New Member

ASA configuration

Hi

This is my first post here I hope this will be helpful

I have a network that looks like the attached image, and there are also remote branches that will be connected using tunnels and controlled by a router.

My question is how I should configure an ASA 5525-X with a FirePOWER module and where to place it. I mean, is it placed in the right position now? For your information, it should handle SSL client and clientless VPN with AnyConnect. How should I configure it to filter the traffic from the router and terminate VPN connections at the same time? Should I connect the ASA to the router and to the ISP?

I hope you'll answer me as soon as possible.

I'd appreciate your help.

8 REPLIES
Bronze

Hi

The ASAs are placed in the right place if you peer with your ISP and have your own AS and address block. But if you do not have these, I think the routers are just useless; you could connect the ASAs directly to the ISP.

Configuration should be done based on your needs. To filter traffic from the router you just need to name the external ASA interface 'outside' and the internal one 'inside'. After this, no traffic will be allowed from outside to inside (unless you permit it via ACL or NAT).

Also, good practice is to create a separate DMZ for application servers which must be accessible from the Internet.

New Member

(optional) If you don't want to name your interfaces like this, you can set the security level manually (because the security level gets set automatically if you use the names that duke stated).

As duke said, whether your design is proper or not depends on how your ISP connection looks.

Having said that you terminate the branch VPNs on the router, you could also terminate those VPNs on the ASA.
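As an added example, not taken from duke's or andreas's posts, this is what that interface naming looks like on an ASA running 8.3 or later, with a DMZ added the way duke suggests. Interface numbers, addresses and the DMZ host are assumptions for illustration. One detail worth knowing: the ASA only auto-assigns security-level 100 to an interface named inside; any other nameif, including outside and dmz, defaults to 0 unless you set the level yourself.

```cisco
! Toward the router / Internet: lowest trust.
! Addresses here are made up for the example.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
 no shutdown
!
! Corporate LAN: the name "inside" makes 100 the default level;
! it is stated explicitly anyway so nobody has to remember that rule.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
 no shutdown
!
! DMZ: any nameif other than "inside" defaults to 0, so set it by hand.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.50.1 255.255.255.0
 no shutdown
!
! Default route toward the edge router on the transit link.
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
!
! With only the above, traffic from a lower to a higher security level
! (outside->inside, outside->dmz, dmz->inside) is dropped, while higher
! to lower is allowed. Publish one DMZ web server explicitly (assumed host):
object network DMZ_WEB
 host 172.16.50.10
 nat (dmz,outside) static 192.168.100.10
!
! ASA 8.3+ ACLs reference the real (pre-NAT) address of the server.
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

After applying, show nameif confirms the names and levels, and show access-list OUTSIDE_IN shows hit counts per entry; the explicit deny with log at the end is only there so that rejected flows show up in the logs instead of disappearing into the implicit deny.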

New Member

Thank you my friends (duke & andreas). I understand your suggestions and I know what I can do with the ASA, but the problem is I can't change the design because, as I said, I use the router for DMVPN connections with the remote sites, and the ASA is already placed after the router as you saw. Now I need to make the ASA work as a VPN terminator (SSL VPN), and I think for that I need a public IP. At the same time I need the ASA to filter the traffic that comes from the router to the inside network. So my question is: how can I configure the ASA to do both without changing the design or removing the router?

Bronze

Maybe it looks terrible, but anyway :)

Why this way? In my job I am tasked to avoid any possible single points of failure, so the ASAs need a redundant stateful failover link, which I build as a port-channel. Then I connect this link via a separate switch to avoid split-brain scenarios (when both ASAs would see the failover link down). Every ASA is also connected by its inside and outside interfaces to different switches.

Yes, I think you will need additional IP address(es) from your ISPs. I would not connect the ASAs between the edge routers and the LAN switches, because not all the traffic between the DMVPN cloud and the LAN is even needed on the ASA. But you will still have the ability for your VPN clients on the ASA to reach resources on your LAN and the DMVPN cloud; just configure routing the right way.

Also I would recommend configuring the ASAs as Active/Active failover with multiple contexts. Maybe you do not need this right now, but you will need it later, and if you don't do it now, later migration will be painful.

Good luck!

New Member

Hi Duke

I know your design and I've used it in another network. It's good for filtering traffic between the inside network and, let's say, a DMZ network connected to the ASA, but the traffic that comes from the router is still out of the line. I know you mean that it doesn't need filtering because of the tunnel and its encryption, but as I said, for me it's important to filter that traffic as well as provide client SSL VPN; that's what I need to do.

New Member

Hi Don,

To terminate VPNs you don't need to have public IPs in general (meaning you can terminate VPNs on any IP you want); you could also choose to do some NAT/PAT on the routers for the ports you need for the VPNs.

But depending on how much your ISP will charge you for a small public IP range (which you can then use in the area between the Internet routers and the firewalls), it would be worth the extra money to have a cleaner and more scalable setup.

For my personal preference, I would not choose to have unprotected routing/switching between the Internet (outside) and the corporate network (inside) like duke mentioned. It doesn't hurt to have traffic over the ASA which doesn't need to be filtered, but in case you have the need for that later you can just kick out the any rule (like for the remote branches) and put in some proper rules.

Not every traffic from your branches is good, and it's much easier to gain access to a remote branch in comparison to a datacenter or headquarters building, so you gotta protect yourself :-) (#safernetworking).

Additionally, with the ASA in the traffic flow you can gather statistics about top talkers and protocol distribution and so on, which comes in handy in case you have to troubleshoot.

Sure, you have to check if the throughput of the ASA meets the requirements of your traffic.
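An added example, not part of andreas's post, of what "kick out the any rule and put in some proper rules" looks like on the ASA's outside interface, where in this design the decrypted DMVPN branch traffic arrives from the router. The branch ranges, HQ server addresses, ports and the management subnet are all assumptions for illustration.

```cisco
! Weak: the "just let the branches through" rule. Any host at any branch,
! or anything the router forwards, can reach every address on the LAN,
! including management interfaces.
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
!
! Corrected: name the branch ranges and the services they actually need.
! All objects below are assumed values for the example.
object-group network BRANCH_LANS
 description LAN ranges behind the DMVPN spokes
 network-object 10.20.0.0 255.255.0.0
 network-object 10.30.0.0 255.255.0.0
!
object-group network HQ_APP_SERVERS
 network-object host 10.10.0.20
 network-object host 10.10.0.21
!
object-group network HQ_INFRA
 description DNS and directory services used by branches
 network-object host 10.10.0.5
!
object-group service BRANCH_APP_PORTS tcp
 port-object eq 443
 port-object eq 445
!
! Remove the blanket permit, then rebuild the list top-down:
! first match wins, so the management-subnet deny goes first.
no access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN remark --- branches never talk to HQ management ---
access-list OUTSIDE_IN extended deny ip object-group BRANCH_LANS 10.10.255.0 255.255.255.0 log
access-list OUTSIDE_IN remark --- branch LANs to the HQ services they use ---
access-list OUTSIDE_IN extended permit tcp object-group BRANCH_LANS object-group HQ_APP_SERVERS object-group BRANCH_APP_PORTS
access-list OUTSIDE_IN extended permit udp object-group BRANCH_LANS object-group HQ_INFRA eq 53
access-list OUTSIDE_IN extended permit tcp object-group BRANCH_LANS object-group HQ_INFRA eq 88
access-list OUTSIDE_IN remark --- everything else is dropped and logged ---
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Because the ASA is stateful, HQ-to-branch replies and HQ-initiated connections need no entries here; only flows entering the outside interface are evaluated. Run the new list for a while with the final deny logging and use show access-list OUTSIDE_IN hit counts plus the log to find legitimate branch flows you forgot, rather than re-adding a broad permit.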

New Member

Hi Andreas

Do you mean SSL VPN can be configured using private IPs? Can you explain to me how the outside user can reach the ASA? Because I can give my ASA a public IP, but that would be achieved by bypassing the router and giving a direct link from the ISP to the ASA.

And if I do that, won't that make another routing problem? Because I want any user from the inside network to go to the Internet through the router; if the ASA has an interface with a public IP, won't that make a conflict?

New Member

Hi Don,

Of course you cannot use a private IP address to access the VPN from a client on the Internet, but as I said you can do destination NAT on your edge routers, so you can use the public IP of the router for the clients to connect to the VPN and NAT the packet to the private IP of the ASA.
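The destination NAT andreas describes, written out as an added example that is not from his post: the edge router forwards inbound 443 on its own public address to the ASA's private outside address, while ordinary LAN users keep going out through the router's PAT, and the ASA terminates AnyConnect on that private address. Every address, interface number, pool, group name and the AnyConnect image filename is an assumption for illustration.

```cisco
! ================= Edge router (IOS) =================
! Public side toward the ISP (203.0.113.2 is the assumed public address)
interface GigabitEthernet0/0
 description ISP uplink
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! Transit link toward the ASA outside interface
interface GigabitEthernet0/1
 description to ASA outside
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! The router must not answer on 443 itself or the forward never happens
no ip http secure-server
!
! Static port forward: clients connect to 203.0.113.2:443; the router
! rewrites the destination to the ASA. TCP carries the TLS session,
! UDP 443 carries AnyConnect DTLS, so both are needed.
ip nat inside source static tcp 192.168.100.2 443 interface GigabitEthernet0/0 443
ip nat inside source static udp 192.168.100.2 443 interface GigabitEthernet0/0 443
!
! LAN users still PAT out behind the same public IP; the static entries
! above only take precedence for inbound 443.
ip access-list standard NAT_LAN
 permit 10.10.0.0 0.0.255.255
 permit 192.168.100.0 0.0.0.255
ip nat inside source list NAT_LAN interface GigabitEthernet0/0 overload
!
! The LAN lives behind the ASA
ip route 10.10.0.0 255.255.0.0 192.168.100.2
!
! ================= ASA =================
! "outside" sits on the transit link, not on a public address
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
!
! Addresses handed to AnyConnect clients (assumed pool)
ip local pool VPN_POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
object network VPN_POOL_NET
 subnet 10.99.0.0 255.255.255.0
object network INSIDE_NET
 subnet 10.10.0.0 255.255.255.0
!
! Do not NAT traffic between VPN clients and the LAN
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
!
! SSL VPN listens on 192.168.100.2:443, which the router exposes as
! 203.0.113.2:443. The image filename is a placeholder.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
group-policy GP_SSL internal
group-policy GP_SSL attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 dns-server value 10.10.0.5
!
tunnel-group TG_SSL type remote-access
tunnel-group TG_SSL general-attributes
 address-pool VPN_POOL
 default-group-policy GP_SSL
tunnel-group TG_SSL webvpn-attributes
 group-alias SSL enable
```

Two things to check before calling it done. The DMVPN tunnels on the router use UDP 500/4500 and ESP on the router's own address, so the 443 forward does not interfere with them. And the ASA's identity certificate must carry the name or address that clients actually type (the router's public IP or a DNS name resolving to it), not the ASA's private 192.168.100.2, otherwise AnyConnect will warn on every connection. On the router, show ip nat translations shows the two static entries; on the ASA, show vpn-sessiondb anyconnect lists the connected clients.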
