ASA As a Standalone VPN Concentrator

terrygwazdosky (Level 1)

I'm replacing a VPN3k with ASA that will be performing solely as VPN concentrator located in the DMZ protected by another firewall.

The other firewall is already doing inspection/fixups, so I'm wondering if there's any point in leaving the default service policy in place.  I've done some testing both ways and traffic looks to be flowing along just fine in either case.

Also, is there a "best practice" document for using the ASA as a standalone VPN concentrator?

Thanks.

3 Replies

Marcin Latosiewicz (Cisco Employee, accepted solution)

Terry,

Indeed, if you're not planning to do NAT or filtering on that ASA it's fair to assume all inspections can go.

What sort of best practices were you looking for? I'm not aware of such document (as opposed to saying that it does not exist).

Marcin:

I'm not looking for anything specific.  I just like to compare my configs to best practice documents if they exist.

Thank you.

Terry,

ASA's VPN config doesn't offer much in terms of flexibility. All I can offer:

- KISS ;-) don't use features just because the name is nice and shiny ;-)

- be as specific as you can when constructing permit entries for matching VPN, at the same time, try limiting the number of permit entries per ACL. It's a balancing act.

- avoid "deny" statements when creating access-lists to match VPN traffic.

- AES is faster than 3DES (although both should be handled by crypto accelerator chip and impact should not be visible)

- If you're using Cisco devices on both sides you might want to consider IKEv2 (faster and more flexible negotiation, less prone to config errors, built-in (D)DoS protection, to name a few). I'm specifically saying Cisco products since both ASA and IOS are using the same toolkit, so there are not too many interoperability problems; this might not be the case when trying to work with different vendors.

- (like everywhere) avoid fragmentation, rather than "deal with fragmentation". Make sure your MSS and MTU values are reasonable.

For the rest ASA has a lot of sane defaults, which should work for a lot of setups.

Marcin

edit:

This one is for me.

Marcin, don't assume people are doing IPsec VPN only because you think they do :-)

Terry, is it only IPsec or also webvpn?
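The points above (dropping the default inspection policy on a VPN-only ASA, specific permit-only crypto ACLs, AES over 3DES, IKEv2 between Cisco peers, and sane MTU/MSS) pulled together as an ASA config fragment. This is an added example, not configuration posted by either participant; the interface name "outside", the access-list and crypto-map names, the RFC 5737 peer address 198.51.100.10, the RFC 1918 subnets, the MSS value and the pre-shared-key placeholder are all assumptions chosen for illustration.

```text
! --- 1. Default inspection policy ---
! The upstream firewall already inspects, and this ASA does no NAT or
! filtering, so the default global service policy can be removed outright.
no service-policy global_policy global

! --- 2. Crypto ACL: specific, permit-only, few entries ---
! One permit per (local, remote) subnet pair; no "deny" lines, since a deny
! in a crypto ACL does not filter traffic, it only excludes it from the tunnel
! and makes the SA negotiation harder to reason about.
access-list L2L_HQ extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! --- 3. IKEv2 with AES (not 3DES), Cisco peer on the far side ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto map OUTSIDE_MAP 10 match address L2L_HQ
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ! PSK placeholder (assumption): replace with a long random secret
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

! --- 4. Avoid fragmentation rather than dealing with it ---
! Clamp TCP MSS low enough that an ESP-encapsulated packet still fits the
! 1500-byte outside MTU, and clear DF on the inner packet so anything that
! does exceed it is fragmented before encryption instead of being dropped.
mtu outside 1500
sysopt connection tcpmss 1350
crypto ipsec df-bit clear-df outside
```

After applying, `show service-policy` should return nothing for the global policy, `show crypto ikev2 sa` should show the tunnel coming up with AES-256/SHA-256/group 14, and `show crypto ipsec sa` should show no "fragmented" counters climbing once real traffic flows.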
