I'm replacing a VPN3k with ASA that will be performing solely as VPN concentrator located in the DMZ protected by another firewall.
The other firewall is already doing inspection/fixups, so I'm wondering if there's any point in leaving the default service policy in place. I've done some testing both ways and traffic looks to be flowing along just fine in either case.
Also, is there a "best practice" document for using the ASA as a standalone VPN concentrator?
ASA's VPN config doesn't offer much in terms of flexibility. All I can offer:
- KISS ;-) don't use features just because the name is nice and shiny ;-)
- be as specific as you can when constructing permit entries for matching VPN, at the same time, try limiting the number of permit entries per ACL. It's a balancing act.
- avoid "deny" statements when creating access-lists to match VPN traffic.
- AES is faster than 3DES (although both should be handled by crypto accelerator chip and impact should not be visible)
- If you're using Cisco devices on both sides you might want to consider IKEv2 (faster and more flexible negotiation, less prone to config errors, built in (D)DoS protection to name a few). I'm specifically saying Cisco products since both ASA and IOS are using the same toolkit, so there are not too many interoperability problems; this might not be the case when trying to work with different vendors.
- (like everywhere) avoid fragmentation, rather than "deal with fragmentation". Make sure your MSS and MTU values are reasonable.
For the rest ASA has a lot of sane defaults, which should work for a lot of setups.
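To make the points above concrete, here is an added site-to-site IKEv2 configuration fragment in ASA CLI (8.4+ syntax). It is an illustration written for this page, not Marcin's configuration or Cisco's reference example. The interface name `outside`, the object-group names, the peer address 203.0.113.2, the RFC 1918 subnets, the crypto-map and tunnel-group names, the MSS value and the pre-shared key placeholders are all assumed. It shows a crypto ACL built only from specific permit entries, AES instead of 3DES, IKEv2, the NAT exemption that a VPN concentrator behind another firewall still needs, and a TCP MSS clamp to keep fragmentation off the tunnel.

```cisco
! Constructed example: ASA as standalone IKEv2 site-to-site VPN concentrator.
! All names, addresses and the MSS value below are assumptions for illustration.

! Define both ends of the tunnel once, so the crypto ACL and NAT rule stay in sync.
object-group network LOCAL-LAN
 network-object 10.1.0.0 255.255.0.0
object-group network REMOTE-LAN
 network-object 10.2.0.0 255.255.0.0

! Crypto ACL: specific permit entries only, no "deny" lines, one line per pairing.
access-list VPN-TO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

! NAT exemption (8.3+ twice NAT) so VPN traffic is not translated before encryption.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! IKEv2 policy: AES-256 and SHA-256 rather than 3DES/SHA-1.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec proposal for the child SA, again AES rather than 3DES.
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Bind the crypto ACL, peer and proposal together on the outside interface.
crypto map OUTSIDE-MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

! Peer authentication; replace the placeholders with real keys stored out of band.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REPLACE-WITH-PSK>
 ikev2 local-authentication pre-shared-key <REPLACE-WITH-PSK>

! Avoid fragmentation instead of dealing with it: clamp TCP MSS below the
! post-encapsulation MTU (1350 is a common starting point for ESP over a 1500 path).
sysopt connection tcpmss 1350

! Checks after bringing the tunnel up.
! show crypto ikev2 sa            - IKE SA established to 203.0.113.2
! show crypto ipsec sa            - encaps/decaps counters increasing, no #pkts fragmented
! show service-policy            - confirms which inspections the default global_policy still applies
```

When trimming the default `global_policy`, the last `show service-policy` line is the check that tells you what inspection the ASA itself still performs, so you can compare it against what the firewall in front of it already covers.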
This one is for me.
Marcin, don't assume people are doing IPsec VPN only because you think they do :-)