
New Member

ASA As a Standalone VPN Concentrator

I'm replacing a VPN3k with ASA that will be performing solely as VPN concentrator located in the DMZ protected by another firewall.

The other firewall is already doing inspection/fixups, so I'm wondering if there's any point in leaving the default service policy in place.  I've done some testing both ways and traffic looks to be flowing along just fine in either case.

Also, is there a "best practice" document for using the ASA as a standalone VPN concentrator?

Thanks.

Accepted Solution
Cisco Employee

ASA As a Standalone VPN Concentrator

Terry,

Indeed, if you're not planning to do NAT or filtering on that ASA it's fair to assume all inspections can go.

What sort of best practices were you looking for? I'm not aware of such a document (as opposed to saying that it does not exist).

New Member

ASA As a Standalone VPN Concentrator

Marcin:

I'm not looking for anything specific.  I just like to compare my configs to best practice documents if they exist.

Thank you.

Cisco Employee

Re: ASA As a Standalone VPN Concentrator

Terry,

ASA's VPN config doesn't offer much in terms of flexibility. All I can offer:

- KISS ;-) don't use features just because the name is nice and shiny ;-)

- be as specific as you can when constructing permit entries for matching VPN; at the same time, try limiting the number of permit entries per ACL. It's a balancing act.

- avoid "deny" statements when creating access-lists to match VPN traffic.

- AES is faster than 3DES (although both should be handled by crypto accelerator chip and impact should not be visible)

- If you're using Cisco devices on both sides you might want to consider IKEv2 (faster and more flexible negotiation, less prone to config errors, built-in (D)DoS protection, to name a few). I'm specifically saying Cisco products since both ASA and IOS are using the same toolkit, so there are not too many interoperability problems; this might not be the case when trying to work with different vendors.

- (like everywhere) avoid fragmentation, rather than "deal with fragmentation". Make sure your MSS and MTU values are reasonable.

For the rest ASA has a lot of sane defaults, which should work for a lot of setups.

Marcin

edit:

This one is for me.

Marcin, don't assume people are doing IPsec VPN only because you think they do :-)

Terry, is it only IPsec or also webvpn?
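An added example, not from the thread, showing what the advice above looks like as an ASA 8.4+ site-to-site configuration: the default inspection policy detached (the upstream firewall already inspects), a permit-only crypto ACL with specific entries, IKEv2 with AES instead of 3DES, and sane MTU/MSS values. The interface name, subnets, peer address, object names and the pre-shared-key placeholder are all constructed assumptions.

```cisco
! Default inspection policy detached: the upstream firewall already does
! inspection/fixups and this ASA does no NAT or filtering (constructed example).
no service-policy global_policy global
!
! Crypto ACL: one specific permit per protected subnet pair, no deny entries.
access-list VPN-TO-BRANCH extended permit ip 10.1.10.0 255.255.255.0 10.2.20.0 255.255.255.0
access-list VPN-TO-BRANCH extended permit ip 10.1.30.0 255.255.255.0 10.2.20.0 255.255.255.0
!
! IKEv2 with AES (Cisco peer on the far side); 3DES not offered at all.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Crypto map ties the ACL, the peer and the proposal together.
crypto map OUTSIDE-MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PLACEHOLDER-PSK>
 ikev2 local-authentication pre-shared-key <PLACEHOLDER-PSK>
!
! Keep MTU/MSS reasonable so tunnelled TCP does not get fragmented.
mtu outside 1500
sysopt connection tcpmss 1350
```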
