There seems to be a lot of talk about setting up the Cisco ASA with inside and outside interfaces. What if the outside network of your infrastructure is already being managed by another firewall/router? Then there is no need for an outside interface.
I would like to configure the ASA with just an internal interface connecting to my internal network. External traffic coming into my ASA for SSL VPN/IPsec Remote Access will be routed via the existing network in place. The only other interfaces that will be used are for HA stateful/Failover.
Is there any issue with this concept? I am replacing a Juniper SA 4500, which only uses 1 interface (internal), with an ASA 5540.
This is not an easy one, since we do not have / handle all the details about your network infrastructure.
Nevertheless, let me share my thoughts:
The ASA is supposed to be an in-band device, where it has an inside and an outside interface. The reason behind this is to protect your assets, since by default any connection originating from the outside to the inside is not allowed, only from inside to outside. So, what you can do is connect the "outside" interface of the ASA to the Firewall/Router you mentioned above and the "inside" interface to the local network.
So VPN connections will land on the outside interface and the protected networks will be connected to the inside, only reachable through a VPN connection. Let's keep in mind that traffic from outside to inside from an established VPN connection is allowed by default ("sysopt connection permit-vpn").
You're right, and this was my initial plan, but I also wanted to keep the existing setup as on the Juniper SA, with just one interface (inside or outside) which is connected to a switch which connects to a Firewall. A second interface (inside or outside) would be useless (possibly) because as traffic comes in from the outside it goes through the firewall-DMZ > routes to Juniper SA via switch L3 VLAN, routes back out the same interface to the Firewall-DMZ to the internal network. (Hope that makes sense; I am unable to provide any config as this is a classified network.)
The question I really wanted answered is whether this setup would be possible (even though it's not the recommended design) and if there would be any configuration issues.