Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ASA - Inside Interface

There seems to be a lot of talk about setting up the cisco ASA with inside & outside interface. What if the the outside network of your infrastructure is already being manage by another firewall/router, then there is no need for an outside interface.

I would like to config the ASA with just an internal interface connecting to my internal network. External traffic coming into my ASA for SSL VPN/IPsec Remote Access will be routed via the existing network in place. The only other interface that will be used are for HA stateful/Failover.

Is there any issue with this concept? I am replacing a Juniper SA 4500 with ASA 5540 which only uses 1 interface (internal)

Your responses would be much appreciated.

3 REPLIES

Cisco ASA - Inside Interface

Hello Ricardo,

This is not an easy one, since we do not have / handle all the details about your network infrastucture.

Nevertheless, let me share my thoughts:

The ASA is supposed to be an inband device, where it has an inside and outside interface. The reason behind this is to protect your assets, since by default, any connection originated from the outside to the inside is not allowed, only from inside-outside. So, what you can do is to connect the "outside" interface of the ASA to the Firewall/Router you mentioned above and the "inside" interface to the local network.

So VPN connections will be landed on the outside interface and the protected networks will be connected to the inside, only reachable through a VPN connection. Let's keep in mind that traffic from outside-inside from a established VPN connection is allowed by default "sysopt connection permit-vpn".

HTH.

- Javier

New Member

Cisco ASA - Inside Interface

Javier,

Thanks for your prompt response.

Your right and this was my inital plan but i also I wanted to keep the exiting setup as the Juniper SA with just one interface (inside or outside) which is connecting to a switch which connects to a Firewall. A second interface (inside or outside) would be useless (possible) because as traffic comes in from the the outside it goes through the firewall-DMZ>routes to Juniper SA via switch L3 Vlan, routes back out the same interface to the Firewall-DMZ to the internal network. (Hope that makes sense, I am unable to provide any config as this is a classified network)

The question I really wanted answering is whether this setup would be possible (even though its not the recommended design) and if there would be any configuration issues.

Thanks in advance.

Re: Cisco ASA - Inside Interface

Ricardo,

It should work, just make sure to add the rules to allow communication between the networks connected to the same interface of the ASA.

The concept of an inside and outside interface is a common design, but in the end, it really depends on your network infrastructure,

HTH.

Message was edited by: Javier Portuguez

589
Views
0
Helpful
3
Replies
CreatePlease to create content