Cisco Support Community

help with Cisco VPN solution implemented on ASA

I need help with VPN SSL solution design. My main questions are listed below.

Currently the customer has 2 routers as VPN termination devices. One router is used to terminate the customer's employees and the other device terminates the partners' sessions.

The customer would like to use the new SSL VPN solution from Cisco using the ASA 5520. Instead of 2 VPN routers (existing solution), the customer would like to use one VPN termination device for three different types of users: employees with full access (SSL VPN with AnyConnect client), 3rd parties/partners with restricted access (SSL VPN with AnyConnect client) and one connection to a mobile office (Easy IPSec implemented on the Cisco router). The authentication of users should be integrated into the customer's Active Directory.

The VPN ASA will be installed behind the firewall. The firewall translates the public IP address into a private one.

1 Question: based on best practice, what to do with the un-encrypted traffic? Send it back to the firewall or connect directly to the internal LAN?

2 Question: how to differentiate between employee and partner access since they use the same connection profile? Is it possible to place them into different VLANs? Can I use only one public address, or do I need to use two different addresses: one for employees and one for partners?


Re: help with Cisco VPN solution implemented on ASA

1. Best practice is to have the unencrypted traffic go through another DMZ to access internal resources. It can be on the same physical ASA, but it should be a new interface.

2. You can use an ACL to restrict the vendors on where they can go.

Hope that helps.
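Configuration sketch, added here and not written by either poster, of the two points in the reply on an ASA: a dedicated interface for decrypted VPN traffic, and a single AnyConnect connection profile whose users land in different group policies (with a vpn-filter ACL for partners) according to their Active Directory group. All interface, pool, group-policy, AD and address values are assumed placeholders.

```cisco
! Decrypted VPN traffic leaves through a dedicated DMZ interface (hypothetical names/addresses)
interface GigabitEthernet0/2
 nameif vpn-dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0
! Separate address pools so employees and partners are distinguishable by source address
ip local pool EMPLOYEE_POOL 10.30.1.1-10.30.1.254 mask 255.255.255.0
ip local pool PARTNER_POOL 10.30.2.1-10.30.2.254 mask 255.255.255.0
!
! vpn-filter ACL: source = VPN client, destination = internal resource; deny everything else
access-list PARTNER_FILTER extended permit tcp any host 10.10.5.20 eq 443
access-list PARTNER_FILTER extended deny ip any any log
!
! Users whose AD group maps to nothing end up here and cannot log in at all
group-policy NOACCESS_GP internal
group-policy NOACCESS_GP attributes
 vpn-simultaneous-logins 0
!
group-policy EMPLOYEE_GP internal
group-policy EMPLOYEE_GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value EMPLOYEE_POOL
!
group-policy PARTNER_GP internal
group-policy PARTNER_GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value PARTNER_POOL
 vpn-filter value PARTNER_FILTER
!
! Map the AD group (memberOf) returned by LDAP to the ASA group policy
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Employees,OU=Groups,DC=example,DC=com EMPLOYEE_GP
 map-value memberOf CN=VPN-Partners,OU=Groups,DC=example,DC=com PARTNER_GP
!
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.10.1.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP
!
! One connection profile for both user types; unmapped users fall into NOACCESS_GP
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group AD_LDAP
 default-group-policy NOACCESS_GP
```

Keywords vary by ASA release (older 8.0-8.3 images use `svc` where newer ones use `ssl-client`), so check the syntax against the running version before applying it.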