help with Cisco VPN solution implemented on ASA

ngorenko
Level 1

I need help with VPN SSL solution design. My main questions are listed below.

Currently customer has 2 routers as vpn termination devices. One router is used to terminate the customer's employees and the other device terminates the partners session.

The customer would like to use the new SSL VPN solution from Cisco using ASA 5520. Instead of 2 VPN routers (existing solution), the customer would like to use one VPN termination device for three different types of users: employees with full access (SSL VPN with AnyConnect client), third parties/partners with restricted access (SSL VPN with AnyConnect client), and one connection to a mobile office (Easy IPsec implemented on the Cisco router). The authentication of users should be integrated into the customer's Active Directory.

The VPN ASA will be installed behind the firewall. The firewall translates the public IP address into a private one.

Question 1: based on best practice, what should be done with the unencrypted traffic? Send it back to the firewall, or connect directly to the internal LAN?

Question 2: how do I differentiate between employee and partner access, since they use the same connection profile? Is it possible to place them into different VLANs? Can I use only one public address, or do I need to use two different addresses: one for employees and one for partners?

1 Reply

Collin Clark
VIP Alumni

1. Best practice is to have the unencrypted traffic go through another DMZ to access internal resources. It can be on the same physical ASA, but it should be a new interface.

2. You can use an ACL to restrict the vendors on where they can go-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope that helps.
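The following is an added configuration example, not part of the original post or reply, showing how the two points in the reply (a dedicated DMZ interface for decrypted traffic, and an ACL that restricts partners) fit together on one ASA with a single AnyConnect connection profile authenticating against Active Directory over LDAP. Every interface name, IP address, pool range, AD group DN, server address and filename below is an assumption chosen for illustration; the ASA 8.2-era keywords (`svc`) are used because of the 5520 platform, and on 8.4+ images `svc` becomes `anyconnect`. Employees and partners are separated not by a second public address but by the AD group they belong to: an LDAP attribute map turns `memberOf` into the ASA group-policy, each group-policy hands out its own address pool, and the partner policy carries a `vpn-filter`. Anyone in neither AD group falls into the default policy, which allows zero logins.

```text
! --- Interfaces (all names and addresses are assumptions) ---
! outside faces the perimeter firewall, which NATs the public address to 192.168.100.2.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
!
! vpn-dmz carries the decrypted client traffic toward the firewall/LAN on its own
! interface, so the firewall still sees and filters it (point 1 of the reply).
interface GigabitEthernet0/1
 nameif vpn-dmz
 security-level 50
 ip address 10.10.50.1 255.255.255.0
!
! --- Separate address pools so downstream ACLs and logs can tell the two
!     populations apart by source address (assumed ranges) ---
ip local pool EMPLOYEE-POOL 10.10.60.1-10.10.60.254 mask 255.255.255.0
ip local pool PARTNER-POOL  10.10.61.1-10.10.61.254 mask 255.255.255.0
!
! --- Active Directory authentication over LDAP (assumed DC address and DNs).
!     The bind account only needs read access to user objects. ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (vpn-dmz) host 10.10.10.5
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! --- Map AD group membership to an ASA group-policy. This is what lets one
!     connection profile serve both employees and partners (question 2).
!     Assumed group DNs. ---
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf Group-Policy
 map-value memberOf CN=VPN-Employees,OU=Groups,DC=example,DC=local GP-EMPLOYEES
 map-value memberOf CN=VPN-Partners,OU=Groups,DC=example,DC=local  GP-PARTNERS
!
! --- Partner restriction ACL (point 2 of the reply). For a remote-access
!     vpn-filter the client pool is the source and the internal host is the
!     destination; the ASA applies it to both directions of the tunnel traffic.
!     Assumed application servers and ports. ---
access-list PARTNER-VPN-FILTER extended permit tcp 10.10.61.0 255.255.255.0 host 10.10.20.10 eq 443
access-list PARTNER-VPN-FILTER extended permit tcp 10.10.61.0 255.255.255.0 host 10.10.20.11 eq 22
access-list PARTNER-VPN-FILTER extended deny ip any any log
!
! --- Group policies ---
group-policy GP-EMPLOYEES internal
group-policy GP-EMPLOYEES attributes
 vpn-tunnel-protocol svc
 address-pools value EMPLOYEE-POOL
 split-tunnel-policy tunnelall
!
group-policy GP-PARTNERS internal
group-policy GP-PARTNERS attributes
 vpn-tunnel-protocol svc
 address-pools value PARTNER-POOL
 vpn-filter value PARTNER-VPN-FILTER
 vpn-simultaneous-logins 1
 split-tunnel-policy tunnelall
!
! Default for anyone who authenticates but is in neither AD group: no sessions allowed.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! --- One connection profile, one public address, shared by both user types ---
tunnel-group AD-USERS type remote-access
tunnel-group AD-USERS general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
tunnel-group AD-USERS webvpn-attributes
 group-alias corp enable
!
! --- Enable AnyConnect on the outside interface (package filename is an assumption) ---
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
```

After a partner logs in, `show vpn-sessiondb svc filter name <user>` should report the GP-PARTNERS policy and an address from 10.10.61.0/24, and `show access-list PARTNER-VPN-FILTER` hit counts rise on the explicit deny when the user tries anything other than the two permitted services. Because every decrypted packet leaves through vpn-dmz, the perimeter firewall can additionally restrict 10.10.61.0/24 independently of the ASA, which is the defence-in-depth the reply's first point is after.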
