Hello, trying to figure out a good design for connecting multiple partners to our network. I currently have allocated to the task one router and one ASA5510. Having problems with my initial design concept and am looking for guidance on a new one.
The problem is this. We will need to connect to each partner via a different IPSec tunnel using pre-shared keys; each vendor might have different requirements for their tunnel, such as encryption type, etc. Each partner will then need to be ACL'd off to only allow access to those resources they've been approved for, or to allow our employees access to resources on their network(s). To one partner we might be able to just do simple PAT, allow all of our internal hosts to connect with a few of their hosts and share one outbound IP address. Another partner might require that we not use our internal RFC 1918 addresses, but instead provide them with public IP addresses and NAT them to our internal servers' IP addresses.
I was thinking of using VLANs on the ASA and terminating each tunnel on a separate VLAN interface. But then while each partner would get its own "outside" interface for NAT, they would be sharing an "inside" interface.
Pretty new at this, looking for the best way to go on it. Any suggestions and/or configuration examples would be greatly appreciated!
Hmm... We already have something similar to this for our client based VPN solution. Maybe I wasn't clear enough that this is a site-to-site VPN I'm working on now. So these partners will be connected 24x7 and will not have distinct client sessions that I can apply a policy to.
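
For the requirements described in the thread (per-partner crypto settings, pre-shared keys and per-partner access restrictions on always-on site-to-site tunnels), the following is an added example and not configuration from the original posts. It assumes ASA 8.2-style command syntax (later releases use `ikev1` keywords); every name, address and key is a constructed placeholder, and per-partner NAT is left out because its syntax differs between ASA releases.

```cisco
! Constructed example: names, addresses and keys are placeholders (assumptions).
! Partner A: peer 198.51.100.10, remote LAN 192.0.2.0/24, AES-256, DH group 5
! Partner B: peer 203.0.113.20, remote LAN 172.16.50.0/24, AES-128, DH group 2
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set TS_PARTNER_A esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TS_PARTNER_B esp-aes esp-sha-hmac
! Interesting traffic per tunnel, written local -> remote
access-list CRYPTO_PARTNER_A extended permit ip 10.10.0.0 255.255.0.0 192.0.2.0 255.255.255.0
access-list CRYPTO_PARTNER_B extended permit ip 10.10.0.0 255.255.0.0 172.16.50.0 255.255.255.0
! Per-tunnel filters: the remote side is always the source field.
! A: partner may reach one internal server on HTTPS. B: our hosts may reach one partner server on HTTPS.
access-list FILTER_PARTNER_A extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.5.20 eq https
access-list FILTER_PARTNER_B extended permit tcp host 172.16.50.10 eq https 10.10.0.0 255.255.0.0
group-policy GP_PARTNER_A internal
group-policy GP_PARTNER_A attributes
 vpn-filter value FILTER_PARTNER_A
group-policy GP_PARTNER_B internal
group-policy GP_PARTNER_B attributes
 vpn-filter value FILTER_PARTNER_B
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 general-attributes
 default-group-policy GP_PARTNER_A
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <PARTNER_A_PSK>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 general-attributes
 default-group-policy GP_PARTNER_B
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <PARTNER_B_PSK>
! One crypto map on the single outside interface, one sequence number per partner
crypto map PARTNER_MAP 10 match address CRYPTO_PARTNER_A
crypto map PARTNER_MAP 10 set peer 198.51.100.10
crypto map PARTNER_MAP 10 set transform-set TS_PARTNER_A
crypto map PARTNER_MAP 20 match address CRYPTO_PARTNER_B
crypto map PARTNER_MAP 20 set peer 203.0.113.20
crypto map PARTNER_MAP 20 set transform-set TS_PARTNER_B
crypto map PARTNER_MAP interface outside
```

A changed `vpn-filter` ACL applies only after the affected tunnel is re-established, so verify each filter by bouncing that partner's tunnel and testing both permitted and denied flows.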