Cisco Support Community

New Member

VPN design problem

Hi there,

I have a little VPN design problem (check the attached JPEG).

example.jpg

I need to set this up so that the VPN users have full access to the public servers. They are protected by the transparent firewall that only allows access to certain ports. The servers have the ISP router as their gateway. This shouldn't be a problem but I'm struggling to wrap my head around this.

I'm thinking the simplest way would be to configure remote VPN like normally and turning off split tunneling. There's no requirement on blocking outgoing traffic so in theory the VPN traffic should go straight to the servers and not bounce in the ISP router since the ASA and the servers are connected to the same switch.

Does this sound reasonable or is this a stupid way to go about it? Any examples on how I can achieve this? The ASA is replacing an old VPN solution that assigns VPN users public IPs in the same range as the servers so I can't really redesign the whole network like I would want.

Thanks for your help.

2 REPLIES

Re: VPN design problem

Hi,

You plan to terminate the VPN tunnel on the 5505?

If so, the servers will require a route to send the traffic to the VPN pool range via the ASA (since their default gateway is the ISP router).

The transparent firewall is no problem.

What is your concern here?

Federico.
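The return-path point in the reply above, worked through as an added example (not code from the thread or from Cisco): a small routing-table model of the constructed topology, with the servers' default route pointing at the ISP router and the VPN pool in a separate range. Host names, addresses (RFC 5737 documentation ranges) and table contents are assumptions for illustration.

```python
# Added example, not from the thread: models the return path Federico describes.
# Hosts and addresses are constructed (RFC 5737 documentation ranges).
import ipaddress

ISP_ROUTER = ipaddress.ip_address("203.0.113.1")
ASA_OUTSIDE = ipaddress.ip_address("203.0.113.10")
SERVER = ipaddress.ip_address("203.0.113.20")
SERVER_LAN = ipaddress.ip_network("203.0.113.0/24")   # servers + ASA, one switch
VPN_POOL = ipaddress.ip_network("192.0.2.0/24")       # range handed to VPN users
VPN_CLIENT = ipaddress.ip_address("192.0.2.50")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def lookup(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; gateway None = on-link."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    net, gw = max(matches, key=lambda r: r[0].prefixlen)
    return gw

def server_routes(static_route_to_asa):
    """The servers' table: connected subnet plus default via the ISP router."""
    routes = [(SERVER_LAN, None), (DEFAULT, ISP_ROUTER)]
    if static_route_to_asa:
        routes.append((VPN_POOL, ASA_OUTSIDE))  # the route the reply recommends
    return routes

# The ISP router knows nothing about the pool; the ASA reaches it via the tunnel.
ISP_ROUTES = [(SERVER_LAN, None), (DEFAULT, "upstream")]
ASA_ROUTES = [(SERVER_LAN, None), (VPN_POOL, "tunnel")]
TABLES = {ISP_ROUTER: ISP_ROUTES, ASA_OUTSIDE: ASA_ROUTES}
NAMES = {ISP_ROUTER: "isp-router", ASA_OUTSIDE: "asa"}

def forward_is_direct():
    """ASA -> server: the server subnet is on-link, so no hop via the ISP router."""
    return lookup(ASA_ROUTES, SERVER) is None

def trace_reply(static_route_to_asa):
    """Follow a server's reply toward the VPN client; return the hops it takes."""
    path = ["server"]
    gw = lookup(server_routes(static_route_to_asa), VPN_CLIENT)
    if gw in TABLES:
        path.append(NAMES[gw])
        gw = lookup(TABLES[gw], VPN_CLIENT)
    path.append("vpn-client" if gw == "tunnel" else f"dropped-toward-{gw}")
    return path

if __name__ == "__main__":
    print("forward direct:", forward_is_direct())
    print("reply, no static route:", trace_reply(False))
    print("reply, with static route:", trace_reply(True))
```

The forward direction works as the original poster expects (ASA and servers are on-link), but without the static route the servers hand the reply to the ISP router, which has no route back into the pool.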

New Member

Re: VPN design problem

Thanks for your reply.

Yes.

I was thinking that I wouldn't have to since the ASA and the switch are connected to the same switch behind the transparent firewall and they are all in the same subnet. Outgoing traffic was going to be NATed to the public IP on the ASA which is in the same subnet as the servers. Maybe that doesn't work and a static route like you suggested is a better solution.
