VPN design problem

dan.sellberg
Level 1

Hi there,

I have a little VPN design problem (check the attached JPEG).

example.jpg

I need to set this up so that the VPN users have full access to the public servers. They are protected by the transparent firewall that only allows access to certain ports. The servers have the ISP router as their gateway. This shouldn't be a problem but I'm struggling to wrap my head around this.

I'm thinking the simplest way would be to configure remote VPN like normal and turn off split tunneling. There's no requirement on blocking outgoing traffic so in theory the VPN traffic should go straight to the servers and not bounce in the ISP router since the ASA and the servers are connected to the same switch.

Does this sound reasonable or is this a stupid way to go about it? Any examples on how I can achieve this? The ASA is replacing an old VPN solution that assigns VPN users public IPs in the same range as the servers so I can't really redesign the whole network like I would want.

Thanks for your help.

2 Replies

Hi,

You plan to terminate the VPN tunnel on the 5505?

If so, the servers will require a route to send the traffic to the VPN pool range via the ASA (since their default gateway is the ISP router).

The transparent firewall is no problem.

What is your concern here?

Federico.

Thanks for your reply.

Yes.

I was thinking that I wouldn't have to since the ASA and the switch are connected to the same switch behind the transparent firewall and they are all in the same subnet. Outgoing traffic was going to be NATed to the public IP on the ASA which is in the same subnet as the servers. Maybe that doesn't work and a static route like you suggested is a better solution.
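
The return-path question discussed in this thread, as an added example that is not part of the original posts: it models a server's routing table and shows which next hop a reply takes for each of the two designs mentioned (a separate VPN pool, with and without a static route, and VPN traffic NATed to the ASA's own address). All addresses are constructed from documentation ranges, and the pool, gateway and ASA values are assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the thread)
SERVER_SUBNET = ipaddress.ip_network("203.0.113.0/24")  # public server subnet
ISP_ROUTER = "203.0.113.1"                               # servers' default gateway
ASA_OUTSIDE = "203.0.113.10"                             # ASA address in the same subnet
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")          # hypothetical VPN address pool
ON_LINK = "on-link"                                      # delivered directly via ARP


def server_routes(with_pool_route):
    """Routing table of one server: connected subnet, default route,
    and optionally the static route to the VPN pool via the ASA."""
    routes = [
        (SERVER_SUBNET, ON_LINK),
        (ipaddress.ip_network("0.0.0.0/0"), ISP_ROUTER),
    ]
    if with_pool_route:
        routes.append((VPN_POOL, ASA_OUTSIDE))
    return routes


def reply_next_hop(source_seen_by_server, with_pool_route=False):
    """Longest-prefix match on the address the server replies to."""
    dst = ipaddress.ip_address(source_seen_by_server)
    matches = [r for r in server_routes(with_pool_route) if dst in r[0]]
    network, next_hop = max(matches, key=lambda r: r[0].prefixlen)
    return next_hop


if __name__ == "__main__":
    cases = [
        ("pool address, no static route", "10.99.0.5", False),
        ("pool address, static route via ASA", "10.99.0.5", True),
        ("client NATed to ASA address", ASA_OUTSIDE, False),
    ]
    for label, src, has_route in cases:
        print(f"{label:38s} -> reply next hop: {reply_next_hop(src, has_route)}")
```

Only the first case sends the reply to the ISP router, which has no tunnel to the client; in the other two the reply reaches the ASA.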