The way that you have drawn the network having the ASA in front of the VPN router does not change the design. The ASA does not support GRE tunnels so the GRE tunnels with IPSec will still terminate on the VPN router. The GRE tunnel will pass through the ASA so the ASA will need to have some permit rules that allow the GRE/IPSec traffic to pass through (and it means that the ASA will not be able to inspect the traffic carried through the GRE tunnels). There is an alternative design which would put the VPN router in front of the ASA. This would allow the GRE/IPSec to operate as it has been and would allow the ASA to inspect the traffic after it is de-encapsulated and de-encrypted.
Without knowing more about your network and its requirements, it is difficult to determine which approach would be better.
I have seen implementations which have separate connections to the Internet for VPN and for browsing and I have seen implementations where all traffic uses a single connection to the Internet. So you have changed from one approach to the other. Sometimes that kind of change is made for economic reasons (reduce cost by paying for only a single connection) and sometimes it is made to exert a different control over traffic. It is not clear why you made the change but it suggests that you may have made the change to be better able to examine and secure your Internet traffic.
So there are 2 designs to consider. In one design (as you currently have it) the router processing GRE/IPSec is behind the ASA and in the other design the router processing GRE/IPSec is in front of the ASA. In the first design the ASA connects directly to the Internet and in the second design the ASA connects to the GRE/IPSec router which connects to the Internet.
It is not possible to say abstractly that one design is better than the other. The choice of best design depends on what you are trying to accomplish. And only someone familiar with your network and your requirements can make that judgement.
In the design that you show the ASA must allow the GRE/IPSec traffic to pass through but is not able to examine the user traffic contained in the GRE/IPSec packets. In the other design where the GRE/IPSec router is in front of the ASA then the user traffic will be unencrypted by the time it gets to the ASA and the ASA will be able to examine the user traffic.
I have a customer who uses your design where the GRE/IPSec router is behind the firewall. Their judgement is that they treat the VPN users just like they treat users who are inside the corporate network (if the internal users do not have to pass through a firewall they do not require the remote user to pass through the firewall). I have another customer who uses the other design in which the GRE/IPSec router is in front of the firewall. Their position is that they want the firewall to examine "all" traffic coming in from the Internet.
So what is the position of your organization? Is it important for the ASA to examine "all" traffic coming in from the Internet or should the remote users have unrestricted access to your network? Once you answer that question then you will determine which design is better for your organization.
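As an added illustration of the first design (not part of the post above), here is the kind of outside-interface ACL the ASA would need so the GRE/IPSec tunnels can reach the VPN router behind it. The interface name `outside`, the ACL name `OUTSIDE_IN` and the VPN router address 203.0.113.10 are constructed for the example; the actual peers, interface names and any NAT between the outside interface and the router's segment are assumptions you would replace with your own values.

```text
access-list OUTSIDE_IN remark Added example, not from the post. Assumes the VPN router is
access-list OUTSIDE_IN remark reachable from the Internet as 203.0.113.10 (constructed address)
access-list OUTSIDE_IN remark and that no NAT changes that address on the way in.
access-list OUTSIDE_IN remark IKE negotiation to the GRE/IPSec router (UDP 500)
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN remark IKE and ESP carried over UDP 4500 when NAT traversal is in use
access-list OUTSIDE_IN extended permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN remark ESP (IP protocol 50): the ASA sees only the encrypted envelope,
access-list OUTSIDE_IN remark so it cannot inspect the GRE or user traffic inside it
access-list OUTSIDE_IN extended permit esp any host 203.0.113.10
access-list OUTSIDE_IN remark GRE (IP protocol 47) is only needed for a peer that runs GRE
access-list OUTSIDE_IN remark without IPSec; with GRE/IPSec the GRE header travels inside ESP
access-list OUTSIDE_IN extended permit gre any host 203.0.113.10
access-group OUTSIDE_IN in interface outside
```

In practice replace `any` with the addresses of the known tunnel peers (for example via a network object-group) so the ASA only admits IKE/ESP from routers you expect, and drop the `gre` line unless at least one tunnel really is unencrypted. None of these lines change the point made above: the ASA passes the envelope and cannot apply its inspection to the traffic inside it; only the second design, with the router in front of the ASA, gives the ASA cleartext user traffic to inspect.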