Is this how my VPN should work? (ASA and 877 router)
I have a Cisco ASA 5520 which has a remote VPN connected to it from a Cisco 877 which is just on a DSL line.
I have allowed 3 subnets through the VPN via the SA's. When the VPN is up, the ASA says there is 1 IKE tunnel up and 3 IPSec tunnels, which I assume are these 3 subnets that the remote users need.
Is this how it should be, or can/should it say 1 IKE tunnel and 1 IPSec tunnel?
The thing that worries me is I'm going to add many more VPN's and read this:
"Each ACE creates 2 unidirectional IPSec SA's. If you have 100 entries in your ACL, then the ASA will create 200 IPSec SA's. Using host-based crypto ACE's is not recommended because Cisco ASA uses system resources to maintain the SA's which may affect system performance."
Re: Is this how my VPN should work? (ASA and 877 router)
Thanks for clearing up my understanding.
1.) The thing is I'm not sure how much the ASA 5520 can handle? I currently have all the VPN's and Cisco client VPN's going through my Cisco 3015.
These are 10 site-to-site VPN's which are on DSL lines (cisco 877's) which have about 10 users on each accessing about 10 subnets on each.
2.) Also for my understanding: the SA's I have configured for the crypto are the protected networks. It seems the networks can talk to each other no problem, and it seems I don't need to tell the remote router what ports I need to open. Once they are in the SA's I take it they are trusted and have full access?
3.) Because the VPN's to the ASA are protected networks, are they seen on the ASA as on the inside interface or outside?
2) If you don't specify an access-list on the interface then it will allow what you have specified in the crypto access-list. You can lock this down by specifying a more specific access-list than the crypto access-list and applying this to the outside interface. You still need the crypto access-list.
3) Not sure what you mean. The ASA knows the VPNs are accessible from its outside interface down a tunnel.
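The two points the thread turns on (each crypto ACE costs a pair of IPsec SAs, and an outside-interface ACL should be a stricter subset of the crypto ACL) can be checked mechanically against the config before it is pushed. The script below is an added example and is not code from the thread or from Cisco; the ACL names (VPN-877, OUTSIDE-IN) and the 10.1.x.0/24 and 192.168.10.0/24 networks are constructed sample values, not the poster's real addressing. It parses ASA-style extended ACEs, counts the SAs a crypto ACL will create, shows how far contiguous protected subnets can be collapsed into summary ACEs, and flags any inbound interface ACE that falls outside the crypto ACL's scope.

```python
import ipaddress
import re

# Constructed crypto ACL: three protected local /24s to one remote /24,
# mirroring the "3 subnets -> 3 IPsec tunnels" situation in the question.
CRYPTO_ACL = """
access-list VPN-877 extended permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-877 extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-877 extended permit ip 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

# Constructed outside-interface ACL (remote -> local direction). The third
# entry deliberately points at a subnet the crypto ACL does not protect.
OUTSIDE_ACL = """
access-list OUTSIDE-IN extended permit tcp 192.168.10.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443
access-list OUTSIDE-IN extended permit tcp 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 22
access-list OUTSIDE-IN extended permit ip 192.168.10.0 255.255.255.0 10.1.3.0 255.255.255.0
"""

# Matches "access-list NAME extended permit PROTO SRC SMASK DST DMASK ..."
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)"
)


def parse_aces(text):
    """Return a list of (proto, src_network, dst_network) from ACL text."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not extended permit ACEs
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        aces.append((m["proto"], src, dst))
    return aces


def ipsec_sa_count(aces):
    """Each crypto ACE negotiates one inbound and one outbound IPsec SA."""
    return 2 * len(aces)


def summarize(aces):
    """Collapse ACEs sharing proto and destination into summary networks.

    Only contiguous, mask-aligned blocks merge; the result must be mirrored
    on the peer (the 877) or Phase 2 will fail to match."""
    groups = {}
    for proto, src, dst in aces:
        groups.setdefault((proto, dst), []).append(src)
    summarized = []
    for (proto, dst), srcs in groups.items():
        for net in ipaddress.collapse_addresses(srcs):
            summarized.append((proto, net, dst))
    return summarized


def uncovered_interface_aces(interface_aces, crypto_aces):
    """Return inbound interface ACEs not contained in any crypto ACE.

    The crypto ACL is written local -> remote; traffic arriving inbound on
    the outside interface is remote -> local, so src/dst are compared swapped.
    An entry reported here is not "more specific" than the crypto ACL: it
    permits traffic the tunnel will never carry."""
    uncovered = []
    for proto, src, dst in interface_aces:
        covered = any(src.subnet_of(c_dst) and dst.subnet_of(c_src)
                      for _, c_src, c_dst in crypto_aces)
        if not covered:
            uncovered.append((proto, src, dst))
    return uncovered


if __name__ == "__main__":
    crypto = parse_aces(CRYPTO_ACL)
    print(f"{len(crypto)} crypto ACEs -> {ipsec_sa_count(crypto)} IPsec SAs")
    summary = summarize(crypto)
    print(f"after summarization: {len(summary)} ACEs -> "
          f"{ipsec_sa_count(summary)} IPsec SAs")
    for proto, src, dst in summary:
        print(f"  permit {proto} {src} -> {dst}")
    for proto, src, dst in uncovered_interface_aces(parse_aces(OUTSIDE_ACL), crypto):
        print(f"WARNING: OUTSIDE-IN permit {proto} {src} -> {dst} is outside the crypto ACL")
```

With the constructed input, three /24s produce 6 SAs; collapsing them yields 10.1.0.0/23 plus 10.1.2.0/24 (10.1.2.0 cannot merge without 10.1.3.0/24 in the set), so 4 SAs, and the stray 10.1.3.0/24 interface entry is reported. One caveat when applying the reply's advice about the outside ACL: on the ASA, decrypted VPN traffic bypasses interface ACLs while `sysopt connection permit-vpn` (the default) is in effect, so the stricter outside ACL only takes effect for tunnel traffic after that option is disabled.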