cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1635
Views
7
Helpful
6
Replies

ASA 5510 behind another firewall

keddans
Level 1
Level 1

Hello,

I have purchased CISCO ASA 5510 for Clientless VPN use. This device will be behind Watchguard appliance.

Please provide or point how to configure.

Thanks,

Krishna

6 Replies 6

Hi,

If the ASA sits behind another firewall in order to allow clientless SSL you need to open TCP 443 (SSL).

You might also want to open for example TCP 22 (SSH) to administer the ASA.

Federico.

Please provide basic configuration for ASA box as well. (since its connected only inside what configuration should be for inside and outside interfaces?)

Thanks

Unfortunately you have not provide more information as to give you more details on the configuration needed.

In general terms to allow the ASA to work behind another firewall (not sure why you're having this setup), you are required to open in the Watchguard:

TCP 443 for Clientless VPN

TCP 22 for SSH access

The Watchguard should redirect the above ports to the ASA's outside IP.

In this way, when the Watchguard receives the VPN or SSH traffic, it will redirect it to the ASA's outside IP (assuming the ASA has a private IP and is not reachable directly from the Internet).

Again... it depends heaviliy on your network setup and needs.

Federico.

Krishna,

If you would like to provide more information I am sure that either me or somebody else will be able to help you out with this.


Federico.

Federico,

Thank you for responding to my queries.

I have purchased this ASA 5510 basically for clientless VPN access to our network due to some of our remote users are at customer's location where they cannot install IPSec client or SSL VPN client. Watchguard unfortunately it doesn’t support clientless VPN. Hence the purchase of ASA box.

I need all configuration help right from dropping this baby in the network to having remote users connecting to our Network. I will open those ports you have mentioned in Watchguard. Yes, Watchguard will NAT public to private IP of ASA box.

So help me.

Thanks

Krishna,

Why double layer protection?

If I were you I'd replace the watchdog with the ASA.  Deploy the watchdog on another location.

If you need this double protection then you need to connect the LAN off the switch to the ASA so, your topology looks like this.

Internet--Router--Watchdog--Cisco3750--ASA--Router--switch--Inside hosts.

Regarding VPN configuration - pls. spin up a new thead under the VPN community.

Also, pls. provide specific problem and ask for assitance.  I want this unit configured and dropped in the network is a very wide problem desctiption.  We have no idea what help you need. interface config, nat, acl, routing, aaa, vpn or what?

Also, make sure to spin a new thread with a clear problem desciption and title for each new problem. Like for example you have trouble with the inside hosts reaching the internet you should provide topology and specify the clear probelm desctiption. I have such and such inside network and I need assitance with configuring translation etc.

You can watch my Webcast: http://www.youtube.com/watch?v=kRY8DuaRp5U

I go over initial config of the firewall to get inside clients out to the internet. simple easy steps.

-KS

Review Cisco Networking for a $25 gift card