ASA 5510 VPN terminate on inside interface (qos/subinterface issue)

ddavenport-dcc
Level 1

Hi All

I'm after a bit of a sanity check here.

I have a situation where I need to implement a VPN between a third party site (A) and one of our
sites (B). On our site (B) will be a number of users from the third party organisation with data
and VoIP requirements as well as a number of our own users.

We will subnet all 3rd party off and implement a firewall between our users and 3rd party users on site B.

All third party traffic (voice and data) will be transmitted via VPN between sites A and B

My plan was to implement subinterfaces on a physical interface (one as sec=0, one as sec=100).

The plan was then to terminate the third party VPN on the low sec subinterface.

Now the dilemma:


I also have to account for VoIP traffic between our site (A) and our HQ.

In order to achieve LLQ I want to set priority queues on the firewall so that this doesn't become
a bottleneck.

If I implement subinterfaces I can configure a priority queue.

My plan now is to leave the firewall interface as a single physical interface so that I can implement
priority queuing on this interface. Problem is this is an inside interface (sec=100) and I'm a
little uncomfortable terminating the VPN on an inside interface.

What I propose to do therefore is implement a VPN filter policy and apply this to the tunnel
group for the third party. That way I can allow access for the third party only to their subnets.

Does this sound like a reasonable way forward?

Any advice gratefully received.

5 Replies

Panos Kampanakis
Cisco Employee

From what you are saying you want to rate limit traffic from your inside to your 3rd party. You can do that by applying the policy on the tunnel group like you said. So filter traffic based on ip addresses and then police/LLQ it on the interface.

I think it makes sense.

PK

Thanks PK,

I guess the other question I'm asking is - any issues terminating VPN on an 'inside' interface? Not something I've done before. I would normally terminate these on a low level security (outside) interface.

Assuming(!) my VPN policy is correct and I'm only allowing traffic from the third party (that traverses the tunnel) access to their specific subnets on site B (the shared site) then I should have no security issues. Am I correct in this assumption? Just makes me a little uncomfortable.

Thanks

PS - I need to add that all this is occurring on a private network with links between parties traversing our internal network (no traffic crossing public networks at any point)

You can terminate it on any interface. It doesn't really matter.

The filter indeed will enforce access only to resources you want to allow, so you are secure there also.

If of course you want more granularity on who accesses what (per user basis) then you might need other features (per user downloadable ACL).

I hope it helps.

PK
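A constructed ASA configuration showing the approach agreed in this thread: a vpn-filter on the third party's tunnel group restricting them to their own subnet at site B, and a priority queue for voice on the single physical inside interface the tunnel terminates on. This is an added example, not configuration from the original post; every name, address and interface is a placeholder assumption.

```cisco
! --- Assumed addressing (placeholders) ---
! Third party site A networks:           10.99.0.0/16   (remote side of tunnel)
! Third party subnet at our site B:      10.20.30.0/24  (the only local destination allowed)
! Third party VPN peer address:          192.0.2.1
! Tunnel terminates on "inside" (sec=100); decrypted VPN traffic bypasses the
! interface ACL while "sysopt connection permit-vpn" is on (the ASA default),
! so the vpn-filter below is what actually enforces the restriction.

! vpn-filter ACLs are written remote-to-local: source = remote peer networks,
! destination = local networks. The ASA mirrors the rule for return traffic,
! so a single line covers both directions of each permitted flow.
access-list THIRDPARTY_VPN_FILTER extended permit ip 10.99.0.0 255.255.0.0 10.20.30.0 255.255.255.0
! Implicit deny: third party traffic to any other site B subnet is dropped.

group-policy THIRDPARTY_GP internal
group-policy THIRDPARTY_GP attributes
 vpn-filter value THIRDPARTY_VPN_FILTER

tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 general-attributes
 default-group-policy THIRDPARTY_GP
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <PLACEHOLDER_PSK>

! --- LLQ for voice on the single physical interface ---
! priority-queue is per interface name; keeping "inside" as one physical
! interface (no subinterfaces) is what makes this possible.
priority-queue inside
 queue-limit 2048
 tx-ring-limit 256

class-map VOICE_RTP
 match dscp ef

policy-map INSIDE_QOS
 class VOICE_RTP
  priority

service-policy INSIDE_QOS interface inside
```

After the tunnel is up, `show access-list THIRDPARTY_VPN_FILTER` hit counts confirm the filter is being evaluated, and `show priority-queue statistics inside` confirms voice is landing in the priority queue rather than best effort.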

Thanks PK.

Good advice and I feel a lot more comfortable now.

Thanks for your help!

Dave

I am glad we could help.

Take care,

PK
