simple ASA question re: firewall & VPN's

jkoven
Level 4

I'm going to be replacing my PIXes and Concentrator soon. Since they are separate boxes, they have separate public IPs. When I consolidate them down to an ASA 5520, should I use multiple interfaces for the public side, or can I get away with just using one? I need the VPN portion to terminate LAN-to-LAN tunnels as well as IPsec remote access. The firewall side is going to provide Internet access for my users as well as NAT some devices. Thanks.

5 Replies

suschoud
Cisco Employee

"when i consolidate them down to an ASA 5520, should i use multiple interfaces for the public side or can i get away with just using 1?"

Your requirements let you get away with this. Just set up one interface with the public range. You can simultaneously terminate LAN-to-LAN as well as remote access tunnels.

Do rate helpful posts.

Regards,

Sushil
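As an added worked example (not configuration posted by anyone in this thread), the following shows the shape of a single-outside-interface ASA 5520 configuration that covers everything the original question asks for: user Internet access via PAT, a static NAT for one published host, a LAN-to-LAN tunnel, and IPsec remote access, all terminated on the same public interface. Interface names, addresses (RFC 5737 and RFC 1918 ranges), access-list and map names, and the pre-shared keys are placeholders, and the NAT syntax is the pre-8.3 form (`nat 0 access-list`) that the 5520 ran when PIX and VPN 3000 replacements were happening. The `NO_NAT` list is the part that matters most when firewall and VPN share a box: without it, traffic bound for a tunnel is PATed to the outside address before encryption and the far end drops it.

```cisco
! Constructed example: one public interface carrying Internet NAT,
! a LAN-to-LAN tunnel and IPsec remote access on an ASA 5520 (pre-8.3 NAT).
! All addresses, names and keys are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

! Internet access for users: PAT the inside LAN to the outside interface address
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

! Static NAT for one published server (the "NAT some devices" requirement)
static (inside,outside) 203.0.113.3 10.1.1.10 netmask 255.255.255.255

! NAT exemption: traffic headed into either tunnel must NOT be translated.
! 10.2.2.0/24 is the branch LAN, 10.9.9.0/24 is the remote access pool.
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! IKE phase 1 and IPsec phase 2 parameters shared by both tunnel types
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! LAN-to-LAN: static crypto map entry for the branch peer at 198.51.100.2
access-list L2L_BRANCH extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key L2L-PSK-PLACEHOLDER

! Remote access: a dynamic crypto map entry catches clients with unknown source IPs.
! It sits at the highest sequence number so static L2L entries are matched first.
ip local pool RA_POOL 10.9.9.1-10.9.9.254 mask 255.255.255.0
crypto dynamic-map DYN_MAP 20 set transform-set AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
tunnel-group RA_USERS type remote-access
tunnel-group RA_USERS general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
tunnel-group RA_USERS ipsec-attributes
 pre-shared-key RA-GROUP-PSK-PLACEHOLDER

! One crypto map, bound once to the single outside interface, serves both entries
crypto map OUTSIDE_MAP interface outside

! Decrypted tunnel traffic bypasses the outside interface access-list (default on)
sysopt connection permit-vpn
```

To confirm both tunnel types are landing on the same interface, `show crypto isakmp sa` lists the branch peer and each remote access client, and `show crypto ipsec sa peer 198.51.100.2` shows the L2L proxy identities. If a host behind the ASA cannot reach the branch but Internet access works, check `show xlate` for that host: an entry for a tunnel destination means the `NO_NAT` list is not matching.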

I think you are making a mistake by combining firewall and VPN into a single device. By combining these two functions into a single device, you're increasing the complexity of the configuration, and it will take longer to troubleshoot issues and could take down your network altogether.

The current configuration you have, with the firewall functioning as firewall and the VPN concentrator functioning as the VPN terminating end-point, is the classic design for most corporate enterprise environments.

What is your reason for combining these two functions into a single device? Is the VPNc going end of life?

Thanks for your help.

Both the Concentrator and the PIXes are going end of life. The Concentrator has been failing recently.

I "assumed" that a scenario with dual ASAs in failover mode, along with using the IPS module (in order to get rid of my IDS 4215s), would be sufficient as a border security design.

Do you feel that the UTM idea is not a sound one?

I see his point about configuration complexities with using a single design and the potentially more difficult troubleshooting in case you run into a problem. I will say that I just completed the same consolidation you're working on (PIX FW + VPNc to a dual ASA active/passive failover), and I have so far had no problems with it. You get a MUCH higher VPN throughput with the ASA than the concentrator, and you can set up AnyConnect on the ASA if you choose. I also like the ASA interface (both the ASDM and CLI) MUCH better than the concentrator (I get really frustrated that there is no CLI in the VPNc).

I also had the same dilemma as you about going with a single outside interface or going with two, and I ended up going with a single interface. At this point I have several HW EasyVPN clients, L2L and AnyConnect VPN set up and it's working out great so far....really happy to be off that VPNc as you can probably tell. :)
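The dual-ASA active/standby pair mentioned in the question and in the reply above is worth seeing in config form, so here is an added example (not the poster's configuration) of the failover portion for a 5520 pair. It assumes GigabitEthernet0/3 on each unit is a dedicated back-to-back link used both as the failover control link and as the stateful link, and that every data interface gets an active and a standby address; the interface names, addresses and key are placeholders. With a stateful link configured, the ASA replicates ISAKMP and IPsec security associations to the standby unit, so the L2L and remote access tunnels from the single-interface design survive a switchover without renegotiating.

```cisco
! Constructed example: active/standby failover for a pair of ASA 5520s.
! Addresses and the failover key are placeholders.

! ---- Primary unit ----
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key FAILOVER-KEY-PLACEHOLDER
! Data interfaces: VPN peers and users only ever see the active address,
! which moves to whichever unit is currently active.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240 standby 203.0.113.4
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface GigabitEthernet0/3
 description Failover and stateful link, back-to-back to the secondary
 no shutdown
failover

! ---- Secondary unit ----
! Only the failover bootstrap is typed here; the full configuration,
! including all crypto maps and tunnel-groups, is replicated from the primary.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key FAILOVER-KEY-PLACEHOLDER
interface GigabitEthernet0/3
 no shutdown
failover
```

`show failover` on either unit should report `Active` for one and `Standby Ready` for the other, with the stateful failover statistics section showing non-zero counts once tunnels are up; `show failover state` is the quickest check after a deliberate `no failover active` test that the standby took over and the tunnels stayed established. The failover key keeps the configuration replication, which carries the pre-shared keys, from crossing the link in the clear.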

"Do you feel that the UTM idea is not a sound one?"

UTM only works if you have a simple site.

As far as the comparison between ASA and VPNc is concerned, I like the VPNc much better than the ASA in terms of VPN configuration, especially with complex NAT inside the VPN tunnels. It is a shame that Cisco has stopped making the VPNc.

"and I have so far had no problems with it"

Wait until you have to configure complex VPN with complex NAT. Then you will wish you had not consolidated FW and VPN into a single device.

My 2c.
