Unsure 'where' to place ASA 5505 in my existing network

cclarkacs (Level 1)

I have a fairly stable network set up at my HQ and duplicated in design at my major branch office. Basically, I have a 2811 router acting as firewall, router and IPSEC vpn endpoint for software and hardware clients. I have about a dozen traveling employees and 3 teleworker or small remote offices utilizing the IPSEC VPN functions.

I have never been able to get SSLVPN working properly on the 2811 and I'm unwilling to mess with the configuration significantly so as to make it work. I have an ASA 5505 that I would like to use for VPN functions, particularly to serve 64-bit Windows 7 clients for whom there is no IPSEC client.

My question is, where do I place the ASA in the network and how do I configure the addressing?

Option 1) Place the ASA and 2811 at the same level, plugged into a switch that is plugged into the ISP. I have spare IP addresses from the ISP but I am reluctant to place another switch between the ISP ethernet handoff and my 2811 & ASA. Inside interfaces would both be on the same LAN subnet. Not sure if the ASA does automatic route sharing, otherwise I'll configure static routes.

Option 2) Place the ASA behind the 2811 and NAT/port forward VPN requests to it. This is minimally invasive to my existing setup, however the subnetting and IP addressing will get messy because for the ASA the inside interface, outside interface and resources people need to reach are all on the same subnet.

Option 3) ???

I need some guidance here. Thanks!

Accepted Solution

manish arora (Level 6)

You can use the following client, vpnclient-winx64-msi-5.0.07.0290-k9.exe, for 64-bit Windows 7 and Vista. Regarding your questions:

Option 1) Place the ASA and 2811 at the same level, plugged into a switch that is plugged in the ISP. I have spare IP addresses from the ISP but I am reluctant to place another switch between the ISP ethernet handoff and my 2811 & ASA. Inside interfaces would both be on the same LAN subnet. Not sure if the ASA does automatic route sharing, otherwise I'll configure static routes.

--> This is an option but will have its own demons with asymmetric routing etc. A good design is always the one that is not complex. I would say it's better to get another subnet from the ISP and have them route it to the outside router IP, then connect the firewall and router with that subnet, and do everything on the ASA, from VPN and NAT to, of course, firewalling.

Option 2) Place the ASA behind the 2811 and NAT/port forward VPN requests to it. This is minimally invasive to my existing setup, however the subnetting and IP addressing will get messy because for the ASA the inside interface, outside interface and resources people need to reach are all on the same subnet.

--> This will have issues when you NAT the VPN packets (I have seen its issues first hand with site-to-site VPN packets, as the hash for the packets changes when they are NATed and fails the ISAKMP phase).

Option 3) ?? --> Since it's an Ethernet handoff from the ISP, I would rather replace both the router and the ASA 5505 with a better version of ASA, like a 5510 or 5520. Also, if I could get HSRP links from the ISP, I would configure the ASA as an active/active or active/standby pair.

For downloading the 64-bit version of the client, you will need a Smartnet contract I think; if you don't have a contract then use open source like the Shrewsoft VPN client. I like Shrewsoft but in an enterprise, the security policies might want you to use the Cisco client only.

Manish

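The accepted answer's recommended layout (a second, routed subnet from the ISP that sits between the 2811 and the ASA's outside interface, with the ASA's inside interface on the existing LAN) can be sketched as follows. This is an added configuration example written for this thread, not configuration from the original poster, from manish arora, or from Cisco; every address, interface name, VLAN number and pool range is an assumption (RFC 5737 documentation ranges are used for the public addresses), and it shows only the placement and routing, not the SSL VPN tunnel-group or NAT-exemption details, which differ between ASA software versions.

```cisco
! ===== 2811 (IOS) =====
! Assumed layout (constructed for this example, not from the thread):
!   FastEthernet0/0    198.51.100.2/30   ISP handoff; ISP routes 203.0.113.8/29 to this address
!   FastEthernet0/1    192.168.1.1/24    existing LAN, default gateway for LAN hosts
!   FastEthernet0/1.10 203.0.113.9/29    transit VLAN 10 to the ASA outside interface
!   ASA inside         192.168.1.2       on the same LAN as the 2811
!   SSL VPN pool       10.10.200.0/24    handed to remote clients by the ASA
!
interface FastEthernet0/1
 description Existing LAN (keeps its current ip nat inside / ACLs)
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1.10
 description Transit VLAN 10 to ASA 5505 outside
 encapsulation dot1Q 10
 ip address 203.0.113.9 255.255.255.248
 ! Deliberately NO "ip nat inside" here: the ASA's public address is routed,
 ! not translated, which is what avoids the NATed-VPN problem the answer describes.
!
! Existing default route towards the ISP
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Return path for VPN clients. Without this, a LAN host's reply to 10.10.200.x
! reaches its gateway (the 2811) and follows the default route out to the ISP
! instead of back to the ASA: the asymmetric-routing "demon" from the answer.
ip route 10.10.200.0 255.255.255.0 192.168.1.2
!
! If the 2811 already filters inbound on FastEthernet0/0, the VPN protocols
! must be permitted towards the ASA's outside address (merge into that ACL):
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.10 eq 443

! ===== ASA 5505 =====
! Ethernet0/0 carries VLAN 2 (outside) and must be patched to a switch port
! that is an access port in VLAN 10 towards the 2811's FastEthernet0/1.10.
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
! Encrypted client traffic leaves via the transit subnet, not via the LAN gateway
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
! Assumed branch/MPLS networks behind the 2811 stay reachable through the LAN gateway
route inside 172.16.0.0 255.240.0.0 192.168.1.1 1
!
! Address pool for SSL VPN clients; the pool must be the same prefix the 2811 routes to 192.168.1.2
ip local pool SSLVPN-POOL 10.10.200.10-10.10.200.200 mask 255.255.255.0
!
webvpn
 enable outside
```

Two checks are worth doing once this is in place: from a LAN host, `traceroute` to a connected VPN client's pool address should show the 2811 handing the packet to 192.168.1.2 on the next hop (the 2811 will also send ICMP redirects for this, which is harmless but visible), and on the ASA `show route` should list the 10.10.200.x client addresses as host routes on the outside interface. If either check fails, the static route on the 2811 is the first thing to verify, because that is the piece this two-box design depends on and that a single-box design would not need.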

2 Replies


Thanks for the tips! There's actually an x64 vpnclient now? One wouldn't know that by browsing the website! As usual, Cisco's documentation and product pages are lagging, and lacking. It would also seem that the x64 version is a few version increments behind, which makes me question how much longer it will be maintained.

I do have smartnet so I'll be testing that client out.

I agree with your suggestion to eventually replace the two devices with a more robust single device. In fact that's what the 2811 accomplished several years ago. But as time goes on its config got messy and unmanageable (unsupported) from the GUI tools, and adding one feature usually broke another. Other than that it's reliable and trustworthy. I am also making use of an additional Ethernet HWIC for the MPLS handoff; I'm not sure how things like that are handled on the more sophisticated ASA models...
