VPN Design Solution

Joe Lee
Level 1

Hello,

We are planning to design a VPN solution, but we're unsure what would be the best approach for where to install the VPN router based on security/performance. Our goal is to have the router handle about 100 site-to-site VPN tunnels, and the firewall handle non-VPN traffic. I have attached three scenarios. One is to connect the router to the outside interface on the firewall and the other interface of the router is connected to the inside interface of the firewall. The second scenario is to connect the router to the DMZ interface on the firewall and the other interface of the router is connected to the inside interface of the firewall. The third scenario is to connect the interface of the router to the DMZ on the firewall. Can someone tell us which method is better? Or are there any options I am not seeing? More details are better.

Regards,

Joe


Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Any of those noted will work.  Generally, deciding which to use depends on how paranoid you are about security.

Personally, I prefer your first option as it doesn't add to the load of the firewall, nor add firewall latency to the VPN traffic, nor involve the possible modification to firewall rules as remote spokes change or you decide to use a different VPN protocol.

Hi,

If we install the outside and inside interfaces of the VPN router on the outside and DMZ interfaces of the firewall accordingly, can the multicast traffic bypass the DMZ interface on the ASA to the inside of the network?

Thanks,

Joe

As Joseph mentioned, all of them will work. If you are concerned about firewall load and utilization you can go with the first one.

If you are more concerned about security then the third one is more secure, by using one interface of the router in the DMZ, which is called VPN on a stick. This way you will be able to inspect and filter the encrypted and the decrypted VPN traffic.

Also, the other option you mentioned is good from a security point of view, where you put one interface on the outside of the firewall where the VPN tunnels terminate, and put the inside router interface in the DMZ where the decrypted VPN traffic will flow, going through the firewall DMZ interface and then to the inside.

For multicasting, if you have a router inside you can run a GRE tunnel for multicast traffic from the DMZ router interface to the inside router interface.

Or you can look at which ASA version supports PIM for multicast.

Hope this helps.

Joe

The suggestion to connect the outside of the router to the same subnet as the outside ASA and the inside interface of the router to the ASA DMZ isn't in your original designs, although it is generally the one I would recommend. Having the outside interface of the router in parallel with the ASA removes any NAT issues from having to go through the ASA first.

Having the inside interface of the router on a DMZ then allows you to filter the traffic after it has been decrypted.

With this setup it is important to lock down the outside router interface to only allow IPSEC connections.

The problem you have is whether the firewall supports passing multicast traffic. If it's an ASA in routed mode then it doesn't (** see below), so the solutions are:

1) run the ASA in transparent mode, but I suspect this would mess up the whole topology

or

2) create a GRE tunnel from the inside router interface through the ASA to an L3 device on the inside. Unfortunately, if your device is an L3 switch, i.e. no router, then there is a strong possibility it will not support GRE tunnels (from memory I think 6500s do, but not sure). Even if you could use a GRE tunnel this is not necessarily a good choice, because anything inside the GRE tunnel cannot be statefully checked by the firewall.

Really not keen on the first option, because if the router is compromised then you have basically bypassed the firewall. Also, if any of the remote sites are compromised then they have a direct path to your internal LAN.

The second option allows you to protect the outside interface of the router so you can control who can connect via IPSEC, and if there is a bug in the IOS on the router there is some protection. You could then filter the traffic with an outbound ACL on the inside interface of the router, but this is not stateful (unless you were prepared to run stateful firewalling on the router). A lot depends on how much you trust the traffic being sent down the IPSEC tunnels.

The third option is probably the most secure because you can apply stateful firewalling to the decrypted traffic. Again whether or not you need to do this really depends on just how comfortable you are with the trustworthiness of the IPSEC traffic.

A final option would be if you had another interface on the ASA that you could use for another DMZ for the inside interface of the router, but you may not, and it may be wasting an interface you need further on.

So to summarise, if you didn't need to pass any multicast traffic I would go with router outside parallel to ASA outside (same subnet) and router inside on a DMZ. If you do need to pass multicast then perhaps the 3rd option, or if you really do trust the IPSEC connections, the 2nd option.

** Edit - as noted by Marwan, the ASA will support multicast routing, but this may not be what you need. But even if it did, IPSEC tunnels will not pass the multicast traffic anyway. For that you need to run IPSEC within GRE, so you would need your tunnels to the router to be using GRE, something like DMVPN.

** Edit 2 - sorry Joe. You could actually run PIM on the ASA and have the inside interface of the router on a DMZ and the outside parallel to the ASA firewall. This may be the best solution, but it would need testing as I have never done this before.

Jon
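The design Jon recommends (router outside in parallel with the ASA outside, router inside on an ASA DMZ, the outside interface locked down to IPsec only, and GRE inside IPsec so that multicast can cross the tunnels, with PIM on the ASA as in his second edit) sketched as a hub-router IOS configuration. This is an added illustration, not configuration posted by anyone in the thread or taken from a Cisco document; the interface names, the RFC 5737 documentation addresses, the ACL, transform-set and profile names, the spoke address, the pre-shared key placeholder and the rendezvous-point address are all assumptions. Only one spoke tunnel is shown; the other 99 would be further Tunnel interfaces or a DMVPN cloud.

```ios
! --- Outside interface: same subnet as the ASA outside, reachable by the spokes ---
! The inbound ACL admits only what an IPsec peer needs to reach the hub's own
! address: IKE (UDP/500), NAT-T (UDP/4500), ESP and AH. Everything else is dropped
! and logged, so the router is never usable as a plain forwarder around the ASA.
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 permit ahp any host 203.0.113.10
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside - parallel to ASA outside (assumed 203.0.113.0/24)
 ip address 203.0.113.10 255.255.255.0
 ip access-group OUTSIDE-IN in
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
! --- Inside interface: lands on the ASA DMZ, so decrypted, decapsulated traffic ---
! --- is statefully inspected by the ASA before it reaches the inside network ---
interface GigabitEthernet0/1
 description Inside - ASA DMZ (assumed 192.0.2.0/24, ASA DMZ at .1)
 ip address 192.0.2.2 255.255.255.0
 ip pim sparse-mode
!
! --- IKE/IPsec policy for the spokes (PSK shown for brevity; certificates scale ---
! --- better at 100 sites). Key value is a placeholder, not a real secret. ---
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key SPOKE-PSK-PLACEHOLDER address 198.51.100.20
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-AES
!
! --- GRE to one spoke, protected by IPsec. GRE carries the multicast that a plain ---
! --- IPsec tunnel cannot; it terminates here, on the router, so nothing GRE-wrapped ---
! --- is pushed through the ASA unseen. ---
interface Tunnel100
 description Spoke 1 - GRE over IPsec (spoke address assumed)
 ip address 10.255.100.1 255.255.255.252
 ip pim sparse-mode
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.20
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-GRE
!
! --- Multicast: RP assumed on the inside L3 device. The ASA must also run PIM on ---
! --- its DMZ and inside interfaces (multicast-routing) for joins to pass. ---
ip multicast-routing
ip pim rp-address 10.0.0.1
!
! --- Routing: default towards the Internet, internal prefixes via the ASA DMZ ---
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.0.0.0 255.0.0.0 192.0.2.1
```

Two points follow from the layout. Because GRE and IPsec both terminate on the router, what enters the DMZ on GigabitEthernet0/1 is already plain IP, so Jon's caveat about the ASA being unable to inspect inside a GRE tunnel does not apply to the spoke traffic; the multicast then depends on PIM being enabled on the ASA rather than on a second GRE tunnel through it. And the OUTSIDE-IN ACL is what makes the "router outside parallel to the ASA" placement acceptable: a peer that is not an IPsec endpoint gets nothing from the router but a logged deny.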

Thank you Jon and Marwan!

I am looking for the hardware for the VPN router. Currently we have about 100 site-to-site VPNs with lots of ACLs. I am thinking of an ASR 1004, but I am not sure if the 7600 series is a better fit. Any idea?