
When should you create a dedicated VPN ASA instead of combined Firewall/VPN ASA?

steveransome
Level 1

Hi,

Just a quick query really. I've installed a fair few ASAs over the years, but mainly for small to medium businesses as both a firewall and VPN concentrator, which in general I would have assumed to be the norm.

I'm currently reading through the CCNP Security VPN cert guide and it states that "the most popular design is to place the VPN appliance into its own DMZ, allowing for greater scale and ease of management", which is fair enough.

I was assuming this to just be a logical demarcation on the same physical appliance, but it then goes on to say "if you are designing the topology for a small to medium business network, you have the possibility of collapsing the two roles into the same physical device", which would lead me to think that the recommendation would be to purchase two ASAs, one as a dedicated VPN concentrator and another as a firewall.

My question is twofold, perhaps separating real world from academic. Has anyone implemented, or does anyone implement, this solution with ASAs, especially if one device will technically cover all of the requirements?

If this solution is applied to the real world, at what point would you make the decision/recommendation to move to separate devices and not just increase the horsepower of the single (pair of) ASA?

Thanks,

SR

4 Replies

Hi SR,

For a small to medium network, one ASA can handle both roles (ASA 5520, 5510 even a 5505). The ASA is considered an all-in-one FW, so FW, IPS and VPN are supported features.

It is usual to see big networks with dedicated FW appliances (5580, 5540, 5500-X), but the reason for this is to have a more granular and scalable infrastructure. Also, these ASAs may have hundreds of tunnels, huge NAT tables and tons of FW rules, and having all of these running on one device is not a good idea.

Good information:

Firewall Design and Deployment

Case Studies

HTH.

Portu.

Please rate any helpful posts

The SMB market I know is not willing to spend extra money to separate the roles of firewalling and VPN, and so they are most of the time combined. The typical reason for separating them is a technical one: some customers want to use the virtual firewalls (security contexts) to have better manageability of different departments. And here no VPN is supported, so it has to be implemented as a separate unit.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I agree with Karsten.

And in addition, the latest ASA 9.0 release now supports VPN in multiple context mode.

New Features in Version 9.0

Look for: Multiple Context Mode Features

Thanks.

Portu.

I've just seen that. But only site-to-site is supported, and these are normally running on IOS routers (at least for my customers). So for RA we still have to use different boxes. But ASA v9 has nice features introduced. Good to see that IPv6 got much attention in the new version.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
