01-11-2009 03:24 AM
Hi! I have read many documents about network design on the SRND site, but I haven't read anything about ASA VPN design.
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/IPSec_Over.html - all VPNs terminate on routers
http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html - VPNs terminate on routers; the ASAs are just firewalls.
What is the right network design if I want to terminate VPN on an ASA?
01-11-2009 11:36 AM
Think of the VPN design described in your great links as a concept/guideline that can also be applied to ASA 5500 appliances
at the Internet edge perimeter of your infrastructure when using VPN technologies.
There are very common design examples for ASA appliances at this link:
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
L2TP over IPSec
Remote Access VPN
Easy VPN
SSL VPN/Web VPN
Site to Site VPN (L2L) with ASA
Site to Site VPN (L2L) with IOS
Site to Site VPN (L2L) with VPN3000
VPN with Non-Cisco Devices
Regards
01-11-2009 01:32 PM
We have our ASAs in a VPN load-balanced design, parallel to our firewall, terminating SSL VPN sessions with an RSA Authentication server providing user authentication via RADIUS.
All the VPN clients get their own IP address from a pool configured on the ASA, and then we use ACLs to permit access from the VPN net to the inside nets. We can granularly control access if we so desire.
Hope this helps.
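The design in the post above, written out as an ASA 8.x CLI fragment so the pieces can be seen together: RADIUS authentication against an RSA server, a client address pool, a per-group ACL that limits what the VPN subnet may reach on the inside, and VPN load balancing between two ASAs. This is an added example, not configuration from the poster or from Cisco; the names (RSA-RADIUS, SSLVPN-POOL, VPN-FILTER, SSLVPN-GP, SSLVPN-TG), all addresses (RFC 1918 / RFC 5737 ranges) and the shared secrets are made-up placeholders, and it assumes an AnyConnect client image is already loaded on the appliance.

```cisco
! --- Added example: not the poster's configuration. All names, addresses and
! --- secrets below are placeholders; replace them before use.

! RSA Authentication Manager reached over RADIUS (ports 1812/1813 assumed).
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 10.1.1.20
 key ChangeMeRadiusSecret
 authentication-port 1812
 accounting-port 1813

! Pool from which every SSL VPN client gets its own address (RFC 1918 placeholder).
ip local pool SSLVPN-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0

! Granular access from the VPN net to the inside nets. In a vpn-filter the
! source is always the VPN client side; the ASA derives the return direction.
access-list VPN-FILTER extended permit tcp 10.200.0.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 443
access-list VPN-FILTER extended permit tcp 10.200.0.0 255.255.255.0 host 10.10.20.5 eq 3389
access-list VPN-FILTER extended deny ip any any log

! Group policy: SSL VPN client (svc) and clientless (webvpn), pool and filter.
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value SSLVPN-POOL
 vpn-filter value VPN-FILTER
 vpn-idle-timeout 30

! Tunnel group: authenticate users against RSA via RADIUS, apply the policy.
tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
 authentication-server-group RSA-RADIUS
 default-group-policy SSLVPN-GP
tunnel-group SSLVPN-TG webvpn-attributes
 group-alias employees enable

! Enable SSL VPN on the outside interface (client image assumed already installed).
webvpn
 enable outside
 svc enable
 tunnel-group-list enable

! VPN load balancing: identical on each cluster member. All members must share
! the same outside and inside subnets; the cluster IP is a spare public address.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key ChangeMeClusterKey
 participate
```

Two caveats a practitioner would want. First, by default `sysopt connection permit-vpn` lets decrypted VPN traffic bypass the interface ACLs, so "using ACLs to permit access" means either a `vpn-filter` as above or `no sysopt connection permit-vpn` so the normal interface ACLs apply; pick one, otherwise the inside-interface ACL you wrote does nothing for VPN users. Second, the load-balancing cluster key travels in clear between members unless `cluster encryption` is also configured, which in turn requires ISAKMP enabled on the private interface. To check the result: `test aaa-server authentication RSA-RADIUS host 10.1.1.20 username jdoe password <tokencode>` for the RADIUS path, `show vpn load-balancing` for cluster membership, and `show vpn-sessiondb svc` to confirm that a connected client received a pool address and the VPN-FILTER.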