
Basic Question regarding the need for VPN..ASA 5505??

BornFree22
Level 1

Hi,

Sorry for the basic question, but I am wondering if this Cisco ASA 5505 box is overkill for what I need?

I have just become network admin to a small office that hosts two domains.

One ISP is split over these two DCs and in total there are only approx. 25 users.

They currently have a Comcast router, plugged into a "Linksys/Cisco" wireless router (like you would have at home), and that plugs into two switches: one 3Com unmanaged, and one Cisco unmanaged switch.

Every PC is set up as static (although I would like to use DHCP at some point in the future, but maybe not).

Some of the clients are requesting a connection to the office from remote locations for file access and whatnot. So would implementing a Cisco ASA 5505 be overkill? I am a bit nervous about going forward as I have never had to "set up" an ASA box and don't want to kill the network.

If I should NOT use this box, what should I use for a VPN connection? And yes, buying a Cisco switch and router is an option if need be. Thanks

6 Replies

Richard Burts
Hall of Fame

Born Free

Whether you need the ASA 5505 is an interesting question - but I am not sure that we have enough information about your situation and your requirements to give you really good answers.

Let me start from the explanation that the ASA5505 has 2 significant capabilities. One capability is to be a firewall. The other capability is to be a VPN concentrator. You can choose to use one capability, or the other capability, or to use both capabilities.

From what you tell us in the original post I am not sure that you need the firewall capability. But you need to decide whether this is the case or not. From what you tell us in the original post it is fairly clear that you do need the capability to act as a VPN concentrator.

So let me concentrate on the function as a VPN concentrator. I would start by saying that I believe that the ASA5505 is a good choice as a VPN concentrator. I believe that the ASA is a better choice as a concentrator for Remote Access VPN than would be a Cisco router or switch. But there are some challenges in setting up a concentrator for VPN. The first challenge is that the concentrator needs a public IP address (or it needs the device that provides Internet connectivity to have a static translation for the address of the concentrator). The reason for this is simple - for a user at some remote location to initiate a VPN connection then the address of the concentrator needs to be accessible from the remote location. It is the same issue that you would face if you wanted to host a web server in your network that would be visible from the Internet.

Given your description that the current environment has a Comcast router plugged into a Linksys/cisco router I am guessing that there is not an available public IP address. If you think that you can get this worked out then we can talk about how to set up the ASA5505 as only a VPN concentrator. Otherwise it may be that the ASA5505 is overkill for your current situation.

HTH

Rick


Richard, I can't thank you enough for helping me.

Although the setup is currently utilizing a Comcast router plugged directly into a Linksys wireless router, I do have a static public IP address, as this is how I currently "remote" into the servers to do some administration work when needed.

In the end I would like to get rid of the two unmanaged switches and also the Linksys wireless router and just use one Cisco switch with 48 ports to basically combine the two unmanaged switches into one managed switch.

Jumping on board someone else's network is not easy, or fun. So knowing that I do have a static public IP address, what would you recommend I do? Also, will the machines that I set up to connect to the VPN need to be machines that are "on my domain", or can I basically set up one of the owners' wife's desktop to just be able to VPN in and do some work? Hope that's not too confusing. And again, thank you.

/bump

Born Free

It is interesting that you have a static IP address. Is it a single IP address that you have or is there a block of addresses assigned to you?

With a static IP address it should be workable to put an ASA as the connection to the Comcast. Then you could use the ASA to provide Remote Access VPN.

It certainly should be possible to replace the 2 unmanaged switches with a single Cisco switch with enough ports to support your users.

It should not matter whether the machines that would be accessed from your Remote Access VPN are in your domain or not, as long as they have an IP address that is in the subnet accessed through the ASA.

HTH

Rick


Thanks Rick,

As far as I know it is ONE static IP address for the Comcast router.

When the remote user "connects", what is it they should have access to? The basic "shared" files and folders currently living on the server?

Thanks

I have received my CCENT (ICND1) cert. I'm studying for ICND2 now and hope this will be a solid enough foundation to implement something like this ASA box?

One static IP address would be enough to use the ASA as the connection to Comcast for the Internet and to support Remote Access VPN on the ASA.

There are options you can configure as part of Remote Access VPN that can restrict what a user has access to. But by default a user who establishes a Remote Access VPN session will have access to all the network resources in your network that they would have from a PC connected in that network.

Congratulations on CCENT and best wishes for the ICND2.

HTH

Rick
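
An added example, not part of Rick's reply or any configuration from this thread: an ASA configuration fragment showing one way to restrict what Remote Access VPN users can reach, here limiting them to file sharing on a single server instead of the default full access. All names (`RA-POOL`, `RA-FILTER`, `RA-USERS`, `RA-TUNNEL`) and all addresses are assumptions chosen for illustration; authentication and the crypto/WebVPN setup are omitted.

```cisco
! ASSUMED addressing (not from the thread):
!   inside LAN      192.168.1.0/24
!   file server     192.168.1.10
!   VPN client pool 10.10.10.0/24 (must not overlap the inside LAN)

! Addresses handed to remote users when they connect
ip local pool RA-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! Filter applied to decrypted VPN traffic.
! In a vpn-filter ACL the VPN client pool is always the source
! and the protected inside host is the destination.
access-list RA-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 445
! Log everything else the remote user tries to reach, then drop it
access-list RA-FILTER extended deny ip any any log

! Group policy that carries the restriction
group-policy RA-USERS internal
group-policy RA-USERS attributes
 ! Without this line, "sysopt connection permit-vpn" (on by default)
 ! lets VPN traffic bypass interface ACLs, so a connected user
 ! reaches everything a PC on the inside LAN could reach.
 vpn-filter value RA-FILTER
 ! One session per account, drop idle sessions after 30 minutes
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30

! Bind the pool and the policy to the remote-access connection profile
tunnel-group RA-TUNNEL type remote-access
tunnel-group RA-TUNNEL general-attributes
 address-pool RA-POOL
 default-group-policy RA-USERS
```

After a test user connects, `show vpn-sessiondb detail` and the hit counts in `show access-list RA-FILTER` confirm that the filter is attached to the session and show what the deny line is catching.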
