Cisco ASA Design Question

smk391
Level 1

Hi, 


I have a general question about the design best practices of implementing a Cisco ASA VPN. 


The half built current setup is : 

3rd party Internet Router -> Internet Edge Router -> ASA -> Internal Switch

What I am finding confusing is that the external IP address for remote-access VPNs is on the inside of the ASA, so


Private address peering with the Internet Edge Router -[ ASA ]- External IP address peering with the Internal switch


I wanted to reach out for some help with the design aspect, so the traffic is routed through the ASA and the VPN is terminated on the internal switch connected to the ASA. Does this sound correct?

Is the reason for doing this so we can do AD authentication?


Any design or best practice suggestions would be great.  

2 Replies

Mike.Cifelli
VIP Alumni
I wanted to reach out for some help with the design aspect, so the traffic is routed through the ASA and the VPN is terminated on the internal switch connected to the ASA. Does this sound correct?

Not if you are trying to set up an ASA VPN. You could use the ASA as the VPN concentrator and have the outside interface be the head-end. Your issue is that you are using private IP addressing, which means you will need to NAT somewhere in the path. Also, you will want to ensure that you have NAT-traversal implemented. See here for more details: https://community.cisco.com/t5/security-documents/how-does-nat-t-work-with-ipsec/ta-p/3119442
You also need to consider if you are going to use a client or clientless VPN solution.

Is the reason for doing this so we can do AD authentication?
You can accomplish this. You can also do CAC authentication, or utilize integration with an AAA server. IMO this all will be decided by your requirements.

HTH!
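As an added illustration of the design described in this reply (ASA as the concentrator, VPN terminated on the outside interface, AD authentication through an AAA server), here is a minimal ASA configuration skeleton; it is not from the original thread or from Cisco. It assumes the public address is moved onto the ASA outside interface, and the interface names, addresses, object names and the AnyConnect package path are placeholders to be replaced with the site's own values.

```text
! --- Outside interface is the VPN head-end (placeholder public address) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! --- Address pool handed to remote-access clients (constructed range) ---
ip local pool VPN_POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
!
! --- NAT-traversal keepalives; relevant if IPsec/IKEv1 clients sit behind NAT.
!     AnyConnect SSL/DTLS (TCP/UDP 443) does not depend on this setting.
crypto isakmp nat-traversal 20
!
! --- AnyConnect (client VPN) enabled on the outside interface ---
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-package>.pkg 1
 anyconnect enable
!
! --- AD authentication via LDAP to a domain controller on the inside (placeholders) ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
!
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool VPN_POOL
 authentication-server-group AD-LDAP
 default-group-policy ANYCONNECT_GP
tunnel-group ANYCONNECT_TG webvpn-attributes
 group-alias Corporate enable
!
! --- NAT exemption so inside-to-VPN-pool traffic is not translated ---
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
object network VPN_POOL_NET
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
```

If the public address must stay on the edge router instead, the router has to forward TCP/UDP 443 (and UDP 500/4500 for IPsec) to the ASA's private outside address, which is the NAT-in-the-path case the reply refers to.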

Hi, thanks for the information. The public IP is on the inside and peering with an internal switch which also has a public IP. I wanted to try to understand why.

We will be using client VPN, so AnyConnect preinstalled on laptops.

No NAT configuration.

Thanks