Cisco ASA - Inside Interface

Ricardo Newman
Level 1

There seems to be a lot of talk about setting up the Cisco ASA with inside & outside interfaces. What if the outside network of your infrastructure is already being managed by another firewall/router? Then there is no need for an outside interface.

I would like to config the ASA with just an internal interface connecting to my internal network. External traffic coming into my ASA for SSL VPN/IPsec Remote Access will be routed via the existing network in place. The only other interface that will be used is for HA stateful failover.

Is there any issue with this concept? I am replacing a Juniper SA 4500 with an ASA 5540, which only uses 1 interface (internal).

Your responses would be much appreciated.


Hello Ricardo,

This is not an easy one, since we do not have / handle all the details about your network infrastructure.

Nevertheless, let me share my thoughts:

The ASA is supposed to be an in-band device, where it has an inside and an outside interface. The reason behind this is to protect your assets, since by default, any connection originating from the outside to the inside is not allowed, only from inside to outside. So, what you can do is to connect the "outside" interface of the ASA to the Firewall/Router you mentioned above and the "inside" interface to the local network.

So VPN connections will land on the outside interface and the protected networks will be connected to the inside, only reachable through a VPN connection. Let's keep in mind that traffic from outside to inside from an established VPN connection is allowed by default ("sysopt connection permit-vpn").

HTH.

- Javier

Javier,

Thanks for your prompt response.

You're right, and this was my initial plan, but I also wanted to keep the existing setup as the Juniper SA with just one interface (inside or outside) which is connecting to a switch which connects to a Firewall. A second interface (inside or outside) would be useless (possibly) because as traffic comes in from the outside it goes through the firewall-DMZ > routes to Juniper SA via switch L3 VLAN, routes back out the same interface to the Firewall-DMZ to the internal network. (Hope that makes sense; I am unable to provide any config as this is a classified network.)

The question I really wanted answering is whether this setup would be possible (even though it's not the recommended design) and if there would be any configuration issues.

Thanks in advance.

Ricardo,

It should work, just make sure to add the rules to allow communication between the networks connected to the same interface of the ASA.

The concept of an inside and outside interface is a common design, but in the end, it really depends on your network infrastructure.

HTH.

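What the last reply describes, as an added example that is not from the thread or from Cisco: a minimal single-armed ASA configuration in 8.4-style syntax where remote-access VPN traffic enters and leaves the same interface. The interface name, addresses, pool range and object names are assumed placeholders.

```cisco
! Added example, not the poster's configuration. All addresses are constructed.
! Assumes: one data interface GigabitEthernet0/0 named "inside", internal
! network 10.0.0.0/8 behind upstream router 10.10.10.1, client pool 10.20.0.0/24.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
! Default route toward the existing firewall/router that fronts the ASA
route inside 0.0.0.0 0.0.0.0 10.10.10.1 1
!
! Decrypted VPN traffic arrives on "inside" and is forwarded back out "inside"
! (hairpin). Without this line the ASA drops traffic that enters and exits
! the same interface, which is the "rules" point raised in the thread.
same-security-traffic permit intra-interface
!
! Traffic from an established VPN tunnel bypasses the interface ACL
! (this is the ASA default; shown explicitly for clarity)
sysopt connection permit-vpn
!
! Address pool handed to remote-access clients
ip local pool RA_POOL 10.20.0.1-10.20.0.254 mask 255.255.255.0
!
! If NAT is configured on "inside", exempt internal <-> VPN client traffic
object network INTERNAL
 subnet 10.0.0.0 255.0.0.0
object network RA_CLIENTS
 subnet 10.20.0.0 255.255.255.0
nat (inside,inside) source static INTERNAL INTERNAL destination static RA_CLIENTS RA_CLIENTS
!
! Terminate SSL VPN on the single interface
webvpn
 enable inside
 anyconnect enable
```

The failover link from the original question is configured separately and does not carry user traffic, so it needs none of the above.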