Most secure VPN setup

jasonrothwell
Level 1

I have an ASA 5505 that I would like to use only as a VPN access device into my network. I am looking for the most secure setup.

Currently I have a router with 4 networks/subnets: DMZ, public, protected, perimeter. DMZ is public DNS and web, no access to any other subnets, only 80 and 53 from public. Perimeter is an edge email server, only port 25 allowed to the email server on the protected subnet. Protected is all internal servers and workstations, no access from any other subnet and limited access out to public.

Where would I place the VPN device?

3 Replies

Hi Jason,

How much traffic flows across the Router during normal operations?

The ASA 5505 is designed for small-business solutions, so I would not consider it an ideal platform for a high rate traffic link.

Where do you plan to connect the ASA? To the public interface of the Router?

Let me know,

Thanks.

Thanks for your reply.

There is not much traffic flowing across the router and the VPN will only be used by a few users.

I am not sure where I would connect the ASA to the router. I am looking to set this up in a way that maintains network security. I have a modem with several public IPs (a few available) that connects to the router. The router has an interface for each network/subnet that connects to a switch where each network/subnet is in its own VLAN. The firewall in the router controls access between each network.

The more interesting question is why you want to use a router for your security-policy enforcement while the ASA, which is a dedicated firewall, is only used for VPNs. It would be more logical to place the firewalling and VPN on the ASA and use the router only for connectivity to the WAN.

Of course you can integrate your ASA as a VPN device into your environment, where different designs are available.

Three typical designs are the following:

1) The VPN device has one interface on the public network and one interface in a DMZ. With that design the VPN device is unprotected on the internet, and the user traffic can be filtered on the firewalling device when traffic flows from the DMZ to the internal networks.

2) The VPN device is connected into two different DMZs: the public DMZ only allows the VPN traffic to your VPN device (that could be IPsec or SSL/TLS), and the private DMZ controls which user traffic is allowed into your network. That's the approach I preferred some time ago with the c3000 concentrator, where a firewall protects the concentrator against attacks. In your setup this is not needed, as the ASA is probably better protected by itself than all your router can achieve.

3) The third design is a VPN device that is connected with only one interface to a DMZ. There the firewall controls which traffic is allowed to reach the VPN device, and the user traffic leaves the VPN device on the same interface and is controlled on the firewall for inside connections.

If you want to keep your existing design with the DMZs on the router and using the ASA only for VPN, I would tend to option 1) or 3).

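As an added example (not from this thread or its authors), here is what the router side of design 3 could look like in Cisco IOS ACL syntax, with the ASA single-armed in its own VPN DMZ VLAN: the router admits only VPN protocols to the ASA from the public side, and separately decides what the decrypted client traffic may reach on the protected subnet. All addresses, the VLAN number, the interface names and the permitted internal services are assumptions; how the ASA gets its public reachability (a routed public IP or a static NAT on the router) is not shown.

```cisco
! Added example, not from the thread. Assumed addressing:
!   VPN DMZ VLAN 50       192.0.2.0/24  (ASA at 192.0.2.10, router at 192.0.2.1)
!   Protected subnet      10.0.3.0/24
!   Remote-user VPN pool  10.0.9.0/24  (assigned by the ASA to connected clients)

! 1) Public side: only VPN protocols may reach the ASA, nothing else.
ip access-list extended PUBLIC-IN
 remark IPsec remote access: IKE, NAT-Traversal, ESP
 permit udp any host 192.0.2.10 eq isakmp
 permit udp any host 192.0.2.10 eq non500-isakmp
 permit esp any host 192.0.2.10
 remark SSL/TLS remote access (TCP 443, plus UDP 443 for DTLS)
 permit tcp any host 192.0.2.10 eq 443
 permit udp any host 192.0.2.10 eq 443
 remark the existing rules for the web/DNS DMZ (80, 53) and the
 remark perimeter mail server (25) keep their place here
 deny   ip any any log

! 2) VPN DMZ side: decrypted user traffic comes back out of the ASA on
!    the same interface, so this ACL is the "inside" policy for VPN users.
!    Only the client pool is a valid source; the example services are
!    placeholders for whatever the protected subnet actually offers.
ip access-list extended VPN-DMZ-IN
 permit tcp 10.0.9.0 0.0.0.255 10.0.3.0 0.0.0.255 eq 3389
 permit tcp 10.0.9.0 0.0.0.255 10.0.3.0 0.0.0.255 eq 445
 permit udp 10.0.9.0 0.0.0.255 10.0.3.0 0.0.0.255 eq domain
 remark anything from the ASA's own address (mgmt, NTP, AAA) would be listed here
 deny   ip any any log

! The router must know that the client pool lives behind the ASA,
! otherwise replies from the protected subnet never reach the users.
ip route 10.0.9.0 255.255.255.0 192.0.2.10

interface GigabitEthernet0/0
 description Public / WAN
 ip access-group PUBLIC-IN in
!
interface GigabitEthernet0/1.50
 description VPN DMZ (single-armed ASA)
 encapsulation dot1Q 50
 ip address 192.0.2.1 255.255.255.0
 ip access-group VPN-DMZ-IN in
```

These ACLs are stateless, so return traffic from the protected subnet toward the client pool still relies on the stateful inspection (ZBF or CBAC) the router's firewall already applies between its subnets; the `log` keyword on the final denies gives you a simple record of VPN users or the ASA itself trying to reach something the policy does not allow.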