05-27-2013 10:32 AM
I have an ASA 5505 that I would like to use only as a VPN access device into my network. I am looking for the most secure setup.
Currently I have a router with 4 networks/subnets: DMZ, public, protected, perimeter. DMZ is public DNS and web, no access to any other subnets, only 80 and 53 from public. Perimeter is an edge email server, only port 25 allowed to the email server on the protected subnet. Protected is all internal servers and workstatoins, no access from any other subnet and limited access out to public.
Where would I place the VPN device?
05-27-2013 04:42 PM
Hi Jason,
How much traffic flows across the Router during normal operations?
The ASA 5505 is designed for small-business solutions, so I would not consider it an ideal platform for a high rate traffic link.
Where do you plan to connect the ASA? To the public interface of the Router?
Let me know,
Thanks.
05-27-2013 06:01 PM
Thanks for your reply.
There is not much traffic flowing across the router and the VPN will only be used by a few users.
I am not sure where I would connect the ASA to the router. I am looking to set this up in a way that maintains network security. I have a modem with several public IPs (a few available) that connects to the router. The router has an interface for each network/subnet that connects to a switch where each network/subnet is in it's own VLAN. The firewall in the router controlls access between each network.
05-28-2013 09:28 AM
The more intesting question is why you wan't to use a router for your security-policy-enforcement while the ASA which is a dedicated firewall is only used for VPNs? More logically would be to place the firewalling and VPN on the ASA and use the router only for connectivity to the WAN.
Of course you can integrate your ASA as VPN-device into your environment where different designs are available.
Three typical designs are the following:
1) The VPN device has one interface on the public network and one interface in a DMZ. With that design the VPN-device is unprotected on the internet and the user-traffic can be filtered on the firewalling-device when traffic flows from the DMZ to the internal networks.
2) The VPN device is connected into two different DMZ: The public DMZ only allows the VPN-traffic to your VPN-device (that could be IPSec or SSL/TLS) and the private DMZ controls which user-traffic is allowed into your network. That's the approach I preferred some time ago with the c3000 concentrator where a firewall protects the concentrator against attacks. In your setup this is not needed as the ASA is probaly better protected by itself than alll your router can achieve.
3) The third design is a VPN-device that is connected with onl one interface to a DMZ. There the firewall controls which traffic is allowed to reach the VPN-device and the user-traffic leaves the VPN-device on the same interface and is controled on the firewall for inside connections.
If you want to keep your existing design with the DMZs on the router and using the ASA only for VPN, I would tend to option 1) or 3).
Sent from Cisco Technical Support iPad App
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide