
need a VPN design

cisco.bml
Level 1

I need to design a site-to-site VPN and a VPN for remote users. I have attached a drawing and need to know if this is a good setup. My main concern is security.

I'm using an ASA5520 as the edge firewall, and the Linux firewalls are for additional security. I have to create 5 site-to-site VPNs using IPsec and 5 remote VPN clients. The site-to-site VPNs are for trusted offices, and the remote VPN clients are only for our staff's use.

From the diagram, the ASA5520 is configured as follows:

The outside interface is set to security level 0 and connected to the border router to the internet.

The inside interface is set to security level 100 and connected to a Linux firewall, which then goes to our internal LAN.

The DMZ interface is set to security level 50 and connected to the DMZ segment.

I decided to use the 4th interface for all VPNs, which is set to security level 100, and on this 4th interface I have created two subinterfaces: VLAN 400 (for site-to-site VPN) and VLAN 500 (for remote access VPN). I did this because I have to use two separate Linux firewall boxes.

The Linux firewall box for the site-to-site VPN is configured with NAT, but the Linux firewall box for remote access VPN users is configured without NAT.


I also want to know: do I need to create a CA server, or can I use a pre-shared key with XAuth for remote access VPN users?

1 Reply

sean_evershed
Level 7

Hi,

I'm assuming that all your VPN tunnels are being terminated on the ASA?

If so, I suggest that you simplify your network: reduce the number of Linux firewalls from three to one.

You can have a firewall sandwich design, i.e. an outer firewall, which is your ASA, and then an internal firewall, which is one of the Linux boxes.

Personally I don't really see the need for separate firewalls for the different types of VPN traffic.

If you run Active Directory in your company and you are using a Cisco VPN client, then you can also authenticate your remote servers against your domain controller.

Please remember to rate all posts that are helpful.
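For reference, here is what the design in the original post looks like as an ASA configuration, with the reply's suggestion of authenticating remote-access users against Active Directory folded in. This is an added example written for this page, not configuration from either poster or from the attached drawing. It uses the IKEv1-era keywords of ASA 7.x/8.2 (`crypto isakmp ...`; 8.4 and later renamed these to `crypto ikev1 ...`), and every address, VLAN next hop, peer, LDAP DN and object name below is an assumption chosen for illustration: 203.0.113.2 on the outside, 10.4.0.0/24 and 10.5.0.0/24 as the transit links to the two Linux boxes on VLAN 400 and VLAN 500, one hypothetical office peer at 198.51.100.10 with LAN 172.16.1.0/24, a 10.40.0.0/24 range presented by the NATting site-to-site Linux box, a 10.100.0.0/16 corporate LAN reached through the no-NAT remote-access box, and a domain controller at 10.1.0.10. Only one site-to-site entry is shown; the other four offices repeat the same three blocks with their own peer, ACL and key.

```cisco
! --- Interfaces: one physical port per zone, the 4th port trunked into two VLAN subinterfaces
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3.400
 vlan 400
 nameif vpn-s2s
 security-level 100
 ip address 10.4.0.1 255.255.255.0
interface GigabitEthernet0/3.500
 vlan 500
 nameif vpn-ra
 security-level 100
 ip address 10.5.0.1 255.255.255.0
!
! --- Routing: decrypted packets follow the routing table, so the prefixes the tunnels expose
! --- must point at the Linux box on the matching subinterface or the boxes are bypassed
! --- (10.40.0.0/24 and 10.100.0.0/16 are hypothetical, see the lead-in)
route vpn-s2s 10.40.0.0 255.255.255.0 10.4.0.2 1
route vpn-ra 10.100.0.0 255.255.0.0 10.5.0.2 1
!
! --- IKEv1 phase 1, enabled on the outside interface only
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! --- Site-to-site: static crypto map entry + tunnel-group per trusted office (one shown)
access-list VPN_OFFICE1 extended permit ip 10.40.0.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_OFFICE1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set pfs group2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <long-random-secret-unique-to-this-peer>
!
! --- Remote access (Cisco VPN client): group PSK + XAuth, users verified against AD over LDAP
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.1.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
ip local pool RA_POOL 10.5.100.1-10.5.100.50 mask 255.255.255.0
group-policy RA_STAFF internal
group-policy RA_STAFF attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
tunnel-group RA_STAFF type remote-access
tunnel-group RA_STAFF general-attributes
 address-pool RA_POOL
 authentication-server-group AD
 default-group-policy RA_STAFF
tunnel-group RA_STAFF ipsec-attributes
 pre-shared-key <group-secret-shared-by-all-clients>
```

Two things worth checking before going live with this. First, the remote-access pool (10.5.100.0/24 here) is handed out by the ASA, so any ACL on the no-NAT Linux box behind VLAN 500 has to permit that pool, not the 10.5.0.0/24 transit link. Second, on the PSK-versus-CA question: with the Cisco VPN client the group pre-shared key is one secret installed on every staff laptop and IKEv1 remote access negotiates in aggressive mode, so the group key only identifies the group and XAuth is doing all of the per-user authentication. That is workable for 5 staff users if the group key is long and random and the XAuth back end (the AD server above) enforces strong passwords and lockout; certificates become worth the CA effort once the client population grows or a lost laptop needs to be revoked individually.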