Question Nr 1:
We have an edge gw configured for a customer, which they are using for their office traffic to the VDC at a remote location through P2P.
office >>>>>>>>>>>>>>>remote location ::edge gw::: internal servers in data center.
Now they want to have 200 VPNs for their customers. I suggested they have a physical ASA firewall for termination of all these VPNs.
The VPN connection speed really doesn't matter.
They want their office traffic to be separate from customer traffic by having two different firewalls. I told him to have one single fw and that the separation can be done through the new physical ASA firewall. Is that right? I need your suggestion here.
Question Nr 2:
If we want the new firewall beside the old one, how will this VPN termination take place? Do I need a separate external IP on the new ASA firewall and a link inside to the VDC server? Or ????
As I understand it, they want their VPN traffic to go through a separate firewall so that the performance of the edge gw for their office is not disturbed at all.
Your suggestions are welcome.
Thanks in advance.
There are some things about what you describe that are not clear. You say that they want 200 VPN but do not make clear whether this is 200 site to site VPN tunnels or is 200 Remote Access VPN. Can you clarify?
One of the questions to resolve would be whether to have the new VPN use the existing Internet connection or to have the new VPN use a new and separate Internet connection. If they are serious about the requirement that office traffic and Customer traffic be separate so that Customer VPN traffic does not have any impact on Office traffic, then it is clear that you need a new Internet connection for the VPN. When you answer this question, that will determine whether you need a separate firewall and whether you need a separate external IP for the new ASA.
I am sorry for not being so clear in my text.
It's SITE to SITE VPNs = 200+ in total.
As ISP we have the possibility to make a new internet connection for them and then use that connection for the termination of Site to Site VPNs.
But remember that the inside server in the VDC will be the same for both office and customer traffic.
It's like the same inside resource accessed by the office employees and public customers.
The design can look like:
ASA firewall edge gw
> FW INSIDE <
Thanks for the additional information. It is helpful to know that it is 200 site to site vpn. Especially knowing this, I would advise that you implement a separate Internet connection with its own public IP address and use this to terminate the site to site vpn. We do not know what kind of device the current gateway is, but the processing load of terminating 200 site to site vpn would have an impact on almost any kind of gateway device.
I agree with your point that since the 200 site to site vpn will be accessing the same resources as the office traffic, there may be some impact on performance. That is a given that they need to be prepared for (and they might want to consider adding some resources to mitigate the impact).
But as far as the external connection is concerned it should be an easy decision to have a separate firewall (ASA) to terminate the site to site vpn. The design that you suggest with an inside firewall handling traffic from both the existing gateway and the new ASA would be an appropriate design.
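A minimal ASA configuration sketch of the design agreed on above: the new ASA has its own outside address on the separate Internet connection, an inside link toward the inside FW in front of the VDC servers, and one site-to-site IKEv2 tunnel written as a template to be repeated per customer. This is an added example, not configuration from the thread; all addresses, object names, the peer address and the pre-shared keys are placeholder assumptions.

```cisco
! --- Interfaces (addresses are placeholders, not from the thread) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
! public IP on the NEW Internet connection, separate from the existing edge gw
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.200.0.1 255.255.255.252
! point-to-point link to the inside FW that fronts the VDC servers
route outside 0.0.0.0 0.0.0.0 198.51.100.1
route inside 10.10.0.0 255.255.0.0 10.200.0.2
!
! --- IKEv2 / IPsec parameters shared by every customer tunnel ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE_MAP interface outside
!
! --- Per-customer template: repeat with a new crypto map sequence number,
! --- ACL, network object, peer and tunnel-group for each of the 200 sites ---
object network VDC_SERVERS
 subnet 10.10.0.0 255.255.0.0
object network CUST1_LAN
 subnet 192.168.1.0 255.255.255.0
! only VDC server <-> customer LAN traffic is interesting traffic for this tunnel
access-list CUST1_VPN extended permit ip object VDC_SERVERS object CUST1_LAN
! identity NAT so tunnelled traffic is never translated on the outside interface
nat (inside,outside) source static VDC_SERVERS VDC_SERVERS destination static CUST1_LAN CUST1_LAN no-proxy-arp route-lookup
crypto map OUTSIDE_MAP 10 match address CUST1_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <unique-psk-for-customer-1>
 ikev2 local-authentication pre-shared-key <unique-psk-for-customer-1>
```

Because the customer tunnels and the office traffic reach the same VDC servers, the inside FW (not shown) should still limit each customer LAN to the specific server addresses and ports it needs rather than the whole VDC range.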