VPN - ASA5510 placement

J_Vansen_S
Level 3

Hi all;

I have been assigned to commission a Cisco ASA5510 for a site-to-site VPN across to the Miami office.

From my understanding the ASA VPN headend must be WAN facing, meaning that a public IP is needed.

Hope someone can advise whether my ASA placement is correct and best practice.

[Attachment: site2siteVpn-placement.png]

If I were to put the ASA WAN facing, before the Packeteer, how does my site-to-site VPN work?

  1. There will be a public IP on both my inside and outside interfaces.
  2. Obviously there is NAT configured on the Proventia FW.

The overall objective is to have the remote LAN (Miami) communicate with the server LAN, and vice versa.

Please advise

4 Replies

sean_evershed
Level 7

I have a question about this design. What role does the Packetshaper perform?

Does it need to communicate with other Packetshapers across your WAN? Does it perform any sort of WAN optimization services?

Are you sure you want three different vendor firewalls in the network? As an alternative could you retire the Proventia and replace it with the ASA?

I'm not a Proventia expert but do you have any other public IPs available and a spare interface on the Proventia where you could install the ASA?

hobbe
Level 7

Hi

I would agree that you would have to put the ASA at the point you are showing in your drawing.

Any other place and you would lose the shaping that the Packeteer does (I assume here that the Packeteer does traffic shaping).

If you were to install the ASA on the other side of the Packeteer device, you would only have IPsec-encrypted traffic passing through it and it would be of no use.

There is a question or a statement here that I do not understand, or rather, I am afraid that I do not understand.

"From my understanding the ASA VPN headend must be WAN facing; meaning which a public IP is needed."

What do you mean by headend?

AFAIK you can terminate IPsec on any of the interfaces at the same time, if that is what you are looking for.

So you can have one tunnel going to int eth0/0, another to eth0/1 and a third to eth0/2.

Good luck

HTH

Hobbe

Hi there, thanks for your reply.

Sorry for my understatement; when I mention the VPN headend being WAN facing, I mean that the ASA outside interface has to be on a public IP address in order for the VPN remote site to dial in to it. Am I on the right track?

Let's say I were to put the ASA behind a 1st-tier firewall; thus my ASA VPN would not work? Reason being, no public IP to dial in to.

Sent from Cisco Technical Support iPhone App

Hi, sorry for the late answer.

YES, NO and not at all.

Always nice with a straight answer.

The 3000 concentrator was recommended to be built behind a firewall on a DMZ. The reason for this was that the 3000 concentrator was a VPN device, not a firewall; as a VPN device and not a firewall it was not secure enough to be recommended for placement outside of the firewall where people could attack it.

Since the ASA is a firewall and is deemed secure enough to place outside on the wild wild west that is the internet, there is no reason to hide it behind another firewall.

There is nothing stating that you cannot use any IPv4 address of your choosing, including any RFC 1918 address.

However, that said:

The IPsec packets between the firewalls need to be able to reach each other unaltered, otherwise the packet will be dropped.

That is one reason why we have IPsec encapsulated inside a "UDP" and TCP packet stream.

If the WAN link is only the link between your offices and everything that goes over that link needs to be encrypted (as per the drawing), then you can place the firewall where you have marked it on the drawing and it will do the job you have asked for.

If your WAN link is also your INTERNET link, then if I were you I would redesign the network.

Maybe move the packetshaper to the inside of the Proventia firewall and then set the ASA beside the Proventia on the same outside network?

It all depends on what you want to do. Maybe do away with the Proventia and replace it with the ASA? Or let the Proventia handle all the VPN traffic also and do away with the ASA.

I do not know the Proventia firewall, so I do not know if it is a good or a bad one.

However, having a non-uniform configuration when it comes to the equipment will cost you money and time to keep the knowledge of how to configure the devices as well as actually managing them.

Good luck

HTH
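To make the "RFC 1918 address on the outside interface" case from the reply above concrete, and to answer the original poster's two numbered points (private/NATed outside address, NAT on the Proventia in front), here is an added example of a minimal site-to-site IPsec configuration for the ASA in the position marked on the drawing. It is editorial example material, not a configuration posted by anyone in this thread and not a vendor-supplied template. It assumes ASA 8.2-style syntax (pre-8.3 `nat (inside) 0` exemption), IKEv1 with a pre-shared key, and the placeholder addresses listed in the comments; every address, name and key is a placeholder and the `20` second NAT-T keepalive interval is a chosen value, not a requirement.

```cisco
! Assumed addressing (placeholders chosen for this example, not from the thread):
!   ASA outside (behind the Proventia):        10.1.1.2/24, default gateway 10.1.1.1
!   Public address the Proventia NATs to it:   203.0.113.10
!   Miami peer (public address):               198.51.100.20
!   Local server LAN:                          192.168.10.0/24
!   Miami remote LAN:                          192.168.20.0/24
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.1.1.1
!
! Interesting traffic for the tunnel. The same ACL is used as the NAT
! exemption so the ASA itself does not rewrite server-LAN addresses
! before they are encrypted.
access-list VPN_TO_MIAMI extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list VPN_TO_MIAMI
!
! IKEv1 phase 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! The Proventia rewrites the ASA's source address, so the IKE peers will
! detect the NAT and carry ESP inside UDP/4500 instead of raw IP proto 50.
! Without this the encrypted packets arrive "altered" and are dropped.
crypto isakmp nat-traversal 20
!
! Phase 2
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_MIAMI
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key CHANGE-ME-use-a-long-random-secret
```

Two things outside this box have to line up for it to work. The Proventia must hold a static one-to-one NAT from 203.0.113.10 to 10.1.1.2 and permit UDP/500 and UDP/4500 from 198.51.100.20 to that address (permitting IP protocol 50 as well does no harm but is not what NAT-T uses). The Miami side must point at the public address, i.e. `set peer 203.0.113.10` and `tunnel-group 203.0.113.10`, not at 10.1.1.2, because that is the source address its packets actually see. Once both ends are up, `show crypto isakmp sa` should show the peer in state MM_ACTIVE and `show crypto ipsec sa` should show the encaps/decaps counters rising for 192.168.10.0/24 to 192.168.20.0/24; if phase 1 never completes, the first things to check are the Proventia rules for UDP/500 and UDP/4500 and whether the Miami end is matching the tunnel-group on the NATed address.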