03-07-2011 09:55 PM
Hi all;
I have been assigned to commission a Cisco ASA 5510 for a site-to-site VPN across to the Miami office.
From my understanding the ASA VPN headend must be WAN facing, meaning that a public IP is needed.
Hope someone can advise whether my ASA placement is correct and best practice.
If I were to put the ASA WAN facing before the Packeteer, how does my site-to-site VPN work?
The overall objective is to have the remote LAN (Miami) communicate with the server LAN and vice versa.
Please advise.
03-07-2011 11:33 PM
I have a question about this design. What role does the Packetshaper perform?
Does it need to communicate with other Packetshapers across your WAN? Does it perform any sort of WAN optimization services?
Are you sure you want three different vendor firewalls in the network? As an alternative could you retire the Proventia and replace it with the ASA?
I'm not a Proventia expert but do you have any other public IPs available and a spare interface on the Proventia where you could install the ASA?
03-08-2011 07:49 AM
Hi
I would agree that you would have to put the ASA at the point you are showing in your drawing.
Any other place and you would lose the shaping that the Packeteer does (I assume here that the Packeteer does traffic shaping).
If you were to install the ASA on the other side of the Packeteer device you would only have IPsec-encrypted traffic passing through it and it would be of no use.
There is a question or a statement here that I do not understand, or rather, I am afraid that I do not understand.
"From my understanding the ASA VPN headend must be WAN facing; meaning which a public IP is needed."
What do you mean with headend?
AFAIK you can terminate IPsec on any of the interfaces at the same time if that is what you are looking for.
So you can have one tunnel going to int eth0/0, another to eth0/1 and a third to 0/2.
Good luck
HTH
Hobbe
03-08-2011 09:42 AM
Hi there, thanks for your reply.
Sorry for my understatement; when I mention VPN headend WAN facing, I mean that the ASA outside interface has to be on a public IP address in order for the VPN remote site to dial in to it. Am I on the right track?
Let's say if I were to put the ASA behind a 1st-tier firewall, then my ASA VPN would not work? Reason being: no public IP to dial in to.
03-09-2011 10:48 PM
Hi, sorry for the late answer.
YES, NO and not at all.
Always nice with a straight answer.
The 3000 concentrator was recommended to be built behind a firewall on a DMZ; the reason for this was that the 3000 concentrator was a VPN device, not a firewall. As a VPN device and not a firewall it was not secure enough to recommend being placed outside of the firewall where people could attack it.
Since the ASA is a firewall and is deemed secure enough to place outside on the wild wild west that is the internet, there is no reason to hide it behind another firewall.
There is nothing stating that you can not use any IPv4 address of your choosing, including any RFC 1918 address.
However, that said:
The IPsec packets between the firewalls need to be able to reach each other unaltered; otherwise the packet will be dropped.
That is one reason why we have IPsec encapsulated inside a "UDP" and TCP packet stream.
If the WAN link is only the link between your offices and everything that goes over that link needs to be encrypted (as per the drawing), then you can place the firewall where you have marked it on the drawing and it will do the job you have asked for.
If your WAN link is also your INTERNET link, then if I were you I would redesign the network.
HTH
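As an added example (not posted by anyone in this thread), the following is a minimal ASA 8.2-style configuration for the site-to-site (LAN-to-LAN) tunnel discussed above, terminated on the ASA's outside interface. The peer address 203.0.113.2, the local and remote subnets, the object and map names, and the pre-shared key are assumed placeholders; substitute your own.

```cisco
! --- Phase 1 (IKEv1/ISAKMP) on the interface that faces the WAN ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! NAT traversal: encapsulates IKE/ESP in UDP/4500 so the tunnel
! survives a NAT device between the two peers (keepalive every 20 s)
crypto isakmp nat-traversal 20

! --- Phase 2 (IPsec) transform set ---
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Interesting traffic: local server LAN <-> remote Miami LAN (placeholder subnets) ---
access-list MIAMI_VPN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! NAT exemption so VPN-bound traffic is not translated before encryption (8.2 syntax)
nat (inside) 0 access-list MIAMI_VPN

! --- Crypto map bound to the outside interface ---
crypto map OUTSIDE_MAP 10 match address MIAMI_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! --- Peer definition; the tunnel-group name is the peer's IP for a LAN-to-LAN tunnel ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET

! Allow decrypted VPN traffic to bypass interface ACLs (default on, shown for clarity)
sysopt connection permit-vpn
```

The Miami ASA needs the mirror image: the same ISAKMP policy and transform set, the access list with source and destination swapped, and this ASA's outside address as its peer and tunnel-group name. To verify, `show crypto isakmp sa` should show the peer in MM_ACTIVE and `show crypto ipsec sa` should show encaps/decaps counters increasing once hosts on the two LANs exchange traffic.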