05-28-2015 09:15 AM - edited 02-21-2020 08:15 PM
Hello everyone, I hope that you are able to help me.
We currently have two HA ASA5505s that protect our business and we have many VPNs (200 plus) running on said firewalls.
We have purchased two ASA5525Xs to become our new outside devices, but our existing firewalls will remain in place and will become our inside devices.
I think I know the answer to this, but my question is: do I need to move each VPN to the new outside firewalls, or can I leave them on the inside firewalls and route through the outside firewall?
I believe I am facing an administrative nightmare. I am thinking it is going to be trouble because our current outside interface on our existing firewall will become an inside interface once we install the new firewalls, taking the public address to the outside interface on the new firewalls. Could you NAT to the public address from the inside to the outside?
Fingers crossed and thank you in advance for any guidance.
05-28-2015 02:39 PM
Yes, you can terminate the VPNs on the inside firewall, but the VPN config on the actual firewall (BTW: 200 plus on a 5505? Probably a different model) is pretty much the same as on your new device. It's very likely that you can copy and paste the VPN config to your new device with minor or no modifications.
If you still want to go for the internal VPN gateway, it's also not that hard:
05-29-2015 01:07 AM
Thank you for your reply, and you are dead right: we have ASA5520s at the moment. Apologies.
Thank you for your input. I would prefer the VPNs to move on to the outside firewall; it was just that looking at the task at hand was quite daunting.
Appreciate your time. Have a good day.