11-01-2012 08:38 AM
Hi,
Just a quick query really, I've installed a fair few ASA's over the years, but mainly for small to medium businesses as both a firewall and VPN concentrator, which in general I would have assumed to be the norm.
I'm currently reading through the CCNP Security VPN cert guide and it states that "the most popular design is to place the VPN appliance into its own DMZ, allowing for greater scale and ease of management" which is fair enough.
I was assuming this to just be a logical demarcation on the same physical appliance, but it then goes on to say "if you are designing the topology for a small to medium business network, you have the possibility of collapsing the two roles into the same physical device" which would lead me to think that the recommendation would be to purchase two ASAs one as dedicated VPN Concentrator and another as a Firewall.
My question is twofold, perhaps separating real world from academic. Has anyone/does anyone implement this solution with ASAs? Especially if one device will technically cover all of the requirements.
If this solution is applied to the real world, at what point would you make the decision/recommendation to move to separate devices and not to just increase the horsepower of the single (pair) ASA?
Thanks,
SR
11-01-2012 09:22 AM
Hi SR,
For a small to medium network, one ASA can handle both roles (ASA 5520, 5510 even a 5505). The ASA is considered an all-in-one FW, so FW, IPS and VPN are supported features.
It is usual to see big networks with dedicated FW appliances (5580, 5540, 5500-X), but the reason for this is to have a more granular and scalable infrastructure. Also because these ASAs may have hundreds of tunnels, huge NAT tables, tons of FW rules and having all these running on one device is not a good idea.
Good information:
Firewall Design and Deployment
HTH.
Portu.
Please rate any helpful posts
11-01-2012 09:33 AM
The SMB market I know is not willing to spend extra money to separate the roles of firewalling and VPN, and so they are most of the time combined. The typical reason there is a technical one: Some customers want to use the virtual firewalls (security contexts) to have better manageability of different departments. And here no VPN is supported and it has to be implemented as a separate unit.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-01-2012 09:37 AM
I agree with Karsten.
And in addition, the latest ASA 9.0 release now supports VPN in multiple context mode.
Look for: Multiple Context Mode Features
Thanks.
Portu.
11-01-2012 10:02 AM
I've just seen that. But only site-to-site is supported. And these are normally running on IOS routers (at least for my customers). So for RA we still have to use different boxes. But the ASA v9 has nice features introduced. Good to see that IPv6 got much attention in the new version.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni