I wanted to run this by the experts:
I am planning to attempt the following configuration, and have a couple of questions that I would much appreciate feedback on.
Currently we have a simple one-subnet network with no internal router, with the ASA just being our endpoint on the network. The ASA also acts as our VPN concentrator, giving out VPN addresses on a different subnet that allows communication with the corporate subnet as well. The goal is to have a Cisco ASA 5510 as the endpoint on my network connected to my ISP, and then have an internal Cisco router connected to my ASA for routing VLANs inside my network.
Here is how I would see to do it:
External Interface: (external IP address provided by ISP)
Internal Interface: (10.1.1.254)
Default route for outside access to ISP
Static routes setup for internal subnets behind router, all pointing back to IP address of router interface connected to ASA.
Default Route pointing back to the Cisco ASA internal interface
Internal interface setup for trunking to HP Switch
Logical Interfaces on router for each internal subnet
Access lists to allow the logical interfaces to communicate with each other (intra-VLAN routing)
HP switch would be configured with trunking to the Cisco router, and tagged with the appropriate VLANs
Workstations would be connected to HP switch and have an IP address on their appropriate subnet based on VLAN membership
Now the questions:
1) Based on this configuration, and based on the fact that I am using static NAT rules now on my ASA, my assumption is that the ASA will know based on my static routes that it needs to send its NAT rules through my static route (to their destination behind the router) for communication. Am I right?
2) I need the ASA to be able to act as VPN concentrator for my network. The VPN users will need to have an address that can communicate with all of the internal subnets. I know currently (with my ASA as the only device on my network, no internal router) I can create VPN groups for this and allow access to certain subnets, but would this be as simple as having the VPN users have a gateway address of the IP address of the internal router interface connected to the ASA in order to be able to communicate with machines behind the router? My greatest concern is how to make sure that VPN users can communicate with all the machines behind the internal router.
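As an added illustration of the two-box layout sketched in the post (this is example configuration written for this page, not the poster's running config and not taken from any vendor document): a minimal ASA plus IOS plus HP switch configuration that matches the plan above. The ASA inside address 10.1.1.254 comes from the post; the router's address on the ASA link (10.1.1.1), the VLAN IDs (10, 20), the internal subnets (10.10.10.0/24, 10.10.20.0/24), the VPN pool (10.1.2.0/24), the interface names and the object names are all assumptions chosen for the example. ASA syntax is for 8.3 or later (object-based NAT); items in angle brackets are ISP-provided values that the post also leaves unspecified.

```cisco
! ===== ASA 5510 (assumed interface names; 8.3+ NAT syntax) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <ISP-assigned address> <ISP-assigned mask>
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
! Default route to the ISP (gateway is whatever the provider hands you)
route outside 0.0.0.0 0.0.0.0 <ISP gateway>
! Static routes for the subnets behind the internal router; next hop is the
! router's address on the ASA link (10.1.1.1 is an assumption)
route inside 10.10.10.0 255.255.255.0 10.1.1.1
route inside 10.10.20.0 255.255.255.0 10.1.1.1
!
! Objects for the internal subnets and the VPN address pool (assumed values)
object-group network INTERNAL-SUBNETS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object network VPN-POOL
 subnet 10.1.2.0 255.255.255.0
ip local pool VPN-ADDRESSES 10.1.2.10-10.1.2.200 mask 255.255.255.0
!
! Identity (no-NAT) rule so traffic between the VPN pool and the internal
! subnets keeps its real addresses; route-lookup makes the ASA choose the
! egress interface from the routing table (the static routes above) rather
! than from the NAT rule
nat (inside,outside) source static INTERNAL-SUBNETS INTERNAL-SUBNETS destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! ===== Internal IOS router (assumed interface names, VLAN IDs, subnets) =====
interface GigabitEthernet0/0
 description Link to ASA inside interface
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description 802.1Q trunk to HP switch
 no ip address
!
interface GigabitEthernet0/1.10
 description VLAN 10 - workstations
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface GigabitEthernet0/1.20
 description VLAN 20 - servers
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
!
! Anything the router has no route for (Internet, the VPN pool) goes back
! to the ASA inside interface
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
! Example filter on the VLAN 10 subinterface: allow HTTPS to the server VLAN,
! deny the rest of the server VLAN, allow everything else (Internet, VPN users)
ip access-list extended VLAN10-IN
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip  10.10.10.0 0.0.0.255 any
!
! ===== HP switch (ProVision-style syntax, assumed; port 1 faces the router) =====
vlan 10
 name workstations
 tagged 1
 untagged 2-12
vlan 20
 name servers
 tagged 1
 untagged 13-24
```

With this in place the VPN clients need no knowledge of the internal router: their tunnel terminates on the ASA, the ASA forwards packets for 10.10.10.0/24 and 10.10.20.0/24 to 10.1.1.1 using its static routes, and the router's default route carries the replies for the 10.1.2.0/24 pool back to 10.1.1.254. The access list is shown on one subinterface only; the inter-VLAN policy mentioned in the post would be a similar list per subinterface. The VPN group policy itself (tunnel group, split-tunnel list, the pool assignment) is left out because the post does not specify it.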