Where to place a Cisco ASA 5505 in an existing network

Posted on 2009-04-21
Last Modified: 2012-08-14
We are currently happily running a SBS2003 server, servicing approx. 60 clients, with dual NICs and an ADSL router. All is working perfectly. We now have a client that wants us to connect 20+ of our users to their corporate network, to access their internal databases. They have a Cisco VPN concentrator and are asking us to install a Cisco ASA 5505 VPN device on our network to enable this VPN connection.

My first question is where (physically) do we need to place this device? I am assuming it should sit in between the external NIC of our server and our ADSL router. If we do this, how will it a) affect all our users' current access to the Internet etc. and b) know how to route requests to the client's network via the VPN?

The above infers that there will be follow-up questions, so be prepared to earn your points! :-)


Question by:midocean

    Expert Comment

    Yes, it will need to be between the external NIC on the SBS server and the ADSL router.

    If the ASA is properly pre-configured, and you put it in service outside of normal business hours, I doubt your users will even notice.

    How many interfaces does the ASA have?  I would suggest three interfaces - One for the LAN, one for the DMZ/external NIC on server, and one for the ADSL router.

    Then the VPN terminates on the ASA, and gets routed via the LAN interface.  The server still connects to the Internet via the external NIC.

    Alternately, you can disable the external NIC on the SBS server, and have the ASA connect to the LAN.  This will make your ISA implementation obsolete, though, if you are using it.  You will no longer be able to configure Internet access based on user account.


    Author Comment

    Hi Asavener

    Thanks for the prompt reply. I have pre-configured the ASA with 2 interfaces, one for the LAN and one for the ADSL router. We are running SBS standard edition so ISA is not an issue, although we are using the dual NIC setup as a SBS basic firewall.

    I would love to do this out of hours; unfortunately the client wants to attempt it tomorrow afternoon so we can involve AT&T here in the UK and in the States!

    Going down the route you suggest (if I understand it correctly) I would have one port (0) on the same subnet as the ADSL router, one port (1) on the same subnet as the SBS external NIC and one port (2) on the same subnet as the internal private IP subnet?

    I presume there is then some routing to set up on the ASA to allow all current traffic between ports 0 & 1?

    Expert Comment

    I'm confused.  How many interfaces are on the ASA?

    Author Comment

    8 in total. Interface 0 normally reserved for WAN and the rest configurable.

    Accepted Solution

    OK, my suggestion is this:

    Configure interface 0 as the outside (ADSL) interface.
    Configure interface 1 as the dmz (SBS2003 outside NIC) interface.
    Configure interface 2 as the inside (LAN) interface.
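
The three-interface layout from the accepted solution, written out as ASA 5505 configuration. This is an added example, not part of the original thread: all IP addresses are constructed placeholders, the VLAN numbers and security levels are assumed conventional choices, and the `no forward interface` line applies only if the unit runs the Base license.

```text
! Constructed example: addresses below are placeholders, not from the thread.
! On the ASA 5505 the physical ports are switch ports; each zone is a VLAN
! interface, and a port joins a zone through its access VLAN.
!
! outside: faces the ADSL router (lowest trust)
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
! dmz: faces the SBS2003 external NIC.
! With the Base license the third VLAN must be restricted from initiating
! traffic to one other VLAN before nameif is accepted. Blocking dmz -> inside
! also keeps the server's Internet-facing side from opening sessions to the LAN.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.0.3.1 255.255.255.0
!
! inside: the private LAN, where the VPN users sit (highest trust)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.16.1 255.255.255.0
!
! Port 0 -> outside, port 1 -> dmz, port 2 -> inside
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 3
 no shutdown
!
interface Ethernet0/2
 switchport access vlan 1
 no shutdown
!
! Default route toward the ADSL router (placeholder next hop)
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

Traffic from a higher security level to a lower one is permitted by default, while the reverse direction needs an explicit access list; NAT and the site-to-site VPN definition are not shown because their syntax depends on the software version.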


    Author Comment

    Thanks, I'll try that today and let you know how I get on.

    Author Closing Comment

    Thanks for your help. I ended up running the ASA in parallel with the SBS-to-Router connection and using DNS to pass requests to the client VPN via the ASA.
