Where to place a Cisco ASA 5505 in an existing network

We are currently happily running a SBS2003 server, servicing approx. 60 clients, with dual NICs and an ADSL router. All is working perfectly. We now have a client that wants us to connect 20+ of our users to their corporate network, to access their internal databases. They have a Cisco VPN concentrator and are asking us to install a Cisco ASA 5505 VPN device on our network to enable this VPN connection.

My first question is where (physically) do we need to place this device? I am assuming it should sit in between the external NIC of our server and our ADSL router. If we do this how will it a) affect all our users currentt access to the Internet etc. and b) know how to route requests to the clients network via the VPN?

The above infers that there will be follow up questions so be prepared to earn your points! :-)


Who is Participating?
OK, my suggestion is this:

Configure interface 0 as the outside (ADSL) interface.
Configure interface 1 as the dmz (SBS2003 outside NIC) interface.
Configure interface 2 as the inside (LAN) interface.

Yes, it will need to be between the external NIC on the SBS server and the ADSL router.

If the ASA is properly pre-configured, and you put it in service outside of normal business hours, I doubt your users will even notice.

How many interfaces does the ASA have?  I would suggest three interfaces - One for the LAN, one for the DMZ/external NIC on server, and one for the ADSL router.

Then the VPN terminates on the ASA, and gets routed via the LAN interface.  The server still connects to the Internet via the external NIC.

Alternately, you can disable the external NIC on the SBS server, and have the ASA connect to the LAN.  This will make your ISA implementation obsolete, though, if you are using it.  You will no longer be able to configure Internet access based on user account.

midoceanAuthor Commented:
Hi Asavener

Thanks for the prompt reply. I have pre-configured the ASA with 2 interfaces, one for the LAN and one for the ADSL router. We are running SBS standard edition so ISA is not an issue, although we are using the dual NIC setup as a SBS basic firewall.

I woud love to do this out of hours, unfortunately the client wants to attempt it tomorrow afternoon so we can involve AT&T here in the UK and in the States!

Going down the route you suggest (if I understand it correctly) I would have one port (0) on the same subnet as the ADSL router, one port (1) on the same subnet as the SBS external NIC and one port (2) on the same subnet as the internal private IP subnet?

I presume there is then some routing to setup on the ASA to allow all current traffic between ports 0 & 1?
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

I'm confused.  How many interfaces are on the ASA?
midoceanAuthor Commented:
8 in total. Interface 0 normally reserved for WAN and the rest configurable.
midoceanAuthor Commented:
Thanks, I'll try that today and let you know how I get on.
midoceanAuthor Commented:
Thanks for your help. I ended up running the ASA in parallel with the SBS-to-Router connection and using DNS to pass requests to the client VPN via the ASA.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.