midocean

Where to place a Cisco ASA 5505 in an existing network

We are currently happily running a SBS2003 server, servicing approx. 60 clients, with dual NICs and an ADSL router. All is working perfectly. We now have a client that wants us to connect 20+ of our users to their corporate network, to access their internal databases. They have a Cisco VPN concentrator and are asking us to install a Cisco ASA 5505 VPN device on our network to enable this VPN connection.

My first question is where (physically) do we need to place this device? I am assuming it should sit in between the external NIC of our server and our ADSL router. If we do this how will it a) affect all our users' current access to the Internet etc. and b) know how to route requests to the client's network via the VPN?

The above infers that there will be follow up questions so be prepared to earn your points! :-)

Cheers

Dave
asavener

Yes, it will need to be between the external NIC on the SBS server and the ADSL router.

If the ASA is properly pre-configured, and you put it in service outside of normal business hours, I doubt your users will even notice.

How many interfaces does the ASA have?  I would suggest three interfaces - One for the LAN, one for the DMZ/external NIC on server, and one for the ADSL router.

Then the VPN terminates on the ASA, and gets routed via the LAN interface.  The server still connects to the Internet via the external NIC.


Alternately, you can disable the external NIC on the SBS server, and have the ASA connect to the LAN.  This will make your ISA implementation obsolete, though, if you are using it.  You will no longer be able to configure Internet access based on user account.


midocean (ASKER)

Hi Asavener

Thanks for the prompt reply. I have pre-configured the ASA with 2 interfaces, one for the LAN and one for the ADSL router. We are running SBS standard edition so ISA is not an issue, although we are using the dual NIC setup as a SBS basic firewall.

I would love to do this out of hours, unfortunately the client wants to attempt it tomorrow afternoon so we can involve AT&T here in the UK and in the States!

Going down the route you suggest (if I understand it correctly) I would have one port (0) on the same subnet as the ADSL router, one port (1) on the same subnet as the SBS external NIC and one port (2) on the same subnet as the internal private IP subnet?

I presume there is then some routing to set up on the ASA to allow all current traffic between ports 0 & 1?

I'm confused.  How many interfaces are on the ASA?

8 in total. Interface 0 normally reserved for WAN and the rest configurable.

ASKER CERTIFIED SOLUTION
asavener
This solution is only available to members.

Thanks, I'll try that today and let you know how I get on.

Thanks for your help. I ended up running the ASA in parallel with the SBS-to-Router connection and using DNS to pass requests to the client VPN via the ASA.