

Where to place a Cisco ASA 5505 in an existing network

Posted on 2009-04-21
Medium Priority
Last Modified: 2012-08-14
We are currently happily running a SBS2003 server, servicing approx. 60 clients, with dual NICs and an ADSL router. All is working perfectly. We now have a client that wants us to connect 20+ of our users to their corporate network, to access their internal databases. They have a Cisco VPN concentrator and are asking us to install a Cisco ASA 5505 VPN device on our network to enable this VPN connection.

My first question is where (physically) do we need to place this device? I am assuming it should sit in between the external NIC of our server and our ADSL router. If we do this how will it a) affect all our users' current access to the Internet etc. and b) know how to route requests to the client's network via the VPN?

The above infers that there will be follow-up questions, so be prepared to earn your points! :-)


Question by:midocean

Expert Comment

ID: 24199529
Yes, it will need to be between the external NIC on the SBS server and the ADSL router.

If the ASA is properly pre-configured, and you put it in service outside of normal business hours, I doubt your users will even notice.

How many interfaces does the ASA have?  I would suggest three interfaces - One for the LAN, one for the DMZ/external NIC on server, and one for the ADSL router.

Then the VPN terminates on the ASA, and gets routed via the LAN interface.  The server still connects to the Internet via the external NIC.

Alternately, you can disable the external NIC on the SBS server, and have the ASA connect to the LAN.  This will make your ISA implementation obsolete, though, if you are using it.  You will no longer be able to configure Internet access based on user account.


Author Comment

ID: 24199845
Hi Asavener

Thanks for the prompt reply. I have pre-configured the ASA with 2 interfaces, one for the LAN and one for the ADSL router. We are running SBS standard edition so ISA is not an issue, although we are using the dual NIC setup as a SBS basic firewall.

I would love to do this out of hours, unfortunately the client wants to attempt it tomorrow afternoon so we can involve AT&T here in the UK and in the States!

Going down the route you suggest (if I understand it correctly) I would have one port (0) on the same subnet as the ADSL router, one port (1) on the same subnet as the SBS external NIC and one port (2) on the same subnet as the internal private IP subnet?

I presume there is then some routing to set up on the ASA to allow all current traffic between ports 0 & 1?

Expert Comment

ID: 24200237
I'm confused.  How many interfaces are on the ASA?


Author Comment

ID: 24200311
8 in total. Interface 0 normally reserved for WAN and the rest configurable.

Accepted Solution

asavener earned 1500 total points
ID: 24201093
OK, my suggestion is this:

Configure interface 0 as the outside (ADSL) interface.
Configure interface 1 as the dmz (SBS2003 outside NIC) interface.
Configure interface 2 as the inside (LAN) interface.


Author Comment

ID: 24202280
Thanks, I'll try that today and let you know how I get on.

Author Closing Comment

ID: 31573038
Thanks for your help. I ended up running the ASA in parallel with the SBS-to-Router connection and using DNS to pass requests to the client VPN via the ASA.
