cfan73

asked on

Multi-purpose ASA - single public address for Internet, remote access VPN & site-to-site VPN?

Scenario: small company with two locations - the main site has a 10-Mb fiber Internet connection, the other a 45-Mb DSL connection.  The sites will communicate via a site-to-site IPsec VPN, and remote clients will connect to the primary site using both IPsec and SSL VPN (hopefully).  I have a couple questions:

1) Since both of these sites have Ethernet hand-offs, and will not carry Internet routes, can I simply use a Cisco ASA at each (as opposed to an actual router, such as an ISR)?   If there's a reason why a real router might still be purposed in this environment, please advise.

2) At the primary site, can a single ASA (sized appropriately) be assigned a single public IP on the outside interface, and handle outbound Internet traffic, the site-to-site VPN, and both types of remote VPN clients?   Can one interface/IP be used for all of these things concurrently?

3) Lastly, if the primary site also had a DSL connection to the Internet, could the ASA be configured to automatically failover to this secondary connection if the primary fiber connection was lost?  (Not sure how this could be done w/o destroying all of the VPN connections)

Thank you, and links/references are always helpful!
Cheever000

The answer to all of the above is yes.  

1.  An ASA can route for most small businesses with no problems at all and replace the need for a router; it can't do policy-based routing, but for a smaller-sized shop no worries there.

2.  A single IP can handle both types of VPN, as VPN endpoints are usually terminated on the interface's IP; it doesn't matter the block size. If you have a lot of web servers and/or PATs needed, that will get a little crowded PATing a single address, but otherwise it should work perfectly.

3.  Take a look at what is called IP SLA; you can use this to automatically track routes based on conditions, such as ICMP echo replies, and remove the route from the routing table.  If you have questions on this let me know, I can provide examples of this configuration.
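The pieces Cheever000 describes, put together as one ASA configuration. This is an added example, not configuration from the original thread or from the accepted answer: the interface names, the RFC 5737 documentation addresses (203.0.113.0/29 for the fiber ISP, 198.51.100.0/29 for the DSL ISP, 192.0.2.20 for the remote site's firewall), the subnets, and the object, map and group names are all made up for illustration, and ASA 8.4+ syntax (object NAT, `anyconnect enable`) is assumed. It shows the outside interface address being used at the same time for outbound PAT, the site-to-site tunnel, IPsec remote-access clients and SSL/AnyConnect clients, and an `sla monitor` / `track` pair that pulls the primary default route when the fiber next hop stops answering ICMP.

```cisco
! Added example, not from the original thread. All addresses are RFC 5737
! documentation ranges and all names are constructed for this illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network remote-net
 subnet 192.168.2.0 255.255.255.0
! Identity NAT first so site-to-site traffic is not PATed before encryption,
! then dynamic PAT to each ISP-facing interface's own address.
nat (inside,outside) source static inside-net inside-net destination static remote-net remote-net
nat (inside,backup)  source static inside-net inside-net destination static remote-net remote-net
nat (inside,outside) source dynamic inside-net interface
nat (inside,backup)  source dynamic inside-net interface
!
! IKEv1 phase 1/2 shared by the site-to-site tunnel and IPsec remote-access clients.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Site-to-site: static map entry keyed on the remote peer's public address.
access-list site2site extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 10 match address site2site
crypto map outside_map 10 set peer 192.0.2.20
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
! Remote-access IPsec: dynamic map entry catches clients from unknown addresses.
crypto dynamic-map dyn_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-PSK>
!
! SSL VPN (AnyConnect) on the same outside address, TCP/443.
webvpn
 enable outside
 anyconnect enable
ip local pool ra-pool 192.168.50.1-192.168.50.50 mask 255.255.255.0
group-policy ra-policy internal
group-policy ra-policy attributes
 vpn-tunnel-protocol ikev1 ssl-client
 backup-servers 198.51.100.10
tunnel-group ra-group type remote-access
tunnel-group ra-group general-attributes
 address-pool ra-pool
 default-group-policy ra-policy
tunnel-group ra-group ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-PSK>
!
! IP SLA: ping the fiber ISP next hop every 10 s out of the outside interface;
! "track 1" goes down when the probe fails and the tracked route is withdrawn,
! leaving the metric-254 route via the DSL link as the only default.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.9 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.9 254
```

Two things to plan for when using this. First, the probe target: pinging the ISP's own gateway (as above) only detects a dead link, not an upstream outage at the ISP; probing something further away is more useful, and `interface outside` is what forces the probe out the fiber link rather than following whichever default route is currently active. Second, the failover itself does not preserve tunnels, because every VPN endpoint is the outside interface address: when the default route flips to `backup`, the site-to-site peer and the remote clients must re-establish against 198.51.100.10. That means a second crypto map bound to the `backup` interface, the remote site listing both addresses in its `set peer`, and the `backup-servers` entry above so AnyConnect clients know where to retry. Check the tracker state with `show track 1` and `show sla monitor operational-state`, and the active default with `show route`.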
cfan73

ASKER

Thank you for your response - couple follow-up questions, and I think we'll be done:

2) Just confirming again - you're saying that the single public IP can handle the two types of VPNs (actually three: site-to-site IPsec, remote IPsec and remote SSL VPN), yes?    PLUS, there's no problem in having normal Internet traffic traverse this single public IP?  (I guess I had concerns about how the ASA would distinguish the different types of incoming traffic (VPN/non-VPN, etc.).)

3) Is IP SLA supported on the ASAs?  I haven't dug in, but have dealt w/ this feature before (to a degree), and thought it was just available for routers....  If it works, then yes, config examples from an ASA would be awesome!

Thanks again!!!
ASKER CERTIFIED SOLUTION
Cheever000

This solution is only available to members.
cfan73

ASKER

Awesome - thank you!