Cisco ASA 5510 & 2811 VPN Router

We currently have a Cisco ASA 5510 setup with a DMZ for Citrix Secure Gateway Access. We are in the process of implementing new hardware/software and the vendor is requesting that we purchase an additional Cisco 2811 VPN router to create a tunnel for them to have access to the new servers. Their recommendation was to set the new router publicly in front of/separate from the ASA and then the inside LAN connection would be connected to the DMZ behind the ASA 5510. By doing this, do we then need to configure NAT rules or static routes so that when traffic going through the 2811 falls in the 5510 DMZ there is a route to our corporate LAN for server access that is still secure? My initial question was why not just create a VPN tunnel using the ASA and eliminate the 2811 altogether and not route anything through the DMZ?
CMCITD Asked:

Marius Gunnerud, Senior Systems Engineer, Commented:
I don't see a need for the 2811. But one thing to take into account is the capacity of the ASA: throughput, VPN throughput, max connections, etc. If the ASA is sufficient to meet your requirements then there is no need to buy more equipment. Just create a VPN from the ASA as you mentioned.
0

Robert Sutton Jr, Senior Network Manager, Commented:
What type of license do you currently have on your ASA5510? Secondly, look at the bigger picture. What resource(s) "Exactly" do they need access to? Having a vendor request you purchase another router (2811 in this case) for the sole purpose of accessing a local resource(s) is absurd. Especially if you already have a capable device in place. Let us know.
0
CMCITD, Author, Commented:
Resources are of no concern. We are using this ASA for 2 VPN tunnels with only 2 client workstations on the other end so throughput is nowhere near max. The Vendor is a major EMR vendor that I believe is attempting a strong arm approach at purchasing additional hardware. The 2811 sole purpose would only be used if the company needs to remote in and troubleshoot issues with servers that we cannot handle ourselves so yes it is absurd. Thanks for both of your input on this.
0