Solved

Cisco ASA 5510 & 2811 VPN Router

Posted on 2012-03-23
3
966 Views
Last Modified: 2012-03-26
We currently have a Cisco ASA 5510 setup with a DMZ  for Citrix Secure Gateway Access.  We are in the process of implementing new hardware/software and the vendor is requesting that we purchase an additional Cisco 2811 VPN router to create a tunnel for them to have access to the new servers.  Their recommendation was to set the new router publicly in front of/separate from the ASA and then inside LAN connection would be connected to the DMZ behind the ASA 5510.  By doing this, do we then need to configure NAT rules or static routes so that when traffic going through the 2811 falls in the 5510 DMZ there is a route to our corporate LAN for server access that is still secure?  My initial question was why not just create a VPN tunnel using the ASA and eliminate the 2811 all together and not route anything through the DMZ?
0
Comment
Question by:CMCITD
3 Comments
 
LVL 17

Accepted Solution

by:
MAG03 earned 250 total points
ID: 37758513
I don't see a need for the 2811.  But one thing to take into account is the capacity of the ASA, thoughput, vpn through put, max connections...etc. If the ASA is sufficient to meet your requirements then there is no need to buy more equipment.  Just create a VPN form the ASA as you mentioned.
0
 
LVL 15

Assisted Solution

by:The_Warlock
The_Warlock earned 250 total points
ID: 37765380
What type of license do you currently have on your ASA5510? Secondly, look at the bigger picture. What resource(s) "Exactly" do they need access to? Having a vendor request you purchase another router (2811 in this case) for the sole purpose of accessing a local resource(s) is absurd. Especially if you already have a capable device in place. Let us know.
0
 

Author Closing Comment

by:CMCITD
ID: 37765858
Resources are of no concern.  We are using this ASA for 2 vpn tunnels with only 2 client workstations on the other endso throughput is nowhere near max.  The Vendor is a major EMR vendor that I believe is attempting a strong arm approach at purchasing additional hardware.  The 2811 sole purpose would only be used if the company needs to remote in and troubleshoot issues with servers that we cannot handle ourselves so yes it is absurd.  THanks for both of your input on this.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now