Solved

Cisco ASA 5510 & 2811 VPN Router

Posted on 2012-03-23
Last Modified: 2012-03-26
We currently have a Cisco ASA 5510 set up with a DMZ for Citrix Secure Gateway access. We are in the process of implementing new hardware/software, and the vendor is requesting that we purchase an additional Cisco 2811 VPN router to create a tunnel for them to have access to the new servers. Their recommendation was to set the new router publicly in front of/separate from the ASA, and then the inside LAN connection would be connected to the DMZ behind the ASA 5510. By doing this, do we then need to configure NAT rules or static routes so that when traffic going through the 2811 falls in the 5510 DMZ there is a route to our corporate LAN for server access that is still secure? My initial question was why not just create a VPN tunnel using the ASA and eliminate the 2811 altogether and not route anything through the DMZ?
Question by:CMCITD
3 Comments
 
LVL 17

Accepted Solution

by:
Marius Gunnerud earned 1000 total points
ID: 37758513
I don't see a need for the 2811. But one thing to take into account is the capacity of the ASA: throughput, VPN throughput, max connections, etc. If the ASA is sufficient to meet your requirements then there is no need to buy more equipment. Just create a VPN from the ASA as you mentioned.
 
LVL 15

Assisted Solution

by:Robert Sutton Jr
Robert Sutton Jr earned 1000 total points
ID: 37765380
What type of license do you currently have on your ASA5510? Secondly, look at the bigger picture. What resource(s) "Exactly" do they need access to? Having a vendor request you purchase another router (2811 in this case) for the sole purpose of accessing a local resource(s) is absurd. Especially if you already have a capable device in place. Let us know.
 

Author Closing Comment

by:CMCITD
ID: 37765858
Resources are of no concern. We are using this ASA for 2 VPN tunnels with only 2 client workstations on the other end, so throughput is nowhere near max. The vendor is a major EMR vendor that I believe is attempting a strong-arm approach at purchasing additional hardware. The 2811's sole purpose would only be used if the company needs to remote in and troubleshoot issues with servers that we cannot handle ourselves, so yes, it is absurd. Thanks for both of your input on this.