Solved

Cisco ASA 5510 & 2811 VPN Router

Posted on 2012-03-23
3
973 Views
Last Modified: 2012-03-26
We currently have a Cisco ASA 5510 setup with a DMZ  for Citrix Secure Gateway Access.  We are in the process of implementing new hardware/software and the vendor is requesting that we purchase an additional Cisco 2811 VPN router to create a tunnel for them to have access to the new servers.  Their recommendation was to set the new router publicly in front of/separate from the ASA and then inside LAN connection would be connected to the DMZ behind the ASA 5510.  By doing this, do we then need to configure NAT rules or static routes so that when traffic going through the 2811 falls in the 5510 DMZ there is a route to our corporate LAN for server access that is still secure?  My initial question was why not just create a VPN tunnel using the ASA and eliminate the 2811 all together and not route anything through the DMZ?
0
Comment
Question by:CMCITD
3 Comments
 
LVL 17

Accepted Solution

by:
MAG03 earned 250 total points
ID: 37758513
I don't see a need for the 2811.  But one thing to take into account is the capacity of the ASA, thoughput, vpn through put, max connections...etc. If the ASA is sufficient to meet your requirements then there is no need to buy more equipment.  Just create a VPN form the ASA as you mentioned.
0
 
LVL 15

Assisted Solution

by:Robert Sutton Jr
Robert Sutton Jr earned 250 total points
ID: 37765380
What type of license do you currently have on your ASA5510? Secondly, look at the bigger picture. What resource(s) "Exactly" do they need access to? Having a vendor request you purchase another router (2811 in this case) for the sole purpose of accessing a local resource(s) is absurd. Especially if you already have a capable device in place. Let us know.
0
 

Author Closing Comment

by:CMCITD
ID: 37765858
Resources are of no concern.  We are using this ASA for 2 vpn tunnels with only 2 client workstations on the other endso throughput is nowhere near max.  The Vendor is a major EMR vendor that I believe is attempting a strong arm approach at purchasing additional hardware.  The 2811 sole purpose would only be used if the company needs to remote in and troubleshoot issues with servers that we cannot handle ourselves so yes it is absurd.  THanks for both of your input on this.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question