Add Cisco ASA5505 into existing network for VPN access

Posted on 2014-02-24
Last Modified: 2014-07-13
We have an existing network to which we are looking to add an ASA5505 to provide AnyConnect VPN access.

I am looking for some advice on what the best place to add this will be, based on the network description below.

Currently we have a single Cisco router doing all our network services including DMVPN, WebVPN, GRE Tunnel endpoint for our portable /24, NAT, firewall, VLANs.

Gig0/0 - WAN (ISP allocated Static IP address)
Gig0/1 - Our DMZ (which is the GRE tunnel routed to this interface)
Gig0/2 - Our Internal Networks (2 VLANs Voice/Data) configured as a DOT1Q trunk.

Our public subnet is provided via a GRE tunnel from our ISP and we decap this on the router.
WebVPN runs on this router and uses the WAN address for SSL access.
We run a DMVPN for our branches where this router is the hub.
NAT runs between G0/0 and G0/2
High number of FW rules between various interfaces

Primarily I want the ASA to take over the VPN access as the IOS WebVPN has a number of limitations. The VPN will allow access to our Internal Networks AND those networks on our DMVPN network. I was going to use part of the DMZ /24 to give the ASA a public address.

As I think I will need to do some rearchitecting anyway (I cannot just throw the ASA in the VPN and connect the other port to the restricted network), I was thinking of moving the DMZ off the router and onto this ASA.  I do have a concern though that the ASA cannot do GRE so I may need to throw a small router in front to do the GRE decap before the ASA.

The other thing I need to look at is whether I can move the DMVPN tunnels onto the ASA (note - does not need to be DMVPN but I do need to be able to use dynamic client endpoints).  

Advice, anyone?
Question by:RescueIT

Expert Comment

by:agonza07
ID: 39887060
How many VPN devices do you have? Sounds like you might want to upgrade the ASA to a 5510 or something (I know they are EOL, but you get my drift.)

I would let the ASA handle your firewall and VPN capabilities. That's what it was designed for.

You cannot terminate the GRE tunnel, but you can use the ASA to encrypt the tunnel. Please see this link.
http://allthingsnetworking.wordpress.com/2012/09/21/encrypt-your-gre-tunnel-with-cisco-asa/

So you have your ASA doing the encryption/decryption, and you just have your router doing the routing. Depending on how you have your set up from the ISP, you may not need a router in front of the ASA.

ASA can handle dynamic endpoints as well.

Author Comment

by:RescueIT
ID: 39887256
I have only the one ASA5505. Our DMVPN endpoints are IOS routers (we have 3 DMVPN endpoints) so I don't think we need anything bigger than the 5505.

I need to decap the GRE at the first hop in order to allow me to subnet this, otherwise I won't have enough public IP addresses to use to connect the ASA to the router.

I need to look at the dynamic endpoint capability for the ASA - but my understanding is that we cannot carry a routing protocol over this.

Accepted Solution

by:agonza07 (earned 500 total points)
ID: 39887915
I think you'll need a router to decap the GRE in front of the ASA then if that's how the ISP has their end configured.

With 3 VPN tunnels you should be good on the ASA 5505, just keep an eye on that CPU.

You won't be able to carry the routing protocol on the ASA, but you can do the encryption and pass the routing to your router to handle that. I currently use this model as a backup to our MPLS circuits. I have GRE tunnels with the IPSEC piece terminating at the ASA and just passing the GRE traffic to my MPLS router for it to handle the dynamic routing. If my MPLS link goes down, it automatically picks up the GRE link. That first link I sent above shows how to do this.

Please see this link below for more info on DMVPN on ASA. Looks like you'll need to convert those tunnels.
https://supportforums.cisco.com/thread/2026055

You can set up a site-to-site tunnel using a dynamic-to-static configuration.

DMVPN is only supported on Cisco routers, so it is not possible to implement it in routers.
This is because DMVPN still uses GRE which is supported only on routers.

Here's an example of a site-to-site when one end has a dynamic IP address assigned:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml
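As an added example (not from this thread or either poster) of the split agonza07 describes in both replies, here is the hub-side ASA configuration: IPsec terminates on the ASA using a dynamic crypto map, so branch routers whose public addresses change can bring the tunnel up, and the decrypted GRE is handed to the hub IOS router on the DMZ, which keeps the GRE endpoint and runs the routing protocol that the ASA cannot. Interface names, addresses (RFC 5737 documentation ranges), the DH group and the pre-shared key are placeholders; syntax assumes ASA 8.4+/9.x IKEv1.

```cisco
! Added example, not the thread's own configuration. Hub ASA only.
! Hub IOS router (GRE endpoint) lives on the DMZ at 203.0.113.10 (placeholder).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 203.0.113.9 255.255.255.248
!
! Phase 1: IKEv1 on the outside interface. Branches with dynamic addresses land in
! DefaultL2LGroup, so that is where the shared key goes. Pick the strongest DH
! group both the ASA and the branch IOS images support.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-PLACEHOLDER
!
! Phase 2: a dynamic map has no fixed peer, so any authenticated branch may connect.
! Consequence: only the branch can initiate; the hub has no address to dial.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-BRANCH 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN-BRANCH 10 set pfs group5
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-BRANCH
crypto map OUTSIDE-MAP interface outside
!
! The ASA only sees GRE (IP protocol 47) between branch and hub router; the routing
! protocol rides inside the GRE tunnel, so the ASA never has to speak it.
! By default decrypted traffic bypasses interface ACLs (sysopt connection permit-vpn);
! if that is disabled, this ACL is what lets the GRE reach the hub router.
access-list OUTSIDE-IN extended permit gre any host 203.0.113.10
access-group OUTSIDE-IN in interface outside
```

Each branch still needs a matching static crypto map pointing at 203.0.113.2 with the same key, transform set and a crypto ACL of `permit gre host <branch-router> host 203.0.113.10`, and the hub router keeps its existing tunnel interfaces unchanged.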
