We have an existing networking which we are looking to add an ASA5505 to provide Anyconnect VPN access.
I am looking for some advise on what the best place to add this will be based on the network description below.
Currently we have a single Cisco router doing all our network services including DMVPN, WebVPN, GRE Tunnel endpoint for our portable /24, NAT, firewall, VLANs.
Gig0/0 - WAN (ISP allocated Static IP address)
Gig0/1 - Our DMZ (which is the GRE tunnel routed to this interface)
Gig0/2 - Our Internal Networks (2 VLANs Voice/Data) configured as a DOT1Q trunk.
Our public subnet is provided via a GRE tunnel from our ISP and we decap this on the router
WebVPN runs on this router and uses the WAN address for SSL access.
We run a DMVPN for our branches where this router is the hub.
NAT runs between G0/0 and G0/2
High number of FW rules between various interfaces
Primarily I want the ASA to take over the VPN access as the IOS WebVPN has a number of limitations. The VPN will allow access to our Internal Networks AND those networks on our DMVPN network. I was going to use part of the DMZ /24 to give the ASA a public address.
As I think I will need to do some rearchitecting anyway (I cannot just throw the ASA in the VPN and connect the other port to the restricted network), I was thinking of moving the DMZ off the router and onto this ASA. I do have a concern though that the ASA cannot do GRE so I may need to throw a small router in front to do the GRE decap before the ASA.
The other thing I need to look at is whether I can move the DMVPN tunnels onto the ASA (note - does not need to be DMVPN but I do need to be able to use dynamic client endpoints).
Advise anyone ?