ASA as a Default Gateway? Will it work?

I have a new warehouse coming online (Site 2) that I need to configure a site-to-site tunnel with. I'm stuck with having to try and make this configuration work with what they have but am a little confused. Site 1 has a bit more detail I didn't add to the drawing above as it doesn't pertain to Site 2.

Site 2 does not currently have a firewall. They purchased a Cisco ASA 5506-X, which is shown in the drawing, so we can create the tunnel. However, I found out that they only have 2 unmanaged switches. So from my understanding, I need to set their clients' default gateway to point to the private interface on the ASA; they currently point to the private interface on the Internet router, which will now have a public IP address along with the public interfaces of both the router and the ASA. Will this work? Will traffic from their LAN destined for the ASA know where to go? I can't point a route back to the LAN; there's nothing to point to.
Rick Goodman, Network Administrator, asked:
Garry Glendown, Consulting and Network/Security Specialist, commented:
Yes, the ASA can work as Default Gateway nicely. Actually, that's probably what 90% of users do, as very few (apart from larger installations) use an internal L3 switch. Actually, I bet you are already using the ASA at site 1 as default gateway, apart from the fact that it is only configured as such on the L3 switch ...

Ken Boone, Network Consultant, commented:
Yes, since site 2 only has 1 network, the inside interface of the ASA will be the default gateway for that network. Should work like a champ.
Benjamin Van Ditmars, Sr Network Engineer, commented:
Are you going to put your router in bridge mode to supply your WAN address to the ASA? Because you're going to set up a site-to-site VPN; otherwise you need to do some NAT on the router to forward port 500 to your ASA to set up your VPN.

And don't forget to add a route in the router that points the way back to your local subnet.
To answer your "will the traffic go the right way" question: yes. The ASA looks at the IP addressing of packets from the Site 2 clients. If the addresses match the VPN definition, the ASA encrypts the traffic and sends it through the tunnel. If the addresses do not match, the ASA assumes it's traffic for the Internet, so it performs NAT and sends it on to the router.
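To make the two answers above concrete (the ASA inside interface as the LAN's default gateway, the crypto ACL deciding what gets encrypted, and NAT for everything else), here is an added configuration example for the Site 2 ASA. It is not from the original thread or from any of its participants. Every address and name in it is an assumption: Site 2's LAN is taken to be 10.2.0.0/24, Site 1's LAN 10.1.0.0/24, the link between the ASA outside interface and the router 203.0.113.0/30 (the router holding .1, the ASA .2), and the Site 1 VPN peer 198.51.100.1. Syntax is ASA 9.x with IKEv2; the pre-shared key is a placeholder.

```cisco
! Site 2 ASA 5506-X (ASA 9.x). All addresses below are assumed, not from the thread.

! Outside: faces the Internet router on a /30. If the router is put in bridge mode
! this interface carries the public address instead.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252

! Inside: this address becomes the default gateway on every Site 2 client.
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0

! The ASA's own default route points at the router; there is no other path to point at.
route outside 0.0.0.0 0.0.0.0 203.0.113.1

object network SITE2-LAN
 subnet 10.2.0.0 255.255.255.0
 ! Anything not matched by the VPN exemption below is PATed to the outside address
 ! and handed to the router, i.e. the "assumes it's traffic for the Internet" path.
 nat (inside,outside) dynamic interface

object network SITE1-LAN
 subnet 10.1.0.0 255.255.255.0

! Crypto ACL: the "VPN definition" the ASA matches packets against.
access-list VPN-TO-SITE1 extended permit ip object SITE2-LAN object SITE1-LAN

! Identity (exempt) NAT so tunnel traffic keeps its real addresses. Manual NAT is
! evaluated before object NAT, so this wins over the dynamic PAT rule above.
nat (inside,outside) source static SITE2-LAN SITE2-LAN destination static SITE1-LAN SITE1-LAN no-proxy-arp route-lookup

! IKEv2 / IPsec parameters (must match what Site 1 is configured with).
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto map SITE2-MAP 10 match address VPN-TO-SITE1
crypto map SITE2-MAP 10 set peer 198.51.100.1
crypto map SITE2-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map SITE2-MAP interface outside
crypto ikev2 enable outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-STRONG-PSK
```

If the router stays in routed mode rather than bridge mode, two things still have to happen on the router itself, exactly as Benjamin's comment says: a static route for 10.2.0.0/24 with the ASA's outside address (203.0.113.2 in this example) as next hop, and, if the router is doing NAT in front of the ASA, UDP 500, UDP 4500 and ESP forwarded to that same address so IKE and NAT-T can reach the firewall. To confirm the classification described above without waiting for live traffic, run `packet-tracer input inside tcp 10.2.0.10 1025 10.1.0.10 445` on the ASA: the output should show the NAT exemption rule and a VPN encrypt phase for a Site 1 destination, and the dynamic PAT rule for any other destination. `show crypto ikev2 sa` and `show crypto ipsec sa` then confirm the tunnel is up and counting packets.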