mike0612
Two ASAs, a regular company ASA and a new VPN ASA.

I have a Cisco ASA for regular use: internet, VPN, etc. We are moving an application to the cloud and the company sent us another firewall (ASA) just for VPN purposes. I gave them a public and a private address for the VPN device. I set this up with the LAN portion of the VPN device connected to the switch, on a switch port that is trunked. The WAN portion is connected to a port on the company ASA. I set up a NAT from the public IP I gave them to the private IP. I then set up an access list a number of different ways. Most notably, I opened everything up to see if I could access the VPN ASA, but couldn't. Couldn't ping it either. Is there something I'm missing? Do I need to add a global command allowing same-security traffic, because the internal interface of the VPN device and the company ASA have the same security level, as does the WAN portion?
Mal Osborne

I don't quite understand how this is set up, you might need to post a diagram with IPs, so it becomes more clear.

In any case, as I understand things, client PCs now have TWO possible gateways they can use:
1. The original ASA.
2. The supplied ASA.

Thus, client PCs will need to have a route added, so they know where to send traffic for the new cloud app.

For example, you might be using the 10.0.0.254/24 range on your internal LAN, with the original ASA on 10.0.0.254, and the supplied one at 10.0.0.253, with the cloud app using 192.168.50.254/24.


In this case, your client machines would need an IP in the 10.0.0.0 - 10.0.0.252 range, (usually via DHCP), a default gateway of 10.0.0.254, and a route for 192.168.50.254/24, via 10.0.0.253.


The following command will add such a route on Windows:

Route ADD 192.168.50.0 MASK 255.255.255.0 10.0.0.253
mike0612

ASKER

There is more to this that makes it even more confusing. Upper management went ahead with this without saying anything to IT. I added a drawing; I need to make a better one, so if it doesn't help just say so. The internal LAN is 192.168.1.# (VPN-Device.pdf)
Is that a Layer 3 switch? (Can it at least do static routing?)

Pete
The switch is Layer 3.
OK, the NEW ASA will need a public IP on the outside of the OLD ASA.

Then deploy it like this
Cisco ASA: Allow VPN Traffic “Through” A Cisco Firewall

Finally you will need to add the Routes on the L3 switch to route the VPN networks to the inside of the NEW ASA.

Job done. In addition, if you are deploying AnyConnect you will need to open TCP 443 as well as the ISAKMP ports I mentioned in that article.

P
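As an added worked example of the steps Pete lists above (this is not configuration from the original thread, from the linked article, or from either poster): the pieces needed on the old company ASA and on the L3 switch. Every address, interface and object name below is an assumption for illustration. It assumes the old ASA runs 8.3-or-later NAT syntax, that the new ASA's outside interface is 10.10.10.2 on a dedicated interface of the old ASA, that the public address given to the cloud provider is 203.0.113.10 (a spare address in the old ASA's outside subnet), that the new ASA's inside interface is 192.168.1.253 on the trunked LAN, and that the cloud application network is 192.168.50.0/24 (Mal's example range). The provider's peer address 198.51.100.5 is likewise made up for the verification command.

```cisco
! ===== Old (company) ASA =====
! Dedicated interface facing the new ASA's outside/WAN port. Addresses are assumptions.
! Security level 50 sits between outside (0) and inside (100), so no
! same-security-traffic command is needed for the VPN path.
interface GigabitEthernet0/2
 nameif vpnlink
 security-level 50
 ip address 10.10.10.1 255.255.255.252
!
! Static 1:1 NAT: the public IP handed to the cloud provider <-> the new ASA's outside IP.
! Static NAT is bidirectional, so it also covers the new ASA's own outbound IKE traffic.
object network NEW-ASA-OUTSIDE
 host 10.10.10.2
 nat (vpnlink,outside) static 203.0.113.10
!
! Inbound from the internet: IKE (UDP 500), NAT-T (UDP 4500), ESP, and TCP 443 for AnyConnect.
! On 8.3+ the ACL references the real (untranslated) address, hence the object, not 203.0.113.10.
access-list OUTSIDE_IN extended permit udp any object NEW-ASA-OUTSIDE eq isakmp
access-list OUTSIDE_IN extended permit udp any object NEW-ASA-OUTSIDE eq 4500
access-list OUTSIDE_IN extended permit esp any object NEW-ASA-OUTSIDE
access-list OUTSIDE_IN extended permit tcp any object NEW-ASA-OUTSIDE eq https
! Optional, only while testing: without this, a ping to the public IP is dropped here,
! which is one reason "couldn't ping it" proves nothing about the NAT.
access-list OUTSIDE_IN extended permit icmp any object NEW-ASA-OUTSIDE echo
access-group OUTSIDE_IN in interface outside
!
! Verification (exec mode, not config): trace an IKE packet from the provider's peer
! through NAT and the ACL before asking them to bring the tunnel up.
packet-tracer input outside udp 198.51.100.5 500 203.0.113.10 500

! ===== L3 switch (IOS) =====
! Send the cloud application network to the inside of the NEW ASA; everything else
! keeps following the existing default route to the old ASA.
ip route 192.168.50.0 255.255.255.0 192.168.1.253
```

If the old ASA already has an inbound ACL bound to its outside interface, append the permit lines to that list rather than creating OUTSIDE_IN, since only one ACL can be applied per interface and direction. The same-security question in the original post only arises if two interfaces that the traffic actually crosses share a level; here the path is outside -> vpnlink on the old ASA, so their levels differ. Because the new ASA now sits behind NAT, the provider must be given 203.0.113.10 as the peer and IKE will use NAT-T on UDP 4500 for the ESP payload, which is why that port is permitted alongside ESP. Remove the ICMP line once the tunnel is confirmed.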