ASA 5505 RA VPN Endpoint - On a stick

This is more of a design question than anything.

I want to configure an ASA 5505 to handle RA VPN connections... Simple. Except instead of the outside interface connecting to the ISP, and the inside connecting to the internal network, I would like to use only ONE interface.

We already have a nice firewall in place, so this would connect to the firewall on a DMZ subnet. That means that a VPN client would request a public IP on the firewall, which would get NAT'd to the IP of the ASA...

Are there any implications with this? I'm used to having a NO_NAT ACL (NAT 0) and stuff like that... Would I configure this on the firewall instead?

Find more posts tagged with

Comments

shednik

Are you saying something like this

Internet

| Firewall |

ASA
Internal network--- |

If so there are a few variables I would consider.

Is this an IPSec or SSL VPN?

I don't think a remote access VPN will work with an inbound NAT on IPSec, atleast it's never worked for me in my testing.

Since it's a 5505 why can't you just make the one interface a trunk and have and inside and outside vlan? You would have to have a public transfer network for the outside vlan and a transfer network for the inside vlan.

If it is an SSL VPN only it my work with a single NAT'd IP address but I would have to lab that out to confirm.

For NATing if you are on 8.3 you wouldn't have to worry about NAT, if you're not you would still need to I would think.

hope this helps...

joe

mzinz

shednik wrote: »

Are you saying something like this

Internet
| Firewall |
ASA
Internal network--- |

If so there are a few variables I would consider.

Is this an IPSec or SSL VPN?

I don't think a remote access VPN will work with an inbound NAT on IPSec, atleast it's never worked for me in my testing.

Since it's a 5505 why can't you just make the one interface a trunk and have and inside and outside vlan? You would have to have a public transfer network for the outside vlan and a transfer network for the inside vlan.

If it is an SSL VPN only it my work with a single NAT'd IP address but I would have to lab that out to confirm.

For NATing if you are on 8.3 you wouldn't have to worry about NAT, if you're not you would still need to I would think.

hope this helps...

joe

Hard to tell what you were trying to diagram... Damn ASCII

. Here's what I'm talking about though: Whoops! - TinyGrab

Is that what you were describing?

shednik

Yea pretty much, since it's a 5505 you can create a trunk link on the firewall and ASA for an inside and outside vlan which will serve as transfer networks.
Then you can setup your routing like this

Default --> Firewall interface for outside vlan
Internal Routes--> Firewall interface for inside vlan

mzinz

shednik wrote: »

Yea pretty much, since it's a 5505 you can create a trunk link on the firewall and ASA for an inside and outside vlan which will serve as transfer networks.
Then you can setup your routing like this

Default --> Firewall interface for outside vlan
Internal Routes--> Firewall interface for inside vlan

Very interesting. Thanks for the recommendation.