ASA 5505 RA VPN Endpoint - On a stick
This is more of a design question than anything.
I want to configure an ASA 5505 to handle RA VPN connections... Simple. Except instead of the outside interface connecting to the ISP, and the inside connecting to the internal network, I would like to use only ONE interface.
We already have a nice firewall in place, so this would connect to the firewall on a DMZ subnet. That means that a VPN client would request a public IP on the firewall, which would get NAT'd to the IP of the ASA...
Are there any implications with this? I'm used to having a NO_NAT ACL (NAT 0) and stuff like that... Would I configure this on the firewall instead?
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801
Comments
shednik:
Are you saying something like this?
Internet
| Firewall |
ASA
Internal network--- |
If so there are a few variables I would consider.
Is this an IPSec or SSL VPN?
I don't think a remote access VPN will work with an inbound NAT on IPSec, at least it's never worked for me in my testing.
Since it's a 5505 why can't you just make the one interface a trunk and have an inside and outside vlan? You would have to have a public transfer network for the outside vlan and a transfer network for the inside vlan.
If it is an SSL VPN only it may work with a single NAT'd IP address but I would have to lab that out to confirm.
For NATing if you are on 8.3 you wouldn't have to worry about NAT, if you're not you would still need to I would think.
hope this helps...
joe

mzinz:
> Are you saying something like this?
> Internet
> | Firewall |
> ASA
> Internal network--- |
> If so there are a few variables I would consider.
> Is this an IPSec or SSL VPN?
> I don't think a remote access VPN will work with an inbound NAT on IPSec, at least it's never worked for me in my testing.
> Since it's a 5505 why can't you just make the one interface a trunk and have an inside and outside vlan? You would have to have a public transfer network for the outside vlan and a transfer network for the inside vlan.
> If it is an SSL VPN only it may work with a single NAT'd IP address but I would have to lab that out to confirm.
> For NATing if you are on 8.3 you wouldn't have to worry about NAT, if you're not you would still need to I would think.
> hope this helps...
> joe
Hard to tell what you were trying to diagram... Damn ASCII. Here's what I'm talking about though: (image link, TinyGrab)
Is that what you were describing?
shednik:
Yea pretty much, since it's a 5505 you can create a trunk link on the firewall and ASA for an inside and outside vlan which will serve as transfer networks.
Then you can setup your routing like this
Default --> Firewall interface for outside vlan
Internal Routes--> Firewall interface for inside vlan
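Added example, not from the thread and not Cisco's own sample: how the single-trunk design shednik describes lays out on an ASA 5505 running pre-8.3 (8.2) syntax. It shows the one physical port as an 802.1Q trunk carrying two VLAN interfaces (outside and inside transfer networks), the two routes from the post, the nat 0 exemption the original poster asked about for the client pool, and NAT-T enabled because the existing firewall fronts the ASA with a NAT'd public address. Every address, name and secret is a constructed placeholder. One caveat that is easy to miss: 802.1Q trunking on 5505 switchports requires the Security Plus license, so on a Base license you would need two access ports instead of one trunk.

```cisco
! Added example (not from the thread). ASA 5505, 8.2 / pre-8.3 NAT syntax.
! All addresses, names and secrets are constructed placeholders.
hostname RA-ASA
!
! One physical port carries both transfer networks as an 802.1Q trunk.
! Trunk ports on the 5505 need the Security Plus license.
interface Ethernet0/0
 description Trunk to existing firewall
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 no shutdown
!
! "Outside" transfer network: the firewall NATs its public VPN IP to 192.0.2.2
interface Vlan10
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
! "Inside" transfer network toward the internal routes behind the firewall
interface Vlan20
 nameif inside
 security-level 100
 ip address 198.51.100.2 255.255.255.252
!
! Routing as described in the thread: default via the firewall's outside
! VLAN, internal prefixes via its inside VLAN (10.0.0.0/8 is assumed)
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.0.0.0 255.0.0.0 198.51.100.1 1
!
! Client pool; exempt pool<->internal traffic from any dynamic NAT on the ASA.
! Only matters if nat-control or a nat/global pair is configured here.
ip local pool RA_POOL 10.200.0.1-10.200.0.100 mask 255.255.255.0
access-list NO_NAT extended permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! Split tunnel: only internal prefixes are sent through the tunnel
access-list SPLIT_ACL standard permit 10.0.0.0 255.0.0.0
!
! IKEv1/IPsec remote access. NAT-T is required because the ASA sits behind the
! firewall's static NAT; the firewall must pass UDP/500 and UDP/4500 to 192.0.2.2.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set RA_TS esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set RA_TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
!
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
!
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key PLACEHOLDER_CHANGE_ME
!
! Local test account; in production point authentication at AAA instead
username vpnuser password PLACEHOLDER_CHANGE_ME
username vpnuser attributes
 vpn-group-policy RA_GP
```

Two things the existing firewall has to do for this to work, since the ASA only sees the two transfer networks: forward UDP/500 and UDP/4500 from the public VPN address to 192.0.2.2 on the outside VLAN, and carry a route for the client pool (10.200.0.0/24 here) pointing back at 198.51.100.2 on the inside VLAN, otherwise return traffic from internal hosts never reaches the tunnel. On 8.3 and later the `nat (inside) 0 access-list` line is replaced by an identity twice-NAT rule; the rest of the layout is unchanged.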
mzinz:
> Yea pretty much, since it's a 5505 you can create a trunk link on the firewall and ASA for an inside and outside vlan which will serve as transfer networks.
> Then you can setup your routing like this
> Default --> Firewall interface for outside vlan
> Internal Routes--> Firewall interface for inside vlan
Very interesting. Thanks for the recommendation.