Need help with site to site VPN via ASA 5510
Shanman
Member Posts: 223
I would like to ask the people on this great board that have more experience than me how I should go about this. I do not want to create a security vulnerability. We are in the planning stage at the moment.
My issue is that I have a vendor that wants to set up a site-to-site VPN for VoIP on 5 IP phones. These will be monitored and maintained by the vendor. These phones will not have access to our internal network. As far as the network goes, I am thinking to just set up a VLAN for this and write ACLs to keep the VLAN separate. This would get trunked back to our core.
As for our border firewall, we have an ASA 5510. What are my options to have a site-to-site VPN connecting to this VLAN, and what are my security risks? I am sure there are many ways to do this, but I am asking the advice of the professionals here. Can someone give me some insight?
We do have an interface on the 5510 that is not being used. Thank you in advance for your ideas.
Comments
-
Shanman Member Posts: 223
Ok, after thinking about this all day I think I have come up with a solution. Please advise if I am wrong here.
I have a /27 with some free address space from my ISP and an available interface on my ASA 5510. I am thinking of defining the interface on the ASA with a private IP, 10.18.11.1/24. Then I can NAT my public address to 10.18.11.1/24.
Then I can set up my site-to-site VPN with the public address and use ACLs on the inside to keep the traffic separate. Does this sound like a good solution for a site-to-site VPN that is separate from my internal network? Please keep in mind this VLAN is for one use only and no other traffic in or out. -
drkat Banned Posts: 703
I'd just set up a regular site-to-site and tunnel your voice traffic to your media gateway on the other side.
Permit only the voice subnet. -
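The approach drkat describes, as an added example that is not part of any post in this thread: a plain IKEv1/IPsec site-to-site tunnel on the ASA 5510 whose crypto ACL covers only the dedicated voice subnet, with the unused ASA interface carrying that subnet and an inbound ACL that keeps the phones off the internal network. Every value is assumed for illustration: ASA 8.2 command syntax (pre-8.3 NAT), Ethernet0/2 as the spare interface, 10.18.11.0/24 as the local voice VLAN (taken from the thread), 192.0.2.0/24 as the vendor's media gateway subnet, 198.51.100.10 as the vendor's VPN peer, and 10.0.0.0/8 as the address space used on the inside. Substitute your own, and check the exact syntax against the ASA release you run.

```cisco
! --- Dedicated interface for the vendor voice VLAN (Ethernet0/2 assumed unused) ---
interface Ethernet0/2
 nameif voice
 security-level 50
 ip address 10.18.11.1 255.255.255.0
 no shutdown

! --- "Interesting traffic": only the voice subnet to the vendor's gateway subnet ---
! This ACL doubles as the crypto map match and the NAT exemption, so nothing
! outside this pair of subnets can ever enter the tunnel from our side.
access-list VOICE_TO_VENDOR extended permit ip 10.18.11.0 255.255.255.0 192.0.2.0 255.255.255.0

! --- No NAT for tunnel traffic (8.2 "nat 0" exemption) ---
! The vendor does not want NAT on this end; exempting the voice subnet keeps
! the phones' real addresses inside the tunnel.
nat (voice) 0 access-list VOICE_TO_VENDOR

! --- IKE phase 1 (assumed parameters; use the strongest both ends support) ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! --- IPsec phase 2 ---
crypto ipsec transform-set VOICE_TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VOICE_TO_VENDOR
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set VOICE_TS
crypto map OUTSIDE_MAP interface outside

! --- Peer definition; the pre-shared key is a placeholder, generate a long random one ---
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY

! --- Inbound ACL on the voice interface: tunnel only, never the inside ---
! Phones may talk to the vendor's gateway subnet (signalling and RTP); anything
! else, including our internal RFC 1918 space and the Internet, is dropped.
access-list VOICE_IN extended permit ip 10.18.11.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list VOICE_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list VOICE_IN extended deny ip any any
access-group VOICE_IN in interface voice
```

Two points worth checking on a real deployment. First, decrypted tunnel traffic bypasses interface ACLs when `sysopt connection permit-vpn` is on (the default), but because the crypto ACL only matches 10.18.11.0/24, the vendor side can still only reach the voice subnet; if you want the vendor's inbound traffic filtered as well, turn that sysopt off and add a matching inbound ACL on the outside interface. Second, the inside interface sits at security level 100 and the voice interface at 50, so hosts on the inside can initiate connections to the phones unless you add an ACL on the inside interface denying traffic to 10.18.11.0/24; the thread's requirement is only that the phones cannot reach the internal network, which the `VOICE_IN` ACL enforces.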
ayori Member Posts: 48 ■■□□□□□□□□
> Ok, after thinking about this all day I think I have come up with a solution. Please advise if I am wrong here.
> I have a /27 with some free address space from my ISP and an available interface on my ASA 5510. I am thinking of defining the interface on the ASA with a private IP, 10.18.11.1/24. Then I can NAT my public address to 10.18.11.1/24.
> Then I can set up my site-to-site VPN with the public address and use ACLs on the inside to keep the traffic separate. Does this sound like a good solution for a site-to-site VPN that is separate from my internal network? Please keep in mind this VLAN is for one use only and no other traffic in or out.
What is this NATing for? -
Shanman Member Posts: 223
I still have not found a solution for this problem. The vendor does not want me to NAT on this end. He will NAT on his end. So here is my problem again. I have a single public address that I need to pass through my network through switched trunks, since this is a switched network. They are bringing their own hardware that they want to access from this address to monitor their phones. I want to have this traffic completely separate from our internal network. Can someone please give me some suggestions on solutions that will not negatively impact the security of our network? Our border firewall is an ASA 5510. Thank you in advance!
-
Shanman Member Posts: 223
Well, I just got off the phone with the vendor. Since we have defined the entire /29 public IP address block for our outside interface, it looks like we will have to do some type of NAT on our end.
What a nice project to get for your first assignment. -
Shanman Member Posts: 223
Well, NAT is out of the question. We cannot have a double NAT in this link. I need to somehow get a raw public address down to a specific switch port. Any ideas how to do this securely?