ASA 5520 with multiple inside/outside VLANs for VPN termination

Discussion in 'Cisco' started by maxprophet, Dec 19, 2007.

  1. maxprophet

    maxprophet Guest

    All,

    I was hoping to get some confirmation that this will work as I've
    never tried it.

    My Scenario:
    ASA 5520 that hasn't arrived yet.

    Multiple outside VLANs as bandwidth contracts/SLA vary between
    partners:
    Partner A
    Partner B
    Corp

    Multiple inside VLANs at our edge corresponding to these partners with
    traffic separation within our campus:
    Partner A
    Partner B
    Corp

    I would like to be able to terminate VPNs on the outside using
    multiple logical interfaces corresponding to the outside VLANs. I
    would like these VPNs to flow through to the appropriate logical
    interface corresponding to the VLANs on the inside. Basically I am
    guaranteeing that the VPNs for any given partner are terminated using
    bandwidth allocated to them as the ISP handles the bandwidth
    allocations by providing us the outside VLANs.

    Anyhow, I am assuming I would just set this up like any other VPN
    arrangement terminating my tunnels on the appropriate logical
    'outside' interfaces. I am then assuming that traffic would flow
    properly based on the ACLs used for the match addresses as traffic
    would be recognized as being local to the appropriate logical
    'internal' interfaces. There is no IP overlap on the 'inside'. Will
    this work? Do I have to take any other steps to ensure traffic
    separation? Thanks!

    -Kevin
     
    maxprophet, Dec 19, 2007
    #1
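A sketch of the per-partner subinterface layout the post describes, added here as an example and not taken from the thread. It uses pre-8.3 ASA syntax (nat 0 exemption, crypto isakmp enable); all interface names, VLAN IDs, addresses (RFC 5737 documentation ranges) and the peer are made-up placeholders. Only Partner A is shown; Partner B and Corp repeat the same pattern on their own outside/inside VLAN pair.

```cisco
! Added example config, not from the original post. Interface names, VLAN IDs,
! addresses, the peer and the key are placeholders.
!
! Physical ports carry only tagged subinterfaces.
interface GigabitEthernet0/0
 description ISP hand-off (one VLAN per bandwidth contract)
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 description campus edge (one VLAN per partner)
 no nameif
 no security-level
 no ip address
!
! Partner A: outside subinterface on the ISP VLAN, inside subinterface on the
! campus VLAN. Leave "same-security-traffic permit inter-interface" OFF: with it
! off, inside-partnerA, inside-partnerB and inside-corp (all level 100) cannot
! talk to each other, which is the separation the post wants.
interface GigabitEthernet0/0.101
 vlan 101
 nameif outside-partnerA
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1.201
 vlan 201
 nameif inside-partnerA
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
! The ASA picks the egress interface by routing BEFORE it consults a crypto map,
! and only one interface can hold the default route. The peer and its protected
! network therefore need explicit routes out this partner's outside subinterface,
! otherwise the tunnel would try to leave via whichever VLAN has the default.
route outside-partnerA 198.51.100.10 255.255.255.255 203.0.113.1
route outside-partnerA 192.168.10.0 255.255.255.0 203.0.113.1
!
! Interesting traffic for the tunnel, reused as the NAT exemption
! (the nat 0 line only matters if the partner's inside VLAN is also NATed/PATed).
access-list partnerA-vpn extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside-partnerA) 0 access-list partnerA-vpn
!
! Limit what decrypted partner traffic may reach. By default
! "sysopt connection permit-vpn" lets VPN traffic bypass the interface ACL,
! so turn it off and filter on the partner's own outside subinterface.
! (IKE/ESP to the ASA itself is to-the-box traffic and is not affected.)
no sysopt connection permit-vpn
access-list outside-partnerA-in extended permit ip 192.168.10.0 255.255.255.0 10.10.1.0 255.255.255.0
access-group outside-partnerA-in in interface outside-partnerA
!
! IKE and the crypto map are bound to the partner's outside subinterface only.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside-partnerA
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map partnerA-map 10 match address partnerA-vpn
crypto map partnerA-map 10 set peer 198.51.100.10
crypto map partnerA-map 10 set transform-set ESP-AES256-SHA
crypto map partnerA-map interface outside-partnerA
!
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-PARTNER-A-KEY
```

Once the tunnel is up, "show crypto isakmp sa" and "show crypto ipsec sa" should list the SA against outside-partnerA, and "packet-tracer input inside-partnerA tcp 10.10.1.5 1234 10.10.2.5 80" (with 10.10.2.0/24 as a hypothetical Partner B inside VLAN) should end in a drop, confirming the campus-side separation holds.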

  2. Anthony

    Anthony Guest

    Since you are going with the 5520, why not look into running your
    firewall in context mode, which is basically creating separated
    logical firewalls within your one piece of hardware. Then you can
    technically have a separate FW for each partner and your corp
    network. Separate IPs, routes, administrators, VPN configs,
    everything.
     
    Anthony, Dec 20, 2007
    #2

  3. mcaissie

    mcaissie Guest

    Be careful with context mode. Some features are not supported, especially
    VPN:

    "Many features are supported in multiple context mode, including routing
    tables, firewall features, IPS, and management. Some features are not
    supported, including VPN and dynamic routing protocols. "

    ref:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html
     
    mcaissie, Dec 20, 2007
    #3