Building a VPN with Cisco ASA gear

The organization I work for recently bought a Cisco ASA 5510 and 3 ASA 5505s to replace some SonicWalls we have in a few group homes. They are going to be doing a site-to-site VPN tunnel so that the group homes can access our VoIP phones and also remote desktop into our terminal server. I have tried to test the ASAs from home; I have tried a few things but all were unsuccessful. Any thoughts? — Dale L. Bradford

Since you are moving from a different brand of firewall, you will want to work through this in stages. Keep good notes as you work through things, it will serve you well as you become more familiar with getting the firewalls to work.

The first thing I would do is look at the licenses on your respective firewalls. While Cisco refers to the different license levels, I have found the terminology a little different from what you would expect: Assuming the 5510 is a 10 user license and the 5505 have a 5 user license, if you come across VPN link from the 5505 side to the 5510 and call up a complex Web site, you will eat up all the licenses on the 5510 and the VPN connection will appear to fail because of the way licensing is handled on the Cisco ASA devices. So check the licenses between the ASAs that you have: If you have the 3 ASA 550s with a 10-user license installed on each one, you will want to add that license count to the number of users at the main office for the total license for the 5510. Assuming you have 20 users at the main office, you would want to have a license installed of at least 50 users on the ASA 5510. You may find that a higher license count is necessary on the 5510; you’ll need to do some testing to know for sure. You won’t really see this explained in the documentation, unfortunately.

Once you’ve dealt with the license issue, connect the two WAN ports together between the ASA 5510 and one of the 5505s. You may need to use a crossover cable to get link between the two firewalls. You can also try putting a switch between the two ASAs – a Layer 3 switch would be ideal, or try a router with 2 Ethernet interfaces. This will let you assign different IP addresses from different subnets to the respective ASAs you are testing. Set up a site-to-site VPN connection. Make sure that you can route properly between the two ASAs and can see all of the systems on each side of the connection. This will help you get a feel for setting up a VPN connection.

What you do next depends on how you want to get the sites connected. If you only want traffic intended for the servers at your main location to come across the VPN tunnel and allow the remaining Internet traffic to go out over the local connection directly, you will want to set up a split-tunneling configuration. This configuration will mean a little more maintenance work since you will have multiple sets of firewall rules to maintain. Forcing all the traffic back to the main office before allowing it to go out over the Internet will mean that the remote house locations will use the bandwidth you have twice, once for the incoming connection from the remote site and again for the resources on the Internet they are trying to access.

Since you are moving from one brand of VPN/firewall device to another, you have another decision to make: Whether to change all the devices out at once or to move to the new system in stages. Moving all at once will mean everyone will be down until you bring each site up. Moving things one site at a time will require your ISP to assign you additional IP addresses to allow the devices to operate in tandem until the move is complete. You will also need to put some static routes in at the main office to direct the traffic for a particular site to the correct vpn device until you have everyone converted to the new system. While this last option will be a little more work to get setup, I think you will find that it may make things a little easier make the move as it should help reduce some of the pressure during the conversion process.

Although the above isn’t the absolute complete answer, it should help you get started. Go to Cisco’s Web site and you should find several good reference documents that can help you walk through both of the configurations that I have discussed here. As you test these configurations, save copies when you have them working and keep them separately from the ASAs. Then erase the configuration and recreate it. This will help make sure that when you recreate the configuration and it doesn’t work the second or third time, that you have a base configuration to compare against to help fix it and help the troubleshooting process. Once you have your test configuration working, you will need to change to the actual IP addresses that your ISP has assigned to you and you should be ready to go.

Related Download
Five Key Issues for DNS: The Next Network Management Challenge Sponsor: F5 Networks
Five Key Issues for DNS: The Next Network Management Challenge
Download this whitepaper to learn the five issues that IT needs to think about around DNS and why, as well as how you can build a strong DNS foundation to maximize use of resources, secure DNS, and increase service management, while remaining agile.
Register Now