Adding a VPN Appliance

Let me preface this with this would be so much easier if I were able to use the Firebox to create the VPN but I don't have that option due to a SLA.

I have a vendor who will be providing a web based service that can only be connect to through a VPN connection. Yeah, I know that is weird but it is what it is. This same VPN connection will allow printing to local printers on our network using a print server on their end.

They will be shipping me a Cisco ASA 5506 preconfigured. They want an external IP address and an internal IP address to assign to their device. The easy way to configure this is to just plug the internal IP port into my core switch and use the switch to route traffic. I don't like this as I can't control the data flow from the outside vendor. They basically have cart blanche of my network.

If I were to connect this through my Firebox, what would be the best way to approach this? I have some ideas but I have to send the preconfig information to them and can't test different scenarios.

I'm currently configured with a block of 5 IP's from my ISP. Only two are in use by the Firebox. There is an internal trusted network. No VLANs. Fairly basic setup. Static IP's internally for devices.

Thanks in advance.


  • Options

    You could connect the internal ASA interface to an unused firewall interface and then use policies to control what packets are allowed to/from that IP addr.
    You just need to make sure that the printing and other functions would work with this setup to/from your LAN IP addrs.

  • Options

    Would I give the ASA's "local" port an IP that I would translate? Or an actual IP on my trusted network and bridge the ASA port to the trusted network?

  • Options

    An IP addr from a different subnet.
    Bridging would not allow packet control.

  • Options

    Thanks Bruce_Briggs. I think I've found a flow that will work for us. There is another hitch where the traffic going towards their webserver needs to have unique IP's for each user. Luckily we usually only have one person logged in 99% of the time. We'll have to deal with the other 1%.

Sign In to comment.