[fw-wiz] Issue with replacing SonicWall VPN with Cisco ASA VPN devices

Hello Wizards,

Our network team is replacing the client's SonicWall devices with Cisco
ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall devices
were basically used as VPN endpoints in remote offices to be
concentrated back to the corporate HQ. All traffic not destined for the
local LAN in the remote offices was sent to the corporate office via the
"Route all traffic through this SA" functionality in the SonicWall. This
worked well for the environment, but now there is the need to replace
these devices, and Cisco ASA devices have been chosen.

They are now trying to duplicate that functionality via the Cisco
devices, but in talking with Cisco TAC, they say such a configuration is
not possible, and even if it were, it would not be a security best
practice. Implementation of the Cisco device has broken all Internet
connectivity from the remote offices, since the only traffic allowed out
to/from the Internet is through HQ (with the exception of the site-to-site
VPN traffic to allow connectivity between remote offices and HQ).
Remote offices can see everything on the HQ LAN, because the Cisco
device is configured with IP information that allows it to route traffic
to HQ.

I can see some of Cisco's arguments regarding it not being a security
best practice, but in the scenario of centralized management and
monitoring of Internet-bound traffic, has anyone successfully configured
the Cisco devices to mimic the "Route all traffic through this SA"
functionality present in the SonicWall devices? I understand they could
open up the Cisco devices to allow traffic out from each office, but
that would require monitoring every remote office, and deviates from the
centralized monitoring/management path we are currently traversing. I
haven't personally been involved in this implementation, but was
approached by the network team due to my security background, so I can
get more details from the network team if necessary.

We are simply trying to mimic in the Cisco devices the "Route all
traffic through this SA" functionality present in the SonicWall devices.

Thoughts?

Jeff
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
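For readers following this thread: the SonicWall "Route all traffic through this SA" behaviour is normally built on the ASA as a hub-and-spoke LAN-to-LAN tunnel whose spoke crypto ACL matches the branch LAN to any, with the hub permitting "hairpin" (U-turn) traffic back out its own outside interface and PATing it. The configuration below is an added illustration, not from the original post, Cisco TAC or Cisco documentation; all addresses (10.1.0.0/16 HQ LAN, 192.168.10.0/24 branch LAN, 198.51.100.10 and 203.0.113.20 as peers), object names and the pre-8.3 NAT syntax are assumptions for the era of the 5505/5520.

```cisco
! ===== HQ ASA 5520 (hub) =====
! Allow traffic that arrives on "outside" via the tunnel to leave via "outside" again
same-security-traffic permit intra-interface

! Crypto ACL: mirror of the spoke's "branch LAN -> anywhere" definition
access-list HQ-TO-BRANCH1 extended permit ip any 192.168.10.0 255.255.255.0

! Do not NAT HQ LAN <-> branch LAN traffic inside the tunnel (pre-8.3 syntax)
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! PAT the branch's Internet-bound traffic to the HQ outside address as it hairpins
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address HQ-TO-BRANCH1
crypto map OUTSIDE-MAP 10 set peer 203.0.113.20
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-PSK>

! ===== Branch ASA 5505 (spoke) =====
! Crypto ACL: everything not local to the branch is "interesting" and goes to HQ
access-list BRANCH1-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 any
! No local PAT for tunneled traffic; HQ performs the Internet PAT
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address BRANCH1-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
! (isakmp policy and tunnel-group for 198.51.100.10 as on the hub)
```

With this layout the HQ outside ACL and any inspection applied there see the branch's Internet traffic, which is the centralized-monitoring property the poster is after; the branch ASA itself only ever talks to the hub.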