Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco ASA VPN devices

Hi Jeff,

To make sure I properly understood the quest:

You have site to site VPN's between brach offices, and branch offices
also function as VPN endpoints. Now, a mobile worker in a brach office
connects to the BO VPN endpoint and you want the traffic destined to
HQ to use the tunnel, right?

Cisco will say no, because you cannot get out through the same
interface you came in (VPN client, VPN tunnel to HQ)

On a Sonicwall, "Route all traffic through this SA" basically adds a
static route just for that SA for the VPN users, and I think you
cannot do that with PIX. Your solution is a proxy in the branch
offices, that will change the source IP of the remote VPN mobile user,
and this will let you go through the VPN tunnel to the HQ.


On 9/25/07, Behm, Jeffrey L. <BehmJL@xxxxxx> wrote:

Hello Wizards,

Our network team is replacing the client's SonicWall devices with Cisco
ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall devices
were basically used as VPN endpoints in remote offices to be
concentrated back to the corporate HQ. All traffic not destined for the
local LAN in the remote offices was sent to the corporate office via the
"Route all traffic through this SA" functionality in the SonicWall. This
worked well for the environment, but now there is the need to replace
these devices, and Cisco ASA devices have been chosen.

They are now trying to duplicate that functionality via the Cisco
devices, but in talking with Cisco TAC, they say such a configuration is
not possible, and even if it were, it would not be a security best
practice. Implementation of the Cisco device has broken all Internet
connectivity from the remote offices, since the only traffic allowed out
to/from the Internet is through HQ (with the exception of the site to
site VPN traffic to allow connectivity between remote offices and HQ).
Remote offices can see everything on the HQ LAN, because the Cisco
device is configured with IP information that allows it to route traffic
to HQ.

I can see some of Cisco's arguments regarding it not being a security
best practice, but in the scenario of centralized management and
monitoring of Internet-bound traffic, has anyone successfully configured
the Cisco devices to mimic the "Route all traffic through this SA"
functionality present in the SonicWall devices? I understand they could
open up the Cisco devices to allow traffic out from each office, but
that would require monitoring every remote office, and deviates from the
centralized monitoring/management path we are currently traversing. I
haven't personally been involved in this implementation, but was
approached by the network team due to my security background, so I can
get more details from the network team if necessary.

We are simply trying to mimic in the Cisco devices the "Route all
traffic through this SA" functionality present in the SonicWall devices.


firewall-wizards mailing list

Best regards,

Julian Dragut
If you knew that you wouldn't fall, how far would you have gone?
firewall-wizards mailing list