Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco ASA VPN devices



Caveat: this has only been fixed in 7.2(1) and later, if memory serves.

Robbie




From: Anthony <ez4me2c3d@gmail.com>
Sent by: firewall-wizards-bounces@listserv.icsalabs.com
To: Firewall Wizards Security Mailing List <firewall-wizards@xxxxxxxxxxxxxxxxx.com>
cc: "Behm, Jeffrey L." <BehmJL@xxxxxx>, firewall-wizards-bounces@xxxxxxxxxxcsalabs.com, michael@xxxxxxxxxxxxxxxxx
Date: 09/26/2007 07:33 PM
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco ASA VPN devices
Please respond to: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>






Robbie,
The ASA code 7.x has addressed VPN hairpinning with the
same-security-traffic permit intra-interface command.
I've done it several times with great success. And with proper ACLs and
routes you can direct the traffic wherever you want.

Jeff,
What you are trying to do is possible on the ASAs. You're basically
setting up a hub/spoke vpn model with l2l's between HQ and remote
offices. Cisco.com has documents on how to set this up.

References:
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00807f9a89.shtml

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

General Configuration Examples
http://www.cisco.com/en/US/partner/products/ps6120/prod_configuration_examples_list.html


Anthony


robbie.jacka@xxxxxxxxxxx wrote:
The biggest possible issue is hairpinning the internet-bound traffic inside
of the 5520, not tunneling the traffic back from the 5505s. PIX 6.x has
traditionally had a problem with this, if I recall correctly, and I'm not
sure that it's been fixed in PIX 7.x/ASA code.

Robbie





From: Michael Cox <michael@wanderingbark.net>
Sent by: firewall-wizards-bounces@listserv.icsalabs.com
To: firewall-wizards@xxxxxxxxxxxxxxxxxx.com
cc: "Behm, Jeffrey L." <BehmJL@xxxxxx>
Date: 09/26/2007 09:25 AM
Subject: Re: [fw-wiz] Issue with replacing SonicWall VPN with Cisco ASA VPN devices
Please respond to: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>









For clarification, are there clients connecting to the 5505's, or is it
just a site-to-site setup?

In any case, what you want to do should be possible. When you define the
ACL for what traffic goes down the tunnel from the branch to the hub,
simply do "permit ip <LAN network address> <LAN netmask> any". Reverse
this on the hub.

I'm stumped as to why they think this is a security issue.

Maybe TAC didn't understand what you want to do (or maybe I don't).

Regards,
Michael
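The hub-and-spoke layout that Michael (a crypto ACL of "permit ip <LAN> <mask> any" on the branch, reversed on the hub) and Anthony (same-security-traffic permit intra-interface so the 5520 can hairpin Internet-bound traffic) describe, written out as an added configuration example. It is not from the thread and not one of Cisco's published examples. The interface names, ACL and map names, the addressing (branch LAN 192.168.10.0/24, HQ LAN 10.0.0.0/8, hub public 192.0.2.1, branch public 198.51.100.1 with ISP gateway 198.51.100.254) and the pre-shared-key placeholder are all assumptions; the command set is the ASA 7.x-style CLI the thread is about.

```cisco
! ===== Branch (ASA 5505) -- assumed addressing, see lead-in =====
! Crypto ACL: everything from the branch LAN goes down the tunnel to HQ,
! including Internet-bound traffic (the SonicWall "route all through this SA" behaviour)
access-list l2l_to_hq extended permit ip 192.168.10.0 255.255.255.0 any
! NAT exemption: do not translate branch traffic before it is encrypted
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list nonat
! IKE phase 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! IPsec phase 2 and the site-to-site crypto map
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address l2l_to_hq
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
! Default route to the ISP gateway (assumed) so the encrypted packets can reach the hub
route outside 0.0.0.0 0.0.0.0 198.51.100.254 1

! ===== Hub (ASA 5520, HQ) =====
! Let traffic that was decrypted on 'outside' leave on 'outside' again (hairpinning);
! without this the ASA drops same-interface traffic
same-security-traffic permit intra-interface
! Mirror of the branch crypto ACL
access-list l2l_to_branch1 extended permit ip any 192.168.10.0 255.255.255.0
! Do not NAT HQ-to-branch traffic inside the tunnel
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
! PAT both the HQ LAN and the hairpinned branch LAN to the hub's public address;
! the 'nat (outside) 1' line is what covers branch traffic arriving from the tunnel
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
nat (outside) 1 192.168.10.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address l2l_to_branch1
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
```

Two points worth checking before relying on this. First, the hub version: Anthony says 7.x handles the hairpin and Robbie puts the fix at 7.2(1), so confirm what the 5520 is actually running. Second, the 'any' in the branch crypto ACL means every non-local packet, including the branch's own Internet traffic, is encrypted to HQ, which is exactly what gives the centralized monitoring Jeff wants; the HQ outside-interface ACL and any inspection policy there then apply to that traffic on its way back out, so that is where the branch users' Internet access should be logged and filtered.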

On Tuesday 25 September 2007 09:03, Behm, Jeffrey L. wrote:

Hello Wizards,

Our network team is replacing the client's SonicWall devices with
Cisco ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall
devices were basically used as VPN endpoints in remote offices to be
concentrated back to the corporate HQ. All traffic not destined for
the local LAN in the remote offices was sent to the corporate office
via the "Route all traffic through this SA" functionality in the
SonicWall. This worked well for the environment, but now there is the
need to replace these devices, and Cisco ASA devices have been
chosen.

They are now trying to duplicate that functionality via the Cisco
devices, but in talking with Cisco TAC, they say such a configuration
is not possible, and even if it were, it would not be a security best
practice. Implementation of the Cisco device has broken all Internet
connectivity from the remote offices, since the only traffic allowed
out to/from the Internet is through HQ (with the exception of the
site to site VPN traffic to allow connectivity between remote offices
and HQ). Remote offices can see everything on the HQ LAN, because the
Cisco device is configured with IP information that allows it to
route traffic to HQ.

I can see some of Cisco's arguments regarding it not being a security
best practice, but in the scenario of centralized management and
monitoring of Internet-bound traffic, has anyone successfully
configured the Cisco devices to mimic the "Route all traffic through
this SA" functionality present in the SonicWall devices? I understand
they could open up the Cisco devices to allow traffic out from each
office, but that would require monitoring every remote office, and
deviates from the centralized monitoring/management path we are
currently traversing. I haven't personally been involved in this
implementation, but was approached by the network team due to my
security background, so I can get more details from the network team
if necessary.

We are simply trying to mimic in the Cisco devices the "Route all
traffic through this SA" functionality present in the SonicWall
devices.

Thoughts?

Jeff
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
