Re: Configure ASA5510 to allow "outbound" VPN connections



"Bob Ruiz" <bob.ruiz@xxxxxxx> wrote in message
news:1152917355.356288.35260@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> We need to modify our Cisco ASA5510 security device to allow multiple
> (simultaneous) "outbound" VPN client connections to a Cisco 3000 VPN
> host device, AND support the following "existing" infrastructure:
>
> - Several "site-to-site" VPN connections between the ASA5510 security
> device and other firewalls
>
> - Accept several (simultaneous) "inbound" VPN connections
>
> - Single external IP address for all outbound connections (I believe
> this is called NAT/PAT...)
>
> Note: The added complexity is that the Cisco 3000 VPN device does not
> have "IPSec over UDP" enabled (NAT-Traversal ?), nor will it have
> "IPSec over TCP" enabled (NAT-TCP ?). (Corporate policy - currently
> being debated)
>
> The specific questions are...
>
> Is it possible to configure the ASA5510 to support the "outbound"
> connections? If so, how ?

Cannot help with this bit.

> Would it have been possible with "IPSec over UDP"? ..."IPSec over
> TCP"?

I think it is the other way - if you are doing address translation on the
ASA, then IPsec is not going to work (or at least the authentication part) -
the reason is that the encryption includes the end point addresses, and NAT
is going to change that (unless you are set to translate an address to the
same address?)

So - UDP or TCP encap is going to be needed to allow the VPN3000 to "talk"
to end points where the VPN client sessions cross an address translation
point.

Given typical remote access VPN use with many users operating from
corporates, or from home where address translation is part of the network
border - you probably need it for most applications these days.

FWIW, UDP encap works best with reasonably good connectivity and high speed
links (e.g. a home broadband connection).
TCP is OK where the firewall blocks UDP, doesn't keep session state for some
reason, or where you have a poor connection (the classic example for me is
across a GPRS link).
But TCP can cause a lot of slowdown, since the TCP session will back off
under packet loss, affecting all traffic for that VPN link.

> Any help would be greatly appreciated !!
>
> Bob

--
Regards

stephen_hope@xxxxxxxxxxxx - replace xyz with ntl
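To make the distinction between raw IPsec and the UDP/TCP encapsulation discussed above concrete, here is an added Python example (not from the thread and not Cisco code) that classifies datagrams by their framing: raw ESP/AH, IKE on UDP 500, and RFC 3948 NAT-T on UDP 4500, where IKE carries a four-byte zero "non-ESP marker" and ESP begins with its SPI. It assumes TCP port 10000 for Cisco "IPsec over TCP" (that product's default, an assumption here), and every sample packet is constructed, not captured.

```python
import struct
from collections import Counter

TCP_ENCAP_PORT = 10000  # Cisco "IPsec over TCP" default port (assumption; check the device)

def ike_version(isakmp):
    """Major version from the ISAKMP header (byte 17, high nibble): 1 or 2."""
    return f"IKEv{isakmp[17] >> 4}" if len(isakmp) >= 28 else "ike-short"

def classify(ip_proto, sport, dport, payload):
    """Label one datagram by its IPsec framing. Ports are None for non-UDP/TCP."""
    if ip_proto == 50:
        return "esp-raw"      # IP protocol 50 has no ports, so PAT cannot multiplex it
    if ip_proto == 51:
        return "ah-raw"       # AH integrity covers the IP header; any NAT breaks it
    if ip_proto == 17 and 500 in (sport, dport):
        return "ike-udp500 " + ike_version(payload)
    if ip_proto == 17 and 4500 in (sport, dport):
        # RFC 3948 NAT-T framing: IKE is prefixed by a 4-byte zero "non-ESP
        # marker"; ESP starts with its SPI, which is never zero.
        if payload == b"\xff":
            return "natt-keepalive"
        if payload[:4] == bytes(4):
            return "ike-natt " + ike_version(payload[4:])
        if len(payload) >= 8:
            return f"esp-natt spi=0x{struct.unpack('!I', payload[:4])[0]:08x}"
        return "natt-malformed"
    if ip_proto == 6 and TCP_ENCAP_PORT in (sport, dport):
        return "ipsec-over-tcp"
    return "other"

def summarize(packets):
    """Count framings; the flag is True when raw ESP/AH (NAT-breaking) was seen."""
    counts = Counter(classify(*p).split()[0] for p in packets)
    return counts, (counts["esp-raw"] + counts["ah-raw"]) > 0

# Constructed sample traffic (not a real capture): (ip_proto, sport, dport, payload)
IKEV1_HDR = bytes(16) + b"\x01\x10\x02\x00" + bytes(8)   # version 1.0, main mode
IKEV2_HDR = bytes(16) + b"\x21\x20\x22\x08" + bytes(8)   # version 2.0, IKE_SA_INIT
SAMPLE = [
    (17, 500, 500, IKEV1_HDR),
    (17, 4500, 4500, bytes(4) + IKEV2_HDR),
    (17, 4500, 4500, b"\x00\x00\xab\xcd\x00\x00\x00\x01" + b"ciphertext"),
    (17, 4500, 4500, b"\xff"),
    (50, None, None, b"\x12\x34\x56\x78\x00\x00\x00\x07" + b"ciphertext"),
    (6, 49152, TCP_ENCAP_PORT, b"opaque"),
]
```

Running `summarize(SAMPLE)` flags the raw ESP packet, which is the traffic a PAT border cannot carry; the NAT-T and TCP-encapsulated entries are the forms that survive translation.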

