Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices

[Michael Cox <michael () wanderingbark net>]

On Tuesday 25 September 2007 19:20, Brett Cunningham wrote:
> Never used a SonicWall, but you should be able to tunnel all traffic
> through the vpn. To match the traffic, it's as simple as:
>
> (on roho asa) access-list to_hq ip any any
> (on hq asa) access-list to_ro ip any any
>
> Nothing else is required provided that the vpn is up and the subnet
> of the roho lan is different than the hq subnet.

Since there is one hub and multiple spokes, you can't do "ip any any". 
You need to specify the subnet(s) for each spoke in its respective acl.

Also, if the spokes need to talk to each other, don't forget 
the "same-security-traffic intra-interface" command. I'm assuming here 
that there is a single Internet interface for all VPN traffic on the 
hub.

Regards,
Michael


> On 9/25/07, Behm, Jeffrey L. <BehmJL () bv com> wrote:
> > Hello Wizards,
> >
> > Our network team is replacing the client's SonicWall devices with
> > Cisco ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall
> > devices were basically used as VPN endpoints in remote offices to
> > be concentrated back to the corporate HQ. All traffic not destined
> > for the local LAN in the remote offices was sent to the corporate
> > office via the "Route all traffic through this SA" functionality in
> > the SonicWall. This worked well for the environment, but now there
> > is the need to replace these devices, and Cisco ASA devices have
> > been chosen.
> >
> > They are now trying to duplicate that functionality via the Cisco
> > devices, but in talking with Cisco TAC, they say such a
> > configuration is not possible, and even if it were, it would not be
> > a security best practice. Implementation of the Cisco device has
> > broken all Internet connectivity from the remote offices, since the
> > only traffic allowed out to/from the Internet is through HQ (with
> > the exception of the site to site VPN traffic to allow connectivity
> > between remote offices and HQ). Remote offices can see everything
> > on the HQ LAN, because the Cisco device is configured with IP
> > information that allows it to route traffic to HQ.
> >
> > I can see some of Cisco's arguments regarding it not being a
> > security best practice, but in the scenario of centralized
> > management and monitoring of Internet-bound traffic, has anyone
> > successfully configured the Cisco devices to mimic the "Route all
> > traffic through this SA" functionality present in the SonicWall
> > devices? I understand they could open up the Cisco devices to allow
> > traffic out from each office, but that would require monitoring
> > every remote office, and deviates from the centralized
> > monitoring/management path we are currently traversing. I haven't
> > personally been involved in this implementation, but was approached
> > by the network team due to my security background, so I can get
> > more details from the network team if necessary.
> >
> > We are simply trying to mimic in the Cisco devices the "Route all
> > traffic through this SA" functionality present in the SonicWall
> > devices.
> >
> > Thoughts?
> >
> > Jeff
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () listserv icsalabs com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards