Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices

["Julian M. Dragut" <julianmd () gmail com>]

Hi Jeff,


To make sure I properly understood the quest:

You have site to site VPN's between brach offices, and branch offices
also function as VPN endpoints. Now, a mobile worker in a brach office
connects to the BO VPN endpoint and you want the traffic destined to
HQ to use the tunnel, right?


Cisco will say no, because you cannot get out through the same
interface you came in (VPN client, VPN tunnel to HQ)

On a Sonicwall, "Route all traffic through this SA" basically adds a
static route just for that SA for the VPN users, and I think you
cannot do that with PIX. Your solution is a proxy in the branch
offices, that will change the source IP of the remote VPN mobile user,
and this will let you go through the VPN tunnel to the HQ.


Julian

On 9/25/07, Behm, Jeffrey L. <BehmJL () bv com> wrote:
> Hello Wizards,
>
> Our network team is replacing the client's SonicWall devices with Cisco
> ASA 5505 (remote office) and 5520 (HQ) devices. The SonicWall devices
> were basically used as VPN endpoints in remote offices to be
> concentrated back to the corporate HQ. All traffic not destined for the
> local LAN in the remote offices was sent to the corporate office via the
> "Route all traffic through this SA" functionality in the SonicWall. This
> worked well for the environment, but now there is the need to replace
> these devices, and Cisco ASA devices have been chosen.
>
> They are now trying to duplicate that functionality via the Cisco
> devices, but in talking with Cisco TAC, they say such a configuration is
> not possible, and even if it were, it would not be a security best
> practice. Implementation of the Cisco device has broken all Internet
> connectivity from the remote offices, since the only traffic allowed out
> to/from the Internet is through HQ (with the exception of the site to
> site VPN traffic to allow connectivity between remote offices and HQ).
> Remote offices can see everything on the HQ LAN, because the Cisco
> device is configured with IP information that allows it to route traffic
> to HQ.
>
> I can see some of Cisco's arguments regarding it not being a security
> best practice, but in the scenario of centralized management and
> monitoring of Internet-bound traffic, has anyone successfully configured
> the Cisco devices to mimic the "Route all traffic through this SA"
> functionality present in the SonicWall devices? I understand they could
> open up the Cisco devices to allow traffic out from each office, but
> that would require monitoring every remote office, and deviates from the
> centralized monitoring/management path we are currently traversing. I
> haven't personally been involved in this implementation, but was
> approached by the network team due to my security background, so I can
> get more details from the network team if necessary.
>
> We are simply trying to mimic in the Cisco devices the "Route all
> traffic through this SA" functionality present in the SonicWall devices.
>
> Thoughts?
>
> Jeff
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


-- 
Best regards,


Julian Dragut
If you knew that you wouldn't fall, how far would you have gone?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards