Building a VPN with Cisco ASA gear

Nutter's Help Desk By Ron Nutter, Network World
December 17, 2007 12:10 AM ET
The organization I work for recently bought a Cisco ASA 5510 and 3 ASA 5505s to replace some SonicWalls we have in a few group homes. They are going to be doing a site-to-site VPN tunnel so that the group homes can access our VoIP phones and also remote desktop into our terminal server. I have tried to test the ASAs from home; I have tried a few things but all were unsuccessful. Any thoughts?
-- Dale L. Bradford

Since you are moving from a different brand of firewall, you will want to work through this in stages. Keep good notes as you go; they will serve you well as you become more familiar with getting the firewalls to work.

The first thing I would do is look at the licenses on your respective firewalls. Cisco describes the license levels in terms of users, but I have found that the terminology means something a little different from what you would expect. Assuming the 5510 has a 10-user license and the 5505s have a 5-user license, if you come across the VPN link from the 5505 side to the 5510 and call up a complex Web site, you will eat up all the licenses on the 5510, and the VPN connection will appear to fail because of the way licensing is handled on the Cisco ASA devices. So check the licenses between the ASAs that you have. If you have the 3 ASA 5505s with a 10-user license installed on each one, you will want to add that license count to the number of users at the main office to get the total license needed for the 5510. Assuming you have 20 users at the main office, you would want a license of at least 50 users installed on the ASA 5510. You may find that a higher license count is necessary on the 5510; you'll need to do some testing to know for sure. You won't really see this explained in the documentation, unfortunately.

Once you've dealt with the license issue, connect the WAN ports of the ASA 5510 and one of the 5505s together. You may need a crossover cable to get link between the two firewalls. You can also try putting a switch between the two ASAs (a Layer 3 switch would be ideal) or a router with 2 Ethernet interfaces. That will let you assign IP addresses from different subnets to the respective ASAs you are testing. Set up a site-to-site VPN connection, then make sure that you can route properly between the two ASAs and can see all of the systems on each side of the connection. This will help you get a feel for setting up a VPN connection before the firewalls are deployed.

What you do next depends on how you want to get the sites connected. If you only want traffic intended for the servers at your main location to come across the VPN tunnel, and want the remaining Internet traffic to go out over the local connection directly, you will want to set up a split-tunneling configuration. This configuration means a little more maintenance work, since you will have multiple sets of firewall rules to maintain. The alternative, forcing all traffic back to the main office before it goes out to the Internet, means the remote house locations will consume your main office bandwidth twice: once for the incoming connection from the remote site, and again for the Internet resources they are trying to access.
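As an added example (not from the column or from Cisco's documentation), here is a minimal site-to-site IKEv1/IPsec configuration for the remote-site ASA 5505 in the split-tunnel arrangement just described: only traffic for the main office subnet enters the tunnel, and everything else is PATed out the local Internet connection. It assumes ASA software 8.4 or later (the pre-8.3 `nat 0 access-list` and `crypto isakmp` syntax is different); the interface addresses, subnets, object names, peer address and pre-shared key are all placeholders, and the main office 5510 needs the mirror-image configuration.

```cisco
! Added example: remote-site ASA 5505, split-tunnel site-to-site VPN to the main office.
! Assumes ASA 8.4+ syntax. All addresses and names below are placeholders.
!
! Interfaces (the 5505 uses VLAN interfaces mapped to its switch ports)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Subnets on each end of the tunnel; REMOTE_LAN also carries the local PAT rule
! so that non-tunnel traffic leaves directly over the local Internet connection
object network REMOTE_LAN
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network MAIN_LAN
 subnet 10.1.0.0 255.255.0.0
!
! "Interesting traffic": only packets for the main office go into the tunnel (split tunnel)
access-list VPN_TRAFFIC extended permit ip object REMOTE_LAN object MAIN_LAN
!
! Exempt tunnel traffic from NAT so the main office sees the real source addresses;
! this manual rule is evaluated before the object PAT rule above
nat (inside,outside) source static REMOTE_LAN REMOTE_LAN destination static MAIN_LAN MAIN_LAN no-proxy-arp route-lookup
!
! IKEv1 phase 1
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
!
! IPsec phase 2 and the crypto map bound to the outside interface
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Peer definition: the main office 5510's outside address and a shared secret
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_LONG_RANDOM_PSK
!
! Verification, after sending traffic toward 10.1.0.0/16 from an inside host:
! show crypto ikev1 sa          (phase 1 should reach MM_ACTIVE)
! show crypto ipsec sa          (pkts encaps/decaps counters should increase)
! show vpn-sessiondb l2l        (lists the active site-to-site session)
! show version | include Hosts  (the 5505's inside-host license limit discussed above)
```

The VPN_TRAFFIC access list is what makes this a split tunnel: anything not matching it never touches the crypto map and simply hits the interface PAT rule, so each site has its own set of rules to maintain, as the column warns. On a current software release you would normally prefer IKEv2 (supported from ASA 8.4) with SHA-2 and a stronger Diffie-Hellman group than the 2007-era settings shown here, but the structure of the configuration is the same.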
