We have two geographically distant network locations and are thinking about introducing a new network architecture utilizing two CISCO ASA 5505s. I'm looking for a review and confirmation of whether this architecture is achievable with these two CISCO ASA 5505 firewalls. I want to be sure this equipment matches our requirements before we make the purchase.
The network should look like this:
    Location 1                               public servers (on vmware ESXi 4.x)
    ==========                                       | (VLAN 1 — DMZ)
    Public access  ---->  +----------------+ --------+
    Mobile worker  ---->  | CISCO ASA 5505 |
    Internet       <----  +----------------+ --------+
                                  ^                  |
                                  |                  private servers (on vmware ESXi 4.x)
                                  |                  (VLAN 2)
                                  | IPsec tunnel (VLAN 2)
                                  |
    Location 2                    |
    ==========                    v
                          +----------------+
    Internet       <----  | CISCO ASA 5505 | --------+
                          +----------------+         |
                                              LAN workstations and servers
                                              (VLAN 2)
In Location 1 we have a bunch of virtualized servers running on a couple of physical machines with vmware ESXi 4.x. Several VMs are accessible from the internet by the public and hence need to be placed in a DMZ. Also, our employees who need remote access shall be able to connect with the CISCO VPN client to Location 1's ASA. The required authentication method is user certificates issued by our Windows-based CA.
The bundle for Location 1 will be ASA5505-UL-BUN-K9.
In Location 2 we have just workstations and some local servers. However, mobile workers that access Location 1 via VPN need to gain access to machines running in Location 2, so routing from Loc. 1 to Loc. 2 must be configured. VPN access directly to Location 2 is not required, but is nice to have in the future.
The bundle for location 2 will be ASA5505-50-BUN-K9.
Both locations shall be connected by a secure, transparent tunnel (e.g. IPsec, AES encryption, most likely with a pre-shared key).
Particular questions:
- There is a limit on the number of licensed VPN connections. By default, ASA 5505 has 2 SSL VPNs and 10 “remote access” VPNs. Which of these two limits applies when the CISCO VPN client is used? Note that 10 is enough for us, however 2 isn't.
- Is the VPN connection limit floating (= currently used connections) or named (per assigned user)?
- Is it really possible to utilize certificate-based authentication for VPN connection and will it work with a Windows-based Certification Authority?
- Are there any viable, more cost-effective alternatives to the ASA 5505 for Location 2, providing the same security and similar routing capabilities? An integrated WiFi access point is a plus.
Environment:
- Most servers run Windows Server 2008 R2 x64.
- Workstations run Windows 7 x64.
- There's a single Windows domain.
- vmware server 4 or vmware ESXi 4 for virtualization.
- IPv4
Any other hints or recommendations are appreciated. If you find it appropriate, recommend any network equipment from alternative vendors as well.
I'm not a networking expert and haven't worked with CISCO's equipment for a while, so please ask for any clarifications as needed.
The standard Cisco VPN client is IPSEC, and uses a "remote access" VPN license. The SSL VPN is a clientless VPN and not worth much, unless you purchase the AnyConnect SSL VPN licenses.
VPN licenses are per VPN peer, and for a mobile access setup it's "concurrent connections."
I don't know the answer to this for sure, but my gut feeling is "yes." Yes, Microsoft CA supported.
I connect Cisco ASAs to various other firewalls via Site to Site IPSEC VPNs quite frequently, so anything that supports the IPSEC VPN standard would be an alternative for site 2.
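The site-to-site tunnel described in the question (AES, pre-shared key), as an added configuration example for the Location 1 ASA; it is not from the question or the answer and assumes ASA 8.4(2) or later syntax, with constructed addresses: Location 1 private VLAN 2 = 10.1.2.0/24, the mobile-worker VPN pool = 10.1.9.0/24, Location 2 LAN VLAN 2 = 10.2.2.0/24, and 203.0.113.2 as Location 2's outside address. It also covers the "routing from Loc. 1 to Loc. 2" requirement for mobile workers, which needs the VPN pool in the crypto ACL, a NAT exemption, and hairpinning on the outside interface.

```cisco
! Added example (ASA 8.4(2)+ syntax), Location 1 side. All addresses are constructed.
object network LOC1_PRIVATE
 subnet 10.1.2.0 255.255.255.0
object network LOC1_VPNPOOL
 subnet 10.1.9.0 255.255.255.0
object network LOC2_LAN
 subnet 10.2.2.0 255.255.255.0

! Phase 1 (IKEv1): pre-shared key, AES-256, SHA-1, DH group 2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Phase 2: ESP with AES-256 and SHA-1 HMAC
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic. The remote-access pool must be listed too, or mobile
! workers' packets for Location 2 are never sent into the tunnel.
access-list L2L_TO_LOC2 extended permit ip object LOC1_PRIVATE object LOC2_LAN
access-list L2L_TO_LOC2 extended permit ip object LOC1_VPNPOOL object LOC2_LAN

crypto map OUTSIDE_MAP 10 match address L2L_TO_LOC2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside

! Location 2's outside address is the tunnel-group name for an L2L peer.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK

! NAT exemption (8.3+ twice NAT) so tunnel traffic keeps its real addresses.
nat (inside,outside) source static LOC1_PRIVATE LOC1_PRIVATE destination static LOC2_LAN LOC2_LAN no-proxy-arp route-lookup
nat (outside,outside) source static LOC1_VPNPOOL LOC1_VPNPOOL destination static LOC2_LAN LOC2_LAN no-proxy-arp route-lookup

! Remote-access clients terminate on "outside" and must re-enter the L2L tunnel
! on "outside"; without this, Loc 1 -> Loc 2 access for mobile workers fails.
same-security-traffic permit intra-interface
```

The Location 2 ASA needs the mirror image (its crypto ACL permitting LOC2_LAN to both Location 1 networks, the same policy and transform set, and Location 1's outside address as peer and tunnel-group name); verify with "show crypto ikev1 sa" and "show crypto ipsec sa" that SAs come up for both Location 1 source networks.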