I'm wondering what I'd have to do to make the following scenario possible:
     _____________        __________________
    |             |      |                  |
    |  Network A  |      |    Network B     |
    |             |      |    ___________   |
    |        -----=======|==| Network C  |  |
    |             |      |  |___________|  |
    |_____________|      |__________________|
I.e. I want to tunnel the traffic from Network C to Network A through the network and firewall of Network B.
I have
- a Cisco ASA-5510 on Network A
- an unknown setup on Network B
- a requirement for as small a unit as possible on Network C
My current idea is to prime an ASA-5505 and use it as a hardware VPN-client using EZVPN, but I'd like to have a product that's more rugged and industrial, as the unit may work in +40°C areas.
BTW: Never mind my mad ASCII-art skills ;)
What you're talking about is certainly possible, but the "Network B" edge firewall is going to determine how easy that is for you.
If the "Network B" firewall won't pass IPSEC then you're going to have to use some other type of VPN protocol or encapsulate the IPSEC into another protocol. (Off the top of my head I can't recall if the ASAs can do site-to-site IPSEC over UDP tunnels or not...)
You're probably going to have a tunnel that can only be initiated in "one direction", too. I'm assuming that the operators of "Network B" aren't going to forward unsolicited inbound traffic from the public Internet to your "Network C" firewall / VPN termination device. If that's the case then the "Network C" firewall will have to be the one that initiates the tunnel with your ASA on "Network A", because unsolicited traffic from "Network A" (i.e. requests to bring up the tunnel) won't ever get to the "Network C" device. As long as you've got something inside "Network C" that can generate traffic and keep the tunnel running this shouldn't be problematic.
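An added example (not part of the original question or answer, and not a Cisco tool): before buying hardware for Network C, the practical first step is to find out what the "Network B" egress firewall actually lets out, because that decides between IPsec and an SSL-based option. The ASA does support NAT-T (IKE and ESP carried in UDP 4500, enabled with `crypto isakmp nat-traversal`), so on the IPsec side the relevant question is whether UDP 500 and UDP 4500 get out, not whether raw ESP does. The script below is a two-ended path test: run `start_responder` on a host at Network A's edge that answers on the candidate ports, then run `probe` from a laptop inside Network C. It echoes a constructed probe payload rather than speaking real IKE, so it only tells you whether the path is open, and it cannot test ESP (IP protocol 50) with plain sockets. Binding to the real ports 500/4500/443 needs root on the responder side; the port map is a parameter so it can also be run on high ports, and the direction of the test matches the point above that the Network C side must be the initiator.

```python
"""Egress path test for a tunnel from Network C to the ASA on Network A.

Added example, not the ASA's own code.  The responder runs where Network A's
edge will be; the probe runs from inside Network C and reports which candidate
transports the Network B firewall lets out.  Plain UDP/TCP sockets only, so
raw ESP is not tested; with NAT-T it is carried inside UDP 4500, which is.
"""
import socket
import threading

# Standard ports per candidate transport.  Assumed defaults; both functions
# accept another map so the test can use unprivileged high ports.
STANDARD_PORTS = {
    "ike":     ("udp", 500),    # ISAKMP / IKE negotiation
    "nat-t":   ("udp", 4500),   # IKE + ESP encapsulated in UDP (NAT traversal)
    "ssl-vpn": ("tcp", 443),    # AnyConnect / clientless SSL VPN
}

MAGIC = b"vpn-path-probe"   # constructed probe payload, echoed back verbatim


def _udp_loop(sock, stop):
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(1024)
        except socket.timeout:
            continue
        if data == MAGIC:
            sock.sendto(MAGIC, peer)
    sock.close()


def _tcp_loop(sock, stop):
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = sock.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(1.0)
            try:
                if conn.recv(1024) == MAGIC:
                    conn.sendall(MAGIC)
            except OSError:
                pass
    sock.close()


def start_responder(host="0.0.0.0", ports=STANDARD_PORTS):
    """Bind an echo listener for every transport (synchronously, so the probe
    can start right away) and serve them in daemon threads.  Returns the
    Event that stops them."""
    stop = threading.Event()
    for proto, port in ports.values():
        kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
        sock = socket.socket(socket.AF_INET, kind)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        if proto == "tcp":
            sock.listen(5)
        loop = _udp_loop if proto == "udp" else _tcp_loop
        threading.Thread(target=loop, args=(sock, stop), daemon=True).start()
    return stop


def probe_one(host, proto, port, timeout=1.0):
    """True if the responder's echo comes back over this transport."""
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(MAGIC, (host, port))
                data, _ = s.recvfrom(1024)
        else:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(MAGIC)
                data = s.recv(1024)
        return data == MAGIC
    except OSError:   # timeout, connection refused, ICMP unreachable: blocked
        return False


def probe(host, ports=STANDARD_PORTS, timeout=1.0):
    """Run from inside Network C.  Maps transport name -> reachable."""
    return {name: probe_one(host, proto, port, timeout)
            for name, (proto, port) in ports.items()}


def recommend(results):
    """Turn probe results into the choice the answer describes."""
    if results.get("ike") and results.get("nat-t"):
        return "ipsec-nat-t"          # site-to-site IPsec with NAT-T will work
    if results.get("ssl-vpn"):
        return "ssl-vpn"              # only HTTPS gets out: SSL VPN options
    if results.get("ike"):
        return "ipsec-unconfirmed"    # IKE passes, but ESP/NAT-T not verified
    return None                       # nothing outbound: talk to Network B


if __name__ == "__main__":
    stop = start_responder("127.0.0.1")          # both ends on one host (demo)
    print(probe("127.0.0.1"), recommend(probe("127.0.0.1")))
    stop.set()
```

Whatever the result, remember the answer's second point: the tunnel will be brought up from Network C, so the device there needs either a dead-peer-detection/keepalive or a host behind it that keeps generating traffic.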
Depending on what kind of traffic you're sending and how many clients you have on Network C, one of the ASA's SSL VPN options might work. Network B would only need to allow outbound HTTPS, and you wouldn't require any VPN hardware at all.
They're aimed at a single client PC using them for remote access though, and the most that you'll be able to do will be to forward particular ports for that client PC.