ASA 5520 with multiple inside/outside VLANs for VPN termination

All,

I was hoping to get some confirmation that this will work as I've never tried it.

My Scenario: ASA 5520 that hasn't arrived yet.

Multiple outside VLANs, as bandwidth contracts/SLAs vary between partners: Partner A, Partner B, Corp

Multiple inside VLANs at our edge corresponding to these partners, with traffic separation within our campus: Partner A, Partner B, Corp

I would like to be able to terminate VPNs on the outside using multiple logical interfaces corresponding to the outside VLANs. I would like these VPNs to flow through to the appropriate logical interface corresponding to the VLANs on the inside. Basically I am guaranteeing that the VPNs for any given partner are terminated using bandwidth allocated to them as the ISP handles the bandwidth allocations by providing us the outside VLANs.

Anyhow, I am assuming I would just set this up like any other VPN arrangement terminating my tunnels on the appropriate logical 'outside' interfaces. I am then assuming that traffic would flow properly based on the ACLs used for the match addresses as traffic would be recognized as being local to the appropriate logical 'internal' interfaces. There is no IP overlap on the 'inside'. Will this work? Do I have to take any other steps to ensure traffic separation? Thanks!

-Kevin
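An added example, not from this thread, of how the layout Kevin describes is usually expressed in ASA 7.x/8.0-era configuration (one outside subinterface per ISP VLAN, one inside subinterface per partner segment, a crypto map bound to each outside subinterface); all interface names, VLAN IDs, addresses, peer and key values are made-up placeholders.

```cisco
! Outside trunk from the ISP: one subinterface per ISP-delivered VLAN
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.101
 vlan 101
 nameif outside-partnerA
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/0.102
 vlan 102
 nameif outside-partnerB
 security-level 0
 ip address 198.51.100.2 255.255.255.248
! Inside trunk to campus: one subinterface per partner segment (no overlap).
! Equal security levels keep inside-partnerA and inside-partnerB from
! talking to each other unless same-security-traffic permit is configured.
interface GigabitEthernet0/1.201
 vlan 201
 nameif inside-partnerA
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface GigabitEthernet0/1.202
 vlan 202
 nameif inside-partnerB
 security-level 100
 ip address 10.2.0.1 255.255.255.0
! Routing, not the crypto ACL, picks the egress subinterface: each peer's
! networks (and the peer address) must be routed via its own outside VLAN
route outside-partnerA 172.16.1.0 255.255.255.0 203.0.113.1
route outside-partnerA 192.0.2.10 255.255.255.255 203.0.113.1
route outside-partnerB 172.16.2.0 255.255.255.0 198.51.100.1
route outside-partnerB 192.0.2.20 255.255.255.255 198.51.100.1
! Crypto ACL: only Partner A's inside segment is interesting traffic for peer A
access-list VPN-PARTNERA extended permit ip 10.1.0.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map MAP-A 10 match address VPN-PARTNERA
crypto map MAP-A 10 set peer 192.0.2.10
crypto map MAP-A 10 set transform-set ESP-AES-SHA
crypto map MAP-A interface outside-partnerA
crypto isakmp enable outside-partnerA
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key PARTNERA-PSK-PLACEHOLDER
! Partner B: same pattern with VPN-PARTNERB, MAP-B, outside-partnerB, peer 192.0.2.20
! Separation: decrypted VPN traffic bypasses interface ACLs by default
! (sysopt connection permit-vpn); disable that so the outside ACL is enforced
no sysopt connection permit-vpn
access-list OUT-A extended permit ip 172.16.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-group OUT-A in interface outside-partnerA
```

Without the `no sysopt connection permit-vpn` line a peer whose crypto ACL is widened on their side could push decrypted traffic past the interface ACLs, so the per-interface ACLs (or a `vpn-filter` on the tunnel-group) are what actually guarantees the inside separation, not the VLAN layout alone.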

Posted by maxprophet

Since you are going with the 5520, why not look into running your firewall in context mode, which is basically creating separate logical firewalls within your one piece of hardware? Then you can technically have a separate FW for each partner and your corp network. Separate IPs, routes, administrators, VPN configs, everything.

Posted by Anthony

Be careful with context mode. Some features are not supported, especially VPN:

"Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. "


Posted by mcaissie
