Deployment Planning
This document is based on several example scenarios that represent typical customer deployments of the ASA 5505. The deployment scenarios in this chapter correspond to subsequent configuration chapters.
This chapter includes the following sections:
• Scenarios for Deployment Planning and Configuration
• Scenario 1: Private Network with External Connectivity
• Scenario 2: Basic Installation with DMZ
• Scenario 3: IPsec Remote-Access VPN
• Scenario 4: SSL VPN
• Scenario 5: Site-to-Site VPN
• Scenario 6: Easy VPN Hardware Client
• Where to Find Configuration Procedures
• What to Do Next
Scenarios for Deployment Planning and Configuration
An extended adaptive security appliance deployment can include two or more of the different deployment scenarios described in this chapter. You can use the scenarios in this chapter to help you determine how you want to deploy the adaptive security appliance on your network, and then determine which configuration chapters apply to you.
Figure 2-1 illustrates an extended network that includes most of the deployment and configuration scenarios included in this document.
Figure 2-1 Extended Network Deployment
Scenario 1: Private Network with External Connectivity
A basic deployment that is typical for a small private network is shown in Figure 2-2.
Figure 2-2 Private (Inside) Network with External Connectivity
In this example, the adaptive security appliance enables all devices on the private network to communicate with each other and enables users on the private network to communicate with devices on the Internet.
Note
This deployment is similar to the security deployments using the PIX 501. If you already have a security deployment with PIX 501 security appliances in which devices behind the firewall can communicate internally and externally, you can keep the same deployment and replace the PIX 501 devices with ASA 5505 devices.
For information about how to configure your adaptive security appliance for this deployment, see Chapter 5, "Configuring the Adaptive Security Appliance."
Scenario 2: Basic Installation with DMZ
In this scenario, the adaptive security appliance is used to protect network resources located in a demilitarized zone (DMZ) in addition to the inside network. A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
HTTP clients on the private network can access the web server in the DMZ and can also communicate with devices on the Internet.
Figure 2-3 Private Network with DMZ
For information about configuring a DMZ deployment, see Chapter 6, "Scenario: DMZ Configuration."
Scenario 3: IPsec Remote-Access VPN
In this scenario, the adaptive security appliance is configured to accept remote-access IPsec VPN connections. A remote-access VPN allows you to create secure connections, or tunnels, across the Internet, providing secure access for off-site users.
Figure 2-4 IPsec Remote-Access VPN Connection
For information about how to configure an IPsec remote-access VPN deployment, see Chapter 7, "Scenario: IPsec Remote-Access VPN Configuration."
Scenario 4: SSL VPN
The adaptive security appliance supports two types of SSL VPN connections:
• Remote clients running the Cisco SSL VPN AnyConnect Client software.
• Clientless SSL VPN connections, that is, SSL VPN connections established with a remote system running a Web browser.
Figure 2-5 shows an adaptive security appliance configured to accept requests for and establish both types of supported SSL VPN connections.
Figure 2-5 Network Layout for SSL VPN Scenario
Scenario 5: Site-to-Site VPN
In this scenario, two adaptive security appliances are configured to create a site-to-site VPN.
Deploying a site-to-site VPN enables businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or tunnel, first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites.
Figure 2-6 Network Layout for Site-to-Site VPN Configuration Scenario
For information about configuring a site-to-site VPN deployment, see Chapter 10, "Scenario: Site-to-Site VPN Configuration."
Scenario 6: Easy VPN Hardware Client
In this scenario, an ASA 5505 is deployed as a hardware client (sometimes called a remote device). Deploying one or more VPN hardware clients in conjunction with a VPN headend device enables companies with multiple sites to establish secure communications among them and share network resources.
Deploying an Easy VPN solution with hardware clients simplifies the deployment and management of a VPN in the following ways:
• Hosts at remote sites no longer have to run VPN client software.
• Security policies reside on a central server and are pushed to the remote hardware clients when a VPN connection is established.
• Few configuration parameters need to be set locally, minimizing the need for on-site administration.
Figure 2-7 illustrates how the different Easy VPN components can be deployed.
Figure 2-7 ASA 5505 Installed as VPN Hardware Client
For information about how to configure the ASA 5505 as a VPN hardware client, see Chapter 11, "Scenario: Easy VPN Hardware Client Configuration."
Where to Find Configuration Procedures
Each deployment scenario in this chapter has a corresponding configuration chapter in this document that describes how to configure the ASA 5505 for that type of deployment.
What to Do Next
Continue with Chapter 3, "Planning a VLAN Configuration."