Hi. I wanted to ask for opinions, suggestions, and experience on this. We have a Cisco ASA VPN device from our vendor and we'll need to connect it to our PA-3220 firewall. So basically: Internet --> PA-3220 --> ASA VPN --> LAN. This ASA will be inside our network and NOT remote. I would like to know if there is a way to connect this and make it work without creating an IPsec tunnel. Any suggestions will be greatly appreciated. Thank you!
What about a simple layer 3 setup (as you are asking for something without VPN)? You either create a VLAN between the two firewalls, or you route the network behind the ASA through your existing internal network towards the 3220, where you have the internet connection.
Thank you for your suggestion. It's very interesting, because while awaiting replies I was doodling different config/placement scenarios on paper, and one of them is what you suggested. Now that I know I'm not going crazy and someone has the same theory, I will definitely test your suggestion later this evening. Thank you very much for your suggestion.
We actually have an office set up like this because they were using the ASA for VPN for a bit. Essentially it was configured the way @vsys_remo already mentioned: the ASA was a standalone layer 3 connection that didn't perform NAT on the AnyConnect addresses and just routed them to a layer 3 interface in an 'AnyConnect' zone on the firewall. The firewall then simply has static routes telling it to route traffic for the AnyConnect IP pools back to the ASA.
This configuration essentially allowed us to "ignore" the ASA and treat it as a termination point. All security policies were handled by the PAN firewall and the ASA was essentially just a dumb VPN concentrator for AnyConnect purposes.
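As an added example (not from this thread, and not either poster's actual configuration), this is what the layer 3 arrangement described above looks like in PAN-OS set-command form. The interface name ethernet1/3, the 10.10.10.0/30 transit network, the 10.20.0.0/24 AnyConnect pool, the zone names AnyConnect and trust, and the ASA interface name outside are all assumptions chosen for illustration.

```text
# Added example, not from the thread. Assumed: PA ethernet1/3 faces the ASA's
# outside interface on a /30 transit net (PA 10.10.10.1, ASA 10.10.10.2), the
# ASA hands AnyConnect clients addresses from 10.20.0.0/24 without NAT, and the
# internal LAN sits in an existing "trust" zone behind the PA.

# --- PA-3220 side ---

# Layer 3 transit interface towards the ASA, placed in its own zone
set network interface ethernet ethernet1/3 layer3 ip 10.10.10.1/30
set zone AnyConnect network layer3 ethernet1/3
set network virtual-router default interface ethernet1/3

# Return route: anything destined for the AnyConnect pool goes back to the ASA
set network virtual-router default routing-table ip static-route anyconnect-pool destination 10.20.0.0/24 nexthop ip-address 10.10.10.2 interface ethernet1/3

# Security policy is enforced on the PA, not the ASA: pool clients into the LAN
set rulebase security rules anyconnect-to-lan from AnyConnect to trust source 10.20.0.0/24 destination any application any service application-default action allow log-end yes

# --- ASA side (assumed interface name "outside", no NAT configured for the pool) ---

# Everything not local leaves towards the PA, which owns routing and policy
route outside 0.0.0.0 0.0.0.0 10.10.10.1
```

After committing on the PA, `test routing fib-lookup virtual-router default ip 10.20.0.5` should show ethernet1/3 and next hop 10.10.10.2 as the egress for a pool address; if it points anywhere else, return traffic will never reach the ASA. Two caveats the thread does not cover: the source in the security rule should match the ASA's pool exactly, since the policy is the only control on those clients, and remote clients still have to reach the ASA's VPN listener through the PA, so an inbound security rule (and a destination NAT if the transit address is private) is needed on top of what is shown here.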
@BPry Thank you for sharing your experience on this. And I appreciate both of your insights, @vsys_remo. I have made the changes in the firewall and connected one of the two VPN devices for testing. Yes sir, I have two of these third-party VPN devices that I need to connect to the 3220; both came pre-configured, so I can't even see their configuration. I asked the vendors to recheck their configs but I have not heard any feedback yet. Again, thank you to both of you, and I will update when successful. Many thanks!