Netgate Discussion Forum
    AnyConnect, ASA 5505, and pfSense

General pfSense Questions
5 Posts, 4 Posters, 3.8k Views
jgatl1979:

      Hello All,

      I like the flexibility and ease of use of Cisco's AnyConnect feature, but I like pfSense for everything else.  I am relatively new to both and wanted to configure the ASA 5505 as primarily a VPN device facing WWW.  Behind it, I want to configure pfSense as a firewall which directs traffic according to the IP pool a particular user is using.

      What's my reason for doing this you ask?

I have a couple of isolated lab/development networks that require external support frequently. Presently I am using multiple PIX 501 devices on each network and I want to consolidate them (6 of them) to all use a single VPN device. The problem is that I inherited these networks and my predecessor made them all pretty cookie cutter, reusing a lot of the same IP space for each network. Because of limitations in licensing on my ASA 5505, I'd like to use the NATing, routing, and firewall features to implement a workable solution without losing the "coolness" of AnyConnect.

      Wanted to know if anyone has implemented this and if you see any problems with using both the ASA 5505 and pfSense.  A solution not involving IPsec is preferable.

dzeanah:

        This might be a silly question:

        Could you come up with a cleaner solution by just removing the 5505 from the equation?  I know it's paid for and all that, but simplicity can be a good thing…

valnar:

          Or bump up the license on the ASA5505 to support more vlans.

Unless you are putting one of the firewalls in a transparent mode, I would not suggest stacking firewalls, mainly because of double NAT.

jgatl1979:

Yeah, removing the ASA is a cleaner solution, but I lose AnyConnect. That's the only reason I still want to use it, since pfSense pretty much handles everything else.

bman212121:

I think you'd be better off using pfSense as your primary firewall if you want it to handle network traffic. Use the ASA like it's a server and just have the inside interface listening on port 443 for AnyConnect clients and forward that port from the pfSense WAN to the ASA. Then you can use firewall rules to allow/block IP ranges. Better yet, if you have VLAN support, get a license for more VLANs and the ASA should be able to put the clients directly on the correct subnet.

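The layout bman212121 describes, written out as the pf rules pfSense would end up with, is an added example and not something posted in the thread or shipped by Netgate or Cisco. Everything in it is assumed: the interface names, the documentation-range addresses, and the two AnyConnect pools. On pfSense itself these are entered through Firewall > NAT > Port Forward, Firewall > Rules and System > Routing rather than typed into pf.conf; the fragment shows the equivalent rules so the policy can be read in one place. It also adds two details the post leaves implicit: AnyConnect uses DTLS on UDP/443 alongside TLS on TCP/443, so both need forwarding, and pfSense can only filter per pool if the ASA does not NAT the pool addresses on its way toward pfSense and pfSense has a route back to each pool through the ASA (otherwise valnar's double-NAT warning applies and every client looks like the ASA).

```pf
# Added example; not from the thread. Names and addresses are assumptions
# (RFC 5737 / RFC 1918 ranges), not a real deployment.
wan_if = "em0"               # pfSense WAN, facing the Internet
asa_if = "em1"               # pfSense segment that holds the ASA
asa    = "10.10.0.2"         # ASA interface AnyConnect listens on (behind pfSense)
pool_a = "10.20.1.0/24"      # AnyConnect address pool assigned to the lab A group
pool_b = "10.20.2.0/24"      # AnyConnect address pool assigned to the lab B group
lab_a  = "192.168.10.0/24"   # lab A network (assumed non-overlapping; overlapping
lab_b  = "192.168.20.0/24"   # lab ranges would additionally need 1:1 NAT on pfSense)

# 1. Publish AnyConnect on the pfSense WAN address: TLS on TCP/443 and
#    DTLS on UDP/443, both redirected to the ASA. The pass rule matches
#    the post-translation destination, which is what pf filters on.
rdr on $wan_if inet proto { tcp udp } from any to ($wan_if) port 443 -> $asa port 443
pass in quick on $wan_if inet proto { tcp udp } from any to $asa port 443

# 2. VPN client traffic reaches pfSense on $asa_if with the pool address as
#    its source (requires the ASA not to NAT the pools toward pfSense).
#    Default deny, then allow each pool only into its own lab; anything
#    else from a pool (another lab, the Internet) hits the block.
block in log on $asa_if
pass in quick on $asa_if inet from $pool_a to $lab_a
pass in quick on $asa_if inet from $pool_b to $lab_b

# 3. Return path: pfSense must route the pools back through the ASA.
#    Configured as static routes in the GUI; FreeBSD equivalent shown.
#   route add -net 10.20.1.0/24 10.10.0.2
#   route add -net 10.20.2.0/24 10.10.0.2
```

With the pools as the only thing that distinguishes users, the ASA side of this is one AnyConnect group policy per lab, each with its own address pool; the per-lab rules on pfSense then do the isolation that six separate PIX boxes were doing before.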
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.