https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923870#M5528 <P>If you really need to have DNS-services, there is only the IOS router in the cisco portfolio.</P> <P>If you can live without, my preferences would be:</P> <OL> <LI>Cisco Meraki MX on HQ and the branches. These are most easily to setup and the VPN will work instantly.</LI> <LI>Cisco ASAs on all sites with manually configured route-based VPN. This will give you also a good firewall for the branches.</LI> <LI>IOS routers on all sites. Maximum flexibility but the firewall implementation is most complex compared to the other solutions.</LI> <LI>Personally I don't like Firepower Thread Defense as you always need two IPs reachable from your headquarter. One for the Data-Plane and one for management. That can get quite tricky to setup and is a more advanced topic.</LI> </OL> Fri, 13 Sep 2019 12:19:36 GMT Karsten Iwen 2019-09-13T12:19:36Z https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923837#M5526 <P>Hello all,</P><P>I have to create a topology for VPN connection of the branches with the HQ, to access the servers. My question is: Which FW series (ASA, FRP...) to employ at the HQ and which one to the branches. Branches are small offices up to 10 employees.</P><P>Specification are as below:</P><UL><LI>Dual WAN ports with automatic fallback</LI><LI>IPSec VPN capability (up to 8 simultaneous connections for HQ)</LI><LI>VPN licenses (8 connections for HQ, 1 connection for other sites)</LI><LI>DHCP Server and Relay DHCP (DHCP relay over VPN)</LI><LI>DNS Service</LI></UL><P>Can anyone advice please?</P><P>&nbsp;</P><P>Thank you,</P><P>Kind Regards,</P><P>Dena</P> Fri, 21 Feb 2020 17:29:41 GMT https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923837#M5526 Imma 2020-02-21T17:29:41Z https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923870#M5528 <P>If you really need to have DNS-services, there is only the IOS router in the cisco portfolio.</P> <P>If you can live without, my preferences would be:</P> <OL> <LI>Cisco Meraki MX on HQ and the branches. These are most easily to setup and the VPN will work instantly.</LI> <LI>Cisco ASAs on all sites with manually configured route-based VPN. This will give you also a good firewall for the branches.</LI> <LI>IOS routers on all sites. Maximum flexibility but the firewall implementation is most complex compared to the other solutions.</LI> <LI>Personally I don't like Firepower Thread Defense as you always need two IPs reachable from your headquarter. One for the Data-Plane and one for management. That can get quite tricky to setup and is a more advanced topic.</LI> </OL> Fri, 13 Sep 2019 12:19:36 GMT https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923870#M5528 Karsten Iwen 2019-09-13T12:19:36Z https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923899#M5529 <P>Thank you for your help Karsten,</P><P>&nbsp;</P><P>I am not sure if I understood well. If I choose one of four solutions proposed by you, then I have to build a DNS server. Right?</P><P>Or should I use ISP /open DNS?</P> Fri, 13 Sep 2019 13:08:59 GMT https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923899#M5529 Imma 2019-09-13T13:08:59Z https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923912#M5531 <P>It just means that you can't point your clients to that device to resolve names. Most likely you have a DNS-server inside of your HQ and you can point your clients to that one. With that all clients can resolve your internal resources. Or you could install DNS-servers in each branch. But that could be overkill for 10 employees.</P> Fri, 13 Sep 2019 13:24:00 GMT https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923912#M5531 Karsten Iwen 2019-09-13T13:24:00Z https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923913#M5533 <P>Thank you Karsten. Very helpful indeed.</P><P>&nbsp;</P><P>Kind Regards,</P><P>Dena</P> Fri, 13 Sep 2019 13:27:38 GMT https://community.cisco.com/t5/network-security/hq-and-4-branches-firewall-devices-vpn-connection-topology/m-p/3923913#M5533 Imma 2019-09-13T13:27:38Z