HQ and 4 Branches Firewall devices (VPN Connection) topology!

Imma
Level 1

Hello all,

I have to create a topology for the VPN connection of the branches with the HQ, to access the servers. My question is: which FW series (ASA, FRP...) to employ at the HQ and which one at the branches? Branches are small offices of up to 10 employees.

Specifications are as below:

  • Dual WAN ports with automatic fallback
  • IPSec VPN capability (up to 8 simultaneous connections for HQ)
  • VPN licenses (8 connections for HQ, 1 connection for other sites)
  • DHCP Server and Relay DHCP (DHCP relay over VPN)
  • DNS Service

Can anyone advise please?


Thank you,

Kind Regards,

Dena

Accepted Solution

If you really need to have DNS services, there is only the IOS router in the Cisco portfolio.

If you can live without, my preferences would be:

  1. Cisco Meraki MX at HQ and the branches. These are the easiest to set up and the VPN will work instantly.
  2. Cisco ASAs on all sites with manually configured route-based VPN. This will also give you a good firewall for the branches.
  3. IOS routers on all sites. Maximum flexibility, but the firewall implementation is the most complex compared to the other solutions.
  4. Personally I don't like Firepower Threat Defense, as you always need two IPs reachable from your headquarters: one for the data plane and one for management. That can get quite tricky to set up and is a more advanced topic.


4 Replies

Thank you for your help, Karsten.


I am not sure if I understood well. If I choose one of the four solutions proposed by you, then I have to build a DNS server. Right?

Or should I use the ISP / OpenDNS?

It just means that you can't point your clients to that device to resolve names. Most likely you have a DNS server inside of your HQ, and you can point your clients to that one. With that, all clients can resolve your internal resources. Or you could install DNS servers in each branch, but that could be overkill for 10 employees.
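An added example, not posted in the thread and not taken from Cisco documentation: what option 2 of the accepted solution (ASAs with a manually configured route-based VPN) looks like on the HQ hub and one branch spoke, with the two follow-up points folded in: dual WAN fallback on the branch, and DHCP relay across the tunnel so branch clients receive the HQ DNS server from the HQ DHCP scope instead of needing a DNS service on the firewall. All addresses (RFC 5737 documentation ranges), interface names, the server at 10.0.0.5, the tunnel /30, the policy and profile names and the pre-shared-key placeholders are assumptions made for the example; it also assumes an ASA release with IKEv2 VTI support (9.8 or later) and that the release in use can relay DHCP toward a Tunnel interface.

```cisco
! ===== HQ ASA (hub) =====
! Assumed: interfaces "outside" (198.51.100.10) and "inside" (10.0.0.0/24),
! HQ DHCP/DNS server at 10.0.0.5. One Tunnel interface per branch; branch 1 shown.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256

! One tunnel-group per branch public address. Replace the placeholder with a long
! random secret unique to this branch; certificate authentication is preferable.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key BRANCH1-PSK-PLACEHOLDER
 ikev2 local-authentication pre-shared-key BRANCH1-PSK-PLACEHOLDER

! Route-based VPN: the tunnel is a routed interface, so ordinary static routes
! decide what gets encrypted and no crypto-map ACL is needed.
interface Tunnel1
 nameif vti-branch1
 security-level 0
 ip address 10.255.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

route vti-branch1 10.1.1.0 255.255.255.0 10.255.1.2

! Traffic arriving from the branch enters through a security-level 0 interface,
! so it needs an explicit ACL; limit it to branch LAN -> HQ server LAN and
! tighten to the required ports (DNS, DHCP, the file/app servers) afterwards.
access-list VTI-BRANCH1-IN extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-group VTI-BRANCH1-IN in interface vti-branch1

! ===== Branch 1 ASA (spoke) =====
! Assumed: "outside" (203.0.113.10, ISP1), "backup" (192.0.2.10, ISP2), "inside" (10.1.1.0/24).
! The ikev2 policy, ipsec-proposal and ipsec profile are identical to the HQ side and omitted.
crypto ikev2 enable outside

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key BRANCH1-PSK-PLACEHOLDER
 ikev2 local-authentication pre-shared-key BRANCH1-PSK-PLACEHOLDER

interface Tunnel1
 nameif vti-hq
 security-level 0
 ip address 10.255.1.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

route vti-hq 10.0.0.0 255.255.255.0 10.255.1.1

! Dual WAN with automatic fallback: the primary default route is withdrawn when
! the probe toward HQ through ISP1 fails, and the floating route via ISP2 takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.10 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 192.0.2.1 254

! DHCP relay over the VPN: branch clients get their lease, default gateway and the
! HQ DNS server address from the HQ DHCP server's scope for 10.1.1.0/24.
dhcprelay server 10.0.0.5 vti-hq
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 90
```

Two caveats worth checking before copying this. First, the tunnel is sourced from `outside`, so when the tracked route fails over to `backup` the VPN itself does not follow; a second Tunnel interface sourced from `backup` (with its own tunnel-group and a higher-metric route to the HQ LAN) is needed for the VPN to survive an ISP1 outage, which is also why the HQ licence in the question (8 connections for 4 branches) leaves room for two tunnels per site. Second, DHCP relay only has to work until the client has a lease; if the tunnel is down at boot the branch has no addressing at all, which is the practical argument for keeping a small local DHCP scope on the branch ASA and relaying only where the HQ-managed scope is genuinely wanted.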

Thank you, Karsten. Very helpful indeed.


Kind Regards,

Dena
