HQ and 4 Branches Firewall devices (VPN Connection) topology!

Imma
Level 1

Hello all,

I have to create a topology for VPN connection of the branches with the HQ, to access the servers. My question is: Which FW series (ASA, FRP...) to employ at the HQ and which one to the branches. Branches are small offices up to 10 employees.

Specifications are as below:

  • Dual WAN ports with automatic fallback
  • IPSec VPN capability (up to 8 simultaneous connections for HQ)
  • VPN licenses (8 connections for HQ, 1 connection for other sites)
  • DHCP Server and Relay DHCP (DHCP relay over VPN)
  • DNS Service

Can anyone advise please?


Thank you,

Kind Regards,

Dena


4 Replies

If you really need to have DNS-services, there is only the IOS router in the cisco portfolio.

If you can live without, my preferences would be:

  1. Cisco Meraki MX on HQ and the branches. These are the easiest to set up and the VPN will work instantly.
  2. Cisco ASAs on all sites with manually configured route-based VPN. This will also give you a good firewall for the branches.
  3. IOS routers on all sites. Maximum flexibility, but the firewall implementation is the most complex compared to the other solutions.
  4. Personally I don't like Firepower Threat Defense as you always need two IPs reachable from your headquarters: one for the data plane and one for management. That can get quite tricky to set up and is a more advanced topic.

Thank you for your help Karsten,


I am not sure if I understood well. If I choose one of the four solutions proposed by you, then I have to build a DNS server. Right?

Or should I use ISP /open DNS?

It just means that you can't point your clients to that device to resolve names. Most likely you have a DNS-server inside of your HQ and you can point your clients to that one. With that all clients can resolve your internal resources. Or you could install DNS-servers in each branch. But that could be overkill for 10 employees.
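Option 2 of the accepted answer (ASAs on every site with a manually configured route-based VPN) and the advice above about pointing branch clients at the DNS server inside HQ can be shown in one configuration. The following is an added example, not configuration from this thread or from Cisco: the branch-side ASA builds an IKEv2 tunnel to HQ on a virtual tunnel interface (VTI), routes the HQ networks into it, and relays DHCP over the tunnel to an HQ DHCP server whose scope hands out the HQ DNS server, so the branch firewall never has to answer DNS itself. The HQ side's matching tunnel stanza is included. All addresses (198.51.100.1, 203.0.113.2, the 10.x and 192.168.1.0/24 networks), the interface and profile names, and the pre-shared key placeholder are constructed; it assumes an ASA release with VTI support (9.7 or later) and that DHCP relay may use the VTI as its server-facing interface.

```cisco
! ===== Branch ASA (constructed example; every address and name below is an assumption) =====
! outside 203.0.113.2, inside LAN 192.168.1.0/24, HQ peer 198.51.100.1, HQ networks 10.10.0.0/16

! IKEv2 policy: AES-256 / SHA-256 / ECDH group 19 (parameter choices, not taken from the thread)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec (child SA) proposal and the profile the tunnel interface will use
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256

! Peer authentication with a pre-shared key; use a distinct key per branch (placeholder value)
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REPLACE-WITH-LONG-RANDOM-KEY>
 ikev2 local-authentication pre-shared-key <REPLACE-WITH-LONG-RANDOM-KEY>

! Route-based VPN: a VTI to HQ with a /30 transit network on it
interface Tunnel1
 nameif vti-hq
 ip address 10.255.1.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Whatever is routed into the VTI is encrypted; no crypto-map "interesting traffic" ACL is needed
route vti-hq 10.10.0.0 255.255.0.0 10.255.1.1

! Inbound on the VTI, only permit HQ networks to the branch LAN (return traffic of branch-initiated
! sessions is allowed statefully regardless of this ACL)
access-list VTI-IN extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-group VTI-IN in interface vti-hq

! DHCP relay over the VPN: client DISCOVERs from the branch LAN are forwarded through the tunnel
! to the HQ DHCP server 10.10.0.10. Its scope for 192.168.1.0/24 supplies the HQ DNS server as
! option 6, so clients resolve internal names at HQ without any DNS service on the ASA.
dhcprelay server 10.10.0.10 vti-hq
dhcprelay enable inside
dhcprelay timeout 90

! ===== HQ ASA: mirrored tunnel stanza. Repeat with its own Tunnel number, /30 and peer =====
! ===== for each branch; the IKEv2 policy, proposal and profile above are shared.           =====
interface Tunnel1
 nameif vti-branch1
 ip address 10.255.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
route vti-branch1 192.168.1.0 255.255.255.0 10.255.1.2
```

Two points worth checking before relying on this: a VTI is bound to a single source interface, so the "dual WAN with automatic fallback" requirement applies to the tunnel as well, and that means a second Tunnel interface sourced from the backup WAN with a higher-metric route to the HQ networks, not just a backup default route; and if the existing NAT rules use `any` as the egress interface, an identity (no-NAT) rule for traffic between the branch and HQ networks is needed, because traffic leaving via the VTI would otherwise be translated. `show crypto ikev2 sa` and `show interface Tunnel1` confirm that the tunnel is up before testing DHCP relay from a branch client.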

Thank you Karsten. Very helpful indeed.


Kind Regards,

Dena
