06-10-2015 11:54 AM - edited 03-11-2019 11:05 PM
So did some googlydo and found nothing regarding this question. A vendor recommended using IOS for VPN instead of ASA, as in "best practice". Now considering the vendor also sells the hardware, to me it seems like a way to sell more hardware.
So what is the Cisco recommended best practice to VPN? ASA or IOS? Considering there is a future hardware upgrade coming, firewall and VPN, want to make sure I am on the right track.
06-10-2015 11:42 PM
There's no one best practice in this regard. Certain types of VPN are arguably better suited to the ASA platform (remote access, client-based and clientless SSL VPN, site-to-site). Others are best on IOS routers (Flex VPN, DMVPN). In fact those two latter types aren't supported on ASA at all.
A good vendor will analyze your environment and requirements and be able to articulate (and defend) what is the best solution for your organization.
06-11-2015 05:50 AM
That confirms what I have been saying all along (I used to design and manage networks for hundreds of companies). I did not see any reason to run remote access and site-to-site on a router when the ASA supports it better and more securely. The other two types are more suited for hub and spoke, and where sites communicate with each other in addition to the main site, which DMVPN does quite well. I have always used EZVPN from IOS to ASA for sites with dynamic addressing. For sites ASA to ASA always recommended static IP and L2L VPN so more than one network can be tunneled.
In the beginnings of a redesign and wanted to see if there was any reason (other than DMVPN) to use IOS over an ASA for VPN. I couldn't think of anything.