
Design and professional opinion


I am looking for some professional opinions on how to go about setting up secure connectivity to multiple remote sites.  I figured going to the professional forum is probably the best place to go to see what everyone thinks. 

Here are the requirements.

1. 400 to 500 remote sites (some larger and some quite small)

2. Must be secure: AES-256 or above, FIPS compliant

3. Needs to be a hub-spoke type connection. All spokes need to come back to Headquarters for information.

4. Need to be able to manage the connection by way of some sort of NPM

5. Call center will need restricted abilities in order to troubleshoot in off-hours (for instance, if Lan2Lan, the call center can't have full ASA admin access)

6. Traffic would need to be initiated from both the remote and HQ side, bidirectional.

7. Remote site networks are managed by their separate agency. We can place equipment there for them to route to.


These are the most important requirements I can think of at this moment.  Most likely, there will be some sort of broadband type connection to each remote site as we are trying to go away from costly dedicated slower circuits from the Telco. 


We have toyed with putting an ASA 5505 at each remote site and creating lan2lan tunnels back to HQ. The problem with this is that our call center would require full access to the ASA to reset tunnels. In addition, monitoring lan2lan tunnels with an NPM has come to be quite a chore and, to the best of my knowledge, there's no real great way to do this without finding an IP of something else to ping.


I am looking forward to hearing your personal opinions as to what the best option would be regarding something of this nature. Again, this is an enterprise type setup and will need something that works and works well. You guys are super smart and I know you will steer me in the right direction. Thank you for your help and time in offering your solutions.

1 Reply

Collin Clark

You could use DMVPN, or probably a better solution would be to use MPLS and DMVPN and create a tiered design (e.g. sites->regions->corporate). There are a million factors with a design and your applications, so we can only give you ideas. You can work with your local PSE to come up with a good design.
