Showing results for 
Search instead for 
Did you mean: 

Confused about site to site VPN

Hi all


We have a new project which requires a second site, we want to use a VPN tunnel to connect to Site A to Site B we currently have in Site A the following:

2x Cisco asa 5525-x 

3x Mcafee S4016's 


My colleague seems to think that our firewalls have the ability to create a VPN to both Site A and Site B.


I'm aware of GRE tunnels and our contractor had also decided that would be our best option, but we are currently in the process of replacing our core Cisco switches with Dells. 


Are the Firewalls capable of doing VPNS? 


The FWs will have no problem in doing site to site VPNs,  


The ASA is capable of running ipsec VPNs.  I can't recall if they can do GRE or not.  


Positive of GRE/IPSEC:  You only need to permit GRE traffic across the IPSEC as opposed to any sort of subnet/host pairs that you need in the encryption domain.  This also allows you to use a routing protocol in the event of site expansion without having to touch the encryption domains.  


IPSEC:  you know exactly what's allowed to cross the tunnel as you had to setup all the pairs.  


Hi thanks for the reply really appreciate it :) 


Regarding the ASA, is having them run VPNs best practice or? does it matter if we have it in a DMZ zone which is gets NAT'd? 


I can draw a diagram if it will be clearer. Let me know 

diagram will be better of course


and asa 9.4 probably supports gre


I am not shure in your design

Hi, sorry for the late response please see the link below regarding a basic outline of our design.

I see a router connected the WAN. Is it a Cisco router? What do you have in your second site? 

Hi, this is our SDP we don't have control over this. 

Masoud Pourshabanian

You can not terminate GRE on your ASA. What do you have at the edge of your both sites?It will be more obvious If you share you topology.

if ASA is located at the edge, you can have site to site IPSEC . IPSEC is a standard protocol, so you are able to make site to site IPSEC on your ASA in site A and on your other device(IPSEC compatible) in site B. You also able separate GRE and IPSEC. You can  have GRE tunnel between two devices located before ASA and then ASA can perform encryption(if ASA is just for WAN security)


IF you have Cisco devices at the edge your sites, you can have both GRE and IPSEC on Cisco. In this case, you can propagate your routes easily on GRE tunnel. And ASA can be used for both LAN and WAN security(depending on the size of your network)


Hope it helps.