network design

Vishnu Reddy
Level 1

Hi Guys,

We are planning to implement a new Cisco phone system in Europe. This will need to include a new HA firewall solution and VPN solution at that site in Europe. Currently we are using Juniper for the VPN solution in the datacenter at Atlanta, and we want to use Cisco instead of Juniper, as this is the decision the company has made. Hardware has to be Cisco in Europe and in the Atlanta datacenter. Please advise, or share any ideas/suggestions on which hardware would be optimal and scalable in terms of future planning. The Europe site consists of 200 users and the Atlanta site consists of 500 users.

Thanks in advance...


Hello.

Please refer to ASA comparison table:

http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/models-comparison.html#~tab-b

If you don't have any complex NAT/security, then the 5515-X could suit you; otherwise start thinking of the 5525-X.

Thanks for the reply.

Yes, we do have the VPN termination at Europe. Right now we are routing our VPN traffic to Atlanta, which is not feasible because of bandwidth constraints.

Let me know your thoughts. Also, at Atlanta we are refreshing the Juniper and replacing it with Cisco.

 

Hello.

>>Let me know your thoughts

Sorry, but what is your question?

Sorry. I meant for the 200 user base in Germany. We want to create a VPN termination point as well as do some NATing, and we want to achieve failover for the hardware. Should we go for 2 ASAs as an active/standby pair to achieve firewall redundancy? We already have 2 WAN routers over there. Can you elaborate on the placement of the ASA in the existing infrastructure?

 

Hello.

What do you use 2 WAN routers for?

What type of VPN do you use (terminated on Juniper only?)?

Do you use IPSec between the sites only, or remote users are connecting with VPN solution as well?

What is the Internet link bandwidth per location?

Do you have any special requirements for DMZ (like different zones and tiers)?

How is the routing (between the sites) done (static/dynamic, what protocol)?

Do you run multicast?

PS: do you have any diagrams?

What do you use 2 WAN routers for?

Both WAN routers are connecting to MPLS sites and also running as DMVPN clients connected to the DMVPN hub for failover of MPLS.

What type of VPN do you use (terminated on Juniper only?)?

Do you use IPSec between the sites only, or remote users are connecting with VPN solution as well?

Right now everyone all over the company VPNs into the datacenter for remote access. We are utilizing site-to-site only for connecting to our customers. Remote users VPN into the Juniper box and we want to replace it with the Cisco ASA. Let me know which solution would be the most viable.

 

What is the Internet link bandwidth per location?

MPLS: average for remote sites 5 Mbps, main site 50 Mbps.

DMVPN as backup through a redundant link via high-speed business ADSL internet, average 5 Mbps to 10 Mbps.

Do you have any special requirements for DMZ (like different zones and tiers)?

Yes, we require a DMZ. Also a structured approach, like putting a firewall between every tier, pretty much as documented in Cisco SAFE. With this in mind, where would be the ideal placement of the firewall at the main site as well as at the German site? The main site is running Nexus 7K in the core with ISR G2 as the WAN routers. I have attached the image for the German site.

If people VPN in using AnyConnect to access resources, should the ASA be placed facing the internet, or would it be fine behind the WAN router? Will this serve the purpose? We want to achieve failover, so I am guessing 2 ASAs in active/standby would serve the purpose. Again, where would the ASA be placed in the diagram attached?

How is the routing (between the sites) done (static/dynamic, what protocol)?

We are running EIGRP as the internal routing protocol and running BGP interfacing with the service provider through the MPLS cloud. We are running a separate EIGRP process for DMVPN, which we are using as backup for MPLS.

Do you run multicast?

Yes, we are utilizing it for video conferencing.

 

Hello.

So, you are using Juniper for remote access workers and want to replace it with ASA. The question is: what type of remote access do you use, and is it supported by ASA?!

Site-to-site VPN may be terminated by routers or by ASA (depending on routing and security requirements).

Regarding ASA placement:

 - routers are more flexible in terms of last-mile type, but if you have ADSL, I'm not sure if the ASA could handle it without a router;

 - for sure the ASA must separate your internal LAN from the Internet and DMZ, but it's not clear if you want to put the ASA between the LAN and your customers (and remote access workers);

 - if you run ASA HA and use it as the CE, then you would need some L2 switch to connect the WAN link and the 2 ASA interfaces.

 

My only concern is that putting the ASAs behind the router would be the ideal solution, but could we achieve site-to-site to the ASAs as well as client access VPN? For example, a client connects to the VPN device, i.e. the ASA, and it should work. So should we think of something like a VPN concentrator that will do remote client VPN / site-to-site VPN? Sorry, I am kind of new to design, hence pestering with so many questions.


Hello.

If you put the ASA behind the router[s], then you would need some public IP address range to be routed over the CE (probably provider dependent).

With a public IP address assigned to the ASA you will be able to do site-to-site VPN and remote client VPN.

I assume you will configure the WAN router's interface facing the PE and the ASA in a dedicated VRF (to separate raw Internet from the internal network).
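The VRF separation described in the reply above, written out as an added configuration example for one of the ISR G2 WAN routers (this is not configuration from the thread or from Cisco; interface numbers, VRF name and addresses are assumptions using documentation address ranges). Only the PE-facing and ASA-facing interfaces live in the `INET` VRF, and the VRF's default route is the only path to the Internet, so the global table carrying EIGRP/MPLS routes never learns a default route and internal hosts cannot reach the Internet except through the ASA. The ASA-facing subnet uses HSRP so the ASA pair keeps a single next hop when either router fails.

```cisco
! Added example, not from the thread. Assumed: Gi0/0 to the provider PE,
! Gi0/1 to the L2 switch in front of the ASA pair, Gi0/2 internal.
! 198.51.100.0/30 and 203.0.113.0/24 are documentation ranges (assumed).
ip vrf INET
 description Raw Internet, isolated from the internal routing table
 rd 65000:1
!
interface GigabitEthernet0/0
 description Internet uplink to provider PE
 ip vrf forwarding INET
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
interface GigabitEthernet0/1
 description Towards ASA outside (L2 switch shared with second router)
 ip vrf forwarding INET
 ip address 203.0.113.2 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ! HSRP VIP 203.0.113.1 is the ASA pair's default gateway; the second
 ! router uses 203.0.113.3 with a lower priority (assumed)
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
!
interface GigabitEthernet0/2
 description Inside LAN / MPLS side, stays in the global table (EIGRP)
 ip address 10.10.0.1 255.255.255.0
!
! Default route exists only inside the INET VRF
ip route vrf INET 0.0.0.0 0.0.0.0 198.51.100.1
! Additional public block for NAT pools and VPN endpoints, routed to the
! ASA active outside address (the standby unit inherits it on failover)
ip route vrf INET 203.0.113.16 255.255.255.240 203.0.113.10
!
! Do not expose management to the raw-Internet side (assumed ACL)
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

With this layout the provider routes the public /24 (or whatever the provider assigns) to 198.51.100.2, the router forwards it into the VRF, and only the ASA bridges the VRF-side network to the global-table LAN. A quick sanity check after applying it is `show ip route vrf INET` (the default should appear there) and `show ip route 0.0.0.0` in the global table (no default should be present).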

Thank you for your response. I am planning to use 2 WAN routers at the internet and MPLS edge. The model used is ISR G2 2911. Then I plan to put 2 ASA 5515-X with Security Plus: one for internet, which will serve as the firewall, and the other as the VPN termination point. The ASAs are going to be behind the WAN routers and connected to a layer 2 switch, to be configured for LAN failover for high redundancy.

My question to you is: can I perform active/standby for high availability considering the same hardware with 2 roles, one doing VPN and the other doing the firewall/Internet function?

If yes, does that mean any config changes are replicated to the other ASA through the LAN failover link?

In this situation, what should we use, firewall in routed mode or transparent mode?

Thanks in advance.


Hi vreddy002,

Have you already spoken to your Cisco rep regarding the setup concerns that you have? You can perform active/standby mode on one of your ASAs, but the config changes on one would reflect on the other once you pass on the config to the standby ASA. If you have any concerns or any other questions regarding this deployment, please send me an email at fguasque@cisco.com. Hope this helps!

 

Thanks,

Ferdinand Guasque 
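The active/standby pair asked about in the two posts above, as an added configuration example for the primary ASA (not configuration from the thread or from Cisco; interface numbers, addresses and the failover link are assumptions). Two points worth seeing in the configuration: the failover link replicates the whole running configuration from the active unit to the standby, so both units carry the same firewall and VPN configuration and the standby is idle until it takes over (one pair serves both roles, or you deploy two pairs), and terminating AnyConnect remote-access VPN requires routed mode, which is what the interface addressing below assumes.

```cisco
! Added example, not from the thread. Primary unit shown; the secondary
! unit needs only the failover lines with "failover lan unit secondary"
! and pulls the rest from the primary over the failover link.
!
! Dedicated failover + state link (assumed Gi0/5, back-to-back or via the
! L2 switch). Keep it off the data VLANs.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/5
failover link FOLINK GigabitEthernet0/5
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Authenticate and encrypt failover traffic: it carries the configuration,
! including VPN pre-shared keys and certificates. Placeholder value.
failover key <strong-shared-key-placeholder>
! Failure detection timers (unit and interface polling)
failover polltime unit 1 holdtime 3
failover polltime interface 5 holdtime 25
!
interface GigabitEthernet0/5
 description Failover and state link
 no shutdown
!
! Outside faces the WAN routers' HSRP VIP in the INET VRF (assumed).
! Each data interface gets an active address and a standby address so
! both units can be monitored; the active address moves on failover.
interface GigabitEthernet0/0
 description Outside, towards WAN routers
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
!
interface GigabitEthernet0/1
 description Inside LAN
 nameif inside
 security-level 100
 ip address 10.10.0.10 255.255.255.0 standby 10.10.0.11
!
interface GigabitEthernet0/2
 description DMZ
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
!
! Interface health is part of the failover decision
monitor-interface outside
monitor-interface inside
monitor-interface dmz
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Enable failover last, after both units have the lines above
failover
```

After both units are up, `show failover` on the primary should report "Active" for this host and "Standby Ready" for the peer; the standby unit's configuration is expected to match because it is replicated, and the only lines typed on the secondary are the failover commands themselves. Because the configuration and VPN secrets cross the failover link, keep that link on a dedicated cable or isolated VLAN and always set the failover key.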
