01-07-2024 07:46 PM - edited 01-07-2024 08:05 PM
Hi,
We have a spare router; as per management decision, we have to use it as a VPN router. Can you please help me with where we can fit this into our topology? We want to place it between the Core router (ISR-4331) and the Core Firewall (FTD-2130); the Core router is currently connected to the ISP. How can we make it work (routing), or do you have any other suggestion?
01-07-2024 11:39 PM
VPN meaning
Site to Site
or
Remote Access
MHM
01-08-2024 01:10 AM
Only for Remote Access.
01-08-2024 12:01 AM
What Core Router is this? Do you have any additional interface on that router? I suggest connecting as below:
On the Core Router you can do NAT (or, if you have more public IP addresses, you can use them).
01-08-2024 01:10 AM - edited 01-08-2024 01:14 AM
Thanks. In this case, for the VPN router, one leg should be connected to the Core Router and the other to the Core Firewall, right?
01-08-2024 02:04 PM
Personally, you are not required to have dual legs; you can use a single-leg connection to achieve that for RA VPN.
But if you have more ports available, you can also achieve both models.
The router requires a throughput license; the base license is only limited to a certain amount, check the documents.
01-08-2024 01:22 AM
Yes, NAT is happening on the Core Router. Should we place it like below?
01-08-2024 01:31 AM
01-08-2024 02:19 AM
Thanks. Can you please guide us on the routing part and the VPN part to make this work?
01-08-2024 02:56 AM
For the VPN part, I don't know what you mean.
You use the router for RA VPN, so which RA do you mean?
For routing:
configure the VPN pool subnet in the VPN router
in the FTD, configure a route to the VPN subnet toward the VPN router
in the VPN router, configure a default route toward the Edge router
in the VPN router, configure a route for the internal subnet toward the FTD
MHM
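The four routing statements above, turned into a small path check that runs offline. This is an added example, not from the thread: the device names, the 10.99.0.0/24 VPN pool and the 10.10.0.0/16 internal subnet are constructed assumptions. Each device's static routes are modelled as a longest-prefix-match table; the check traces the decrypted client-to-internal path and the return path, and then reproduces the common misconfiguration where the FTD lacks the route back to the VPN pool, so the reply follows the FTD's default route toward the edge router and never reaches the VPN router.

```python
import ipaddress
from typing import Dict, List, Tuple

# (prefix, next hop). A next hop is another device name, "local" (delivered on
# this device) or "internet" (leaves the modelled network).
Route = Tuple[str, str]
RouteTable = Dict[str, List[Route]]

# Constructed addressing for the example; the thread gives no real prefixes.
VPN_POOL = "10.99.0.0/24"     # RA VPN client pool, terminated on the VPN router
INTERNAL = "10.10.0.0/16"     # LAN behind the FTD

# Static routes as the reply describes them: the VPN router defaults toward the
# edge (core) router and sends the internal subnet to the FTD; the FTD sends the
# VPN pool to the VPN router. The edge router only knows the internal LAN.
ROUTES: RouteTable = {
    "vpn-router":  [("0.0.0.0/0", "edge-router"), (INTERNAL, "ftd"), (VPN_POOL, "local")],
    "ftd":         [("0.0.0.0/0", "edge-router"), (INTERNAL, "local"), (VPN_POOL, "vpn-router")],
    "edge-router": [("0.0.0.0/0", "internet"), (INTERNAL, "ftd")],
}


def lookup(table: List[Route], dst: str) -> str:
    """Longest-prefix match; returns the next hop, or "drop" when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, "drop"
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def trace(routes: RouteTable, start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops from `start` until delivery ("local"), exit ("internet"), a drop or a loop."""
    path, device = [start], start
    for _ in range(max_hops):
        hop = lookup(routes[device], dst)
        path.append(hop)
        if hop not in routes:          # "local", "internet" or "drop" ends the trace
            return path
        device = hop
    path.append("loop")
    return path


def check_vpn_paths(routes: RouteTable, client_ip: str, server_ip: str) -> Tuple[bool, List[str], List[str]]:
    """Both directions must be delivered and must cross the VPN router <-> FTD link directly."""
    forward = trace(routes, "vpn-router", server_ip)   # decrypted client packet heading inside
    reverse = trace(routes, "ftd", client_ip)          # server reply heading back to the client
    ok = forward == ["vpn-router", "ftd", "local"] and reverse == ["ftd", "vpn-router", "local"]
    return ok, forward, reverse


def without_route(routes: RouteTable, device: str, prefix: str) -> RouteTable:
    """Copy of the tables with one static route removed, to reproduce a misconfiguration."""
    return {d: [r for r in t if not (d == device and r[0] == prefix)] for d, t in routes.items()}


if __name__ == "__main__":
    ok, fwd, rev = check_vpn_paths(ROUTES, "10.99.0.10", "10.10.5.20")
    print("correct design:", ok, fwd, rev)
    broken = without_route(ROUTES, "ftd", VPN_POOL)
    ok, fwd, rev = check_vpn_paths(broken, "10.99.0.10", "10.10.5.20")
    print("FTD missing pool route:", ok, fwd, rev)   # reply leaks toward the edge router
```

The point of checking the reverse path separately is that the forward direction works even when the FTD route is missing, so a ping from a VPN client appears to leave correctly while the reply is sent out the FTD's default toward the core router; a stateful firewall will also drop such asymmetric flows.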
01-08-2024 01:38 AM
The proposed solution is my personal favorite if there is already a redundant setup. But if not, you need two ports on the Core router, which is often unavailable. Adding a switch just for this purpose adds another single point of failure. In this case, I would place the router one-armed or two-armed directly on the firewall.
But as you mention remote-access VPN, I would rethink this approach, as the FTD is much more powerful than the ISR when it comes to RA VPN.
01-08-2024 02:01 AM
But this FTD does not have a VPN license.
01-08-2024 02:33 AM
Then it is more than likely that you don't have a valid Cisco Secure Client License at all. You need this regardless of the VPN platform.