07-15-2020 06:59 AM - edited 07-15-2020 07:00 AM
We are in the process of moving one of our departments to a new location where we will need to create a point-to-point VPN tunnel using an ASA-5505 at the far end and a Palo Alto at our core location. I am much more familiar with configuring the PA than the Cisco ASA and would appreciate some advice. We need to create three new LANs that will be VLANed out at the new location. Would it be more advantageous to separate these networks by using logical subinterfaces on a single interface, or would it be better to use a separate physical interface for each network? What are the pros and cons of one way vs. the other? Also, we have a Cisco VoIP system with Call Manager and will be deploying phones to the new location. Anything that should be noted for routing the traffic across the tunnel? Thanks
07-15-2020 08:51 AM
07-16-2020 01:37 AM
Hello @dbuckley77 ,
for the LAN interfaces the best option is to use a port channel with two member interfaces and have VLAN-based subinterfaces of the port channel.
In this way you avoid the single point of failure of a single interface dedicated to a subnet.
For security reasons the interface going to the "outside" world should be on a separate interface dedicated to this purpose.
This is recommended to avoid having the Internet-facing VLAN/subnet connected to internal switches.
As a final note, you need to check the license of the ASA; three VLANs should not be an issue, the basic license should provide 5. But if you want to add more VLANs later you may need to verify the max VLAN limit.
Hope to help
Giuseppe
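As an added illustration of the layout Giuseppe describes (this is not configuration from the thread or from Cisco documentation), the ASA snippet below puts the three new LANs on 802.1Q subinterfaces of a two-member port channel and keeps the ISP handoff on its own physical port. It assumes an ASA model that supports EtherChannel (ASA 5506-X and later, or 5510 and up); the ASA 5505 has an integrated switch and instead uses `interface Vlan N` with `switchport access vlan N` on its Ethernet0/x ports. All interface names, VLAN IDs, addresses and the Call Manager subnet are placeholders.

```cisco
! Added example, not from the original thread. Platform assumption: ASA with
! EtherChannel support (not the 5505). VLAN IDs and addresses are placeholders.
!
! --- inside: two-member port channel so one failed link does not take a LAN down ---
interface GigabitEthernet1/2
 description Port-channel member to LAN switch
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet1/3
 description Port-channel member to LAN switch
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Port-channel1
 description 802.1Q trunk to LAN switch (parent; subinterfaces carry the LANs)
 no nameif
 no security-level
 no ip address
!
! one subinterface per LAN; each gets its own nameif so ACLs apply per segment
interface Port-channel1.10
 vlan 10
 nameif data
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif voice
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
interface Port-channel1.30
 vlan 30
 nameif mgmt
 security-level 90
 ip address 10.10.30.1 255.255.255.0
!
! --- outside: dedicated physical port, never a VLAN on the LAN trunk ---
interface GigabitEthernet1/1
 description ISP handoff (Internet-facing)
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
! data and voice share security-level 100; leave inter-interface forwarding off
! (the default) so traffic between them must match an explicit interface ACL
no same-security-traffic permit inter-interface
!
! example: voice VLAN may only reach the Call Manager subnet for signalling and media
! <CALLMANAGER_SUBNET> is a placeholder for the core-site Call Manager/phone range
access-list voice_in extended permit tcp 10.10.20.0 255.255.255.0 <CALLMANAGER_SUBNET> eq 2000
access-list voice_in extended permit udp 10.10.20.0 255.255.255.0 <CALLMANAGER_SUBNET> range 16384 32767
access-list voice_in extended deny ip any any
access-group voice_in in interface voice
```

With the LANs on separate named subinterfaces, the site-to-site VPN's interesting-traffic ACL and the per-interface ACLs can reference `data`, `voice` and `mgmt` independently, so a misconfigured data host cannot reach the voice segment just because both hang off the same trunk. The outside port being physically separate means an accidental trunk change on the LAN switch cannot expose the Internet-facing subnet to internal ports.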
07-17-2020 06:17 AM
It just occurred to me that the ASA only has 10/100 interfaces and our ISP circuit will be 600 Mbps. How much bandwidth is recommended to run Cisco VoIP across a VPN?
07-17-2020 07:24 AM
Hello @dbuckley77 ,
you will need a DMZ switch to land the ISP circuit.
For VoIP calls you need to consider roughly 100 Kbps of traffic for the bearer channel, not encrypted.
The VoIP RTP packets are really small, so you can consider that encryption can double the rate; you will need 1 Mbps for every 5 simultaneous VoIP calls.
So bandwidth is not an issue in your case if this is a branch office with only 20-30 IP phones.
The real issue I see is that the ASA 5505 is likely not able to use all this bandwidth, 600 Mbps, for IPsec-encrypted traffic bidirectionally.
So in the long term you may want to replace it with a newer, more powerful firewall.
Hope to help
Giuseppe