You need an affordable solution to connect multiple locations with dynamic IPs to a central VPN server.
FlexVPN/DMVPN would solve this, but central IOS routers cost plenty of money and offer only a limited HA solution. You would need an HSEC license if you want to go for over 85 Mbit and 225 tunnels. Also, firewall management via CLI is a mess.
If you have dynamic IPs (e.g. with 4G) and don't want to go for certificates, you have to use PSK. The downside is that every PSK has to be the same via DefaultL2LGroup. To avoid this, we create IKEv2 tunnel groups and set the ISAKMP ID on the clients to the name of the tunnel group.
The ASA (esp. 5515-X) is quite affordable, handling multiple tunnels with high throughput. Also it offers really good HA with Active/Standby failover including stateful IPSEC failover. On the downside it doesn't support FlexVPN, so the config part on the routers is quite big.
On the client side we use 880 Branch Routers which support all needed features.
On the ASA we configure the following (only crypto parts):
Specify the subnets:
access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET
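As an added example (not the original poster's config), here is the per-site tunnel-group pattern the post describes, hub and spoke side by side: the ASA names a tunnel group after the IKEv2 identity the branch sends, and the 880 sets `identity local key-id` to that same name, so each branch gets its own PSK rather than the shared DefaultL2LGroup key. Hub address 198.51.100.1, the subnets, the group/proposal names and the ACL `outside_cryptomap` are assumptions; keys are placeholders.

```cisco
! ---- ASA (hub) ----
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Dynamic map: branches with changing IPs initiate, the hub only responds
crypto dynamic-map DYN-MAP 10 match address outside_cryptomap
crypto dynamic-map DYN-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map 65535 ipsec-isakmp dynamic DYN-MAP
crypto map outside_map interface outside
! One tunnel group per site, named after the KEY_ID the site sends in IKE_AUTH;
! a non-IP name is selected by that ID, so the PSK is unique to this branch
tunnel-group BRANCH-01 type ipsec-l2l
tunnel-group BRANCH-01 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-BRANCH-01-KEY
 ikev2 local-authentication pre-shared-key REPLACE-WITH-BRANCH-01-KEY
! ---- 880 branch router (spoke, dynamic WAN IP) ----
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring HUB-KR
 peer HUB
  address 198.51.100.1
  pre-shared-key local REPLACE-WITH-BRANCH-01-KEY
  pre-shared-key remote REPLACE-WITH-BRANCH-01-KEY
crypto ikev2 profile HUB-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 identity local key-id BRANCH-01
 authentication local pre-share
 authentication remote pre-share
 keyring local HUB-KR
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
! No FlexVPN on the ASA side, so a classic crypto map selects the traffic
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256
 set ikev2-profile HUB-PROF
 match address VPN-TRAFFIC
interface Dialer1
 crypto map HUB-MAP
```

A second branch repeats the tunnel-group block with its own name and key; if a branch's key-id matches no tunnel group, the ASA falls back to DefaultL2LGroup, so keep that group's PSK unset or unique as well.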