VPN Connectivity

Hi,

I have a headoffice location to which I want to connect multiple small locations(branch offices) in different geographic locations. At my head office I am using one cisco router behind which I have my firewall.

My question is when I create VPN between my headoffice and other office site, the VPN tunnel should be bettween the two routers(headoffice and branch office) or will it be between the firewalls. Kindly help.

Thanks in advance.


Regards,

Keshav Methi


Hello, Keshav. 

Most routers today have built-in firewall/VPN features. Sometimes, deploying a firewall for your smaller office is a cost-effective solution to connect them to your network. What kind of router are you using in your head office?

Let me know if you have additional concerns or e-mail (adawa@cisco.com) me directly. Kind regards. 


Keshav


We do not have enough information to give you a good answer. In particular we need to know whether the firewall at the head office has a public IP on its outside interface or a private IP address. If the address is public you could have VPN from either as you choose. But if the firewall has a private address (the router is doing address translation in passing traffic from outside) then the VPN must be from the router which has the public address.

HTH

Rick

Hi Guys,

Thank you for your response. I am using a Cisco 2951 series router.

Rick,

I have not decided whether the address translation will be on the router or the firewall. What I understand from you is: "if I am implementing NAT on the router then the VPN tunnel shall start from the router; if I am implementing NAT on the firewall then the VPN tunnel shall start on the firewall". Can you explain the reason for this to me?

Another question is, can I have a router at one end (head office) and a firewall at the other end (branch office) and have a VPN tunnel between them? Does the branch office need a router?

Further to the above, can I have a VPN tunnel over an MPLS network as well?

Regards,

Keshav Methi


Keshav


One of the main requirements of a site-to-site VPN is that both peers have IP connectivity to each other. So if the firewall has a public address then it could function as the VPN peer. But if the firewall has a private address (and the address translation is done on the router) then the firewall cannot be the VPN peer, and the branch must peer with the router.

As to your other questions:

- Yes, it works fine to have a site-to-site VPN between a firewall on one side and a router on the other side.

- It should work fine to have VPN over MPLS, though since MPLS is generally designed to provide the functionality of a private network to the participants, I am not sure why you would want VPN over an MPLS connection.

HTH

Rick

Hi Richard, thank you for your valuable response. Coming back to my first question: I have IP connectivity between the firewall and the router, though the router is doing the address translation. What is the reason that you are advising me to implement the VPN on the router instead of the firewall? Further, is there any limit on the router regarding how many site-to-site VPN tunnels I can make? Regarding VPN over an MPLS network, I am not sure whether to implement it or not. I just read it somewhere.

Keshav


One of the basic requirements for establishing a VPN is that the devices need IP connectivity to each other. If the firewall at the head office is behind the router and the router is doing address translation, can the VPN device at the branch office send traffic that gets to the firewall? In most implementations where the firewall is behind a router and the firewall has a private IP, the remote is not able to initiate traffic to the firewall. This is the reason why I suggest that the VPN probably should be to the router at the head office. If you are saying that the branch VPN device can initiate traffic and get to the head office firewall, then it may be possible to have the VPN on the firewall.

There would be some limit on the number of VPNs supported on the router. The limit would vary depending on the particular model of router and how much memory is installed on the router (and what features are running on the router). Obviously running a VPN imposes some processing load on the router. When you add multiple VPNs there comes some point at which the router does not have enough resources available to support another VPN.

As I said before, if there is some reason why you want to run VPN over MPLS then it should run fine.

HTH

Rick
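Added example, not from Rick's posts or the thread: a Cisco IOS configuration sketch for the case Rick describes, where the head-office router holds the public address, does the address translation, and is therefore the IPsec peer for the branch. All addresses, subnets, ACL and map names are constructed; the tunnel traffic is excluded from NAT so the crypto ACL matches the untranslated inside addresses.

```cisco
! --- Head-office router (constructed example; names and addresses are made up) ---
! Phase 1: IKEv1 policy and the pre-shared key for the branch peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
! Phase 2: ESP transform set used for the branch tunnel
crypto ipsec transform-set TS-BRANCH1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: head-office LAN (10.1.0.0/16) to branch LAN (10.2.0.0/16)
ip access-list extended VPN-BRANCH1
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! NAT exemption: the same LAN-to-LAN traffic must NOT be translated,
! otherwise it leaves with the public address and never matches VPN-BRANCH1
ip access-list extended NAT-INSIDE
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! Crypto map ties peer, transform set and interesting traffic together
crypto map CM-WAN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-BRANCH1
 match address VPN-BRANCH1
!
interface GigabitEthernet0/0
 description WAN: public address, NAT outside, IPsec peer address
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 crypto map CM-WAN
!
interface GigabitEthernet0/1
 description LAN towards the firewall (private addressing, NAT inside)
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
! Verification after the first LAN-to-LAN packet: "show crypto isakmp sa" should
! show the peer in QM_IDLE and "show crypto ipsec sa" should show encaps/decaps counters.
```

The branch side mirrors this with the source and destination networks swapped and `set peer 198.51.100.1`; whether the branch peer is a router or a firewall does not matter, as Rick notes, as long as it holds a routable address.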

Keshav


I am glad that my answer was helpful. Thank you for using the rating system to mark this question as answered. This helps other readers in the forum to identify discussions that have helpful information. I hope to see you continue to be active in the forum.

HTH

Rick

Hi Rick,


I had a discussion with a technical person about the firewall deployment. He is recommending that we deploy the VPN on the firewall instead of the router. As per him, if the VPN is not configured on the firewall then the firewall will be deployed in bridging mode, wherein HA is not supported. I am lost here. Kindly help me to understand the bridging mode and gateway mode deployment of a firewall and how they are relevant in our discussion.

Thanks in advance,

Regards,

Keshav

Keshav


I am assuming that when that person talks about bridge mode he is actually talking about deploying the ASA in transparent mode. I found this explanation about transparent mode in Cisco documentation: "A transparent firewall is a Layer 2 firewall that acts like a bump in the wire, or a stealth firewall, and is not seen as a router hop to connected devices. The security appliance connects the same network on its inside and outside ports." The ASA can have an IP address for management, but there is no IP address on the interfaces where traffic passes through. Since the ASA is not processing Layer 3 on the interfaces where traffic is passing through, you would not be able to use it as a VPN peer. So I agree that if it is a transparent implementation you could not use it for VPN. I do not agree with him that HA is not supported in transparent mode. The link that I am posting is quite clear that failover is supported in transparent mode. I also question his assertion that if the VPN is to the router then the ASA must be deployed in transparent mode.

If you want more detail about transparent mode, see this link:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110740-asafailover-transparent-mode.html

HTH

Rick

Hi Rick,

Thank you for your valuable response. I will keep those points in mind.

Regards,

Keshav

"Regarding VPN over an MPLS network, I am not sure whether to implement it or not. I just read it somewhere."

Just to add to Rick's replies.

MPLS is a private WAN and, from my experience, the majority of companies do not encrypt over MPLS, nor do they firewall their MPLS connections.

It is true that the SP can see your traffic, but that has always been the case with virtually all private networks, and if that is a concern then it is probably better to be looking for a new SP.

Some companies have very strict security requirements and so they may well decide to either firewall and/or encrypt even across their private WAN, but again, from my experience, that is the exception rather than the norm.

Jon


Hello Keshav!

How is this project going?

You might want to consider the Cisco ASA 5505 for your VPN connection at your branch locations. This will also give you a high-performance firewall, SSL and IPsec VPN. This will also give you additional security in your network. You may check additional information about this at the link provided.

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733510.html

Hope this helps!

Kind regards.


From the OP -

"Thank you for your response. I am using a Cisco 2951 series router."

At least read the OP's answers before trying to sell him kit he doesn't need :-)

Jon
