VPN termination point

Kevin
Level 1

Hi,


Which one is a better design? 

To terminate VPN connection at Router level or Firewall level.

For a case of:  SW----FW---Router?

Based on many reviews it seems terminating VPN at the router level is much more troublesome to configure compared to terminating at the router level.

Appreciate any feedback. Thanks.

1 Accepted Solution

6 Replies

Richard Burts
Hall of Fame

It is not clear to me in your post where the inside network is and where the outside/Internet is. I am guessing that the switch is the inside and the outside is connected at router. Is that correct? I wonder about changing the topology so that the firewall is the connection to outside and the router is inside of the firewall.


It is also not clear whether you are talking about remote access VPN or site to site VPN. For remote access VPN I would advise terminating it on the firewall. For site to site VPN I would advise terminating it on the router.


HTH


Rick

Hi Rick, yes, I am talking about SSL VPN actually. I am just thinking of a VPN scenario where there is one WAN IP, so I am not sure which is easier to build: set up the router facing the internet for VPN, or the firewall behind the router for VPN access. Let's say the router is in front because the FW does not support a certain internet WAN port.

For SSL remote access VPN I would suggest terminating it on the firewall. If your outside connection is some connection type that the firewall does not support then it makes sense to have the router on the outside.


HTH


Rick

Hi guys,

Thanks for the replies.

Currently the internet-facing router only has one WAN IP address, but the SSL remote access VPN is on the firewall, which is behind the router.

How can I make remote access users connect to the firewall via the public IP, since the only way to connect is to the router first?

That is a challenge. Perhaps you might do port forwarding on the router so that SSL is translated and forwarded to the ASA address.

HTH


Rick
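
As an added illustration of the port-forwarding approach Rick describes (this is not configuration from the thread or from Cisco; the interface names, the 192.0.2.x addressing on the router-to-ASA link, and the DHCP WAN address are assumed placeholders), here is what the static NAT on a Cisco IOS router sitting between the ISP and the ASA would look like. It forwards TCP 443 (and UDP 443 for AnyConnect DTLS) arriving on the single public IP to the ASA's outside interface, while everything else from behind the router still uses dynamic PAT on the same address:

```cisco
! Added example: IOS router with one public IP in front of the ASA.
! Addresses and interface names are assumed for illustration only.
interface GigabitEthernet0/0
 description ISP hand-off (single public IP, assumed to be assigned by DHCP)
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/1
 description Link to the ASA outside interface
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
! Static PAT: TCP 443 on the WAN address -> ASA outside address (SSL/TLS tunnel)
ip nat inside source static tcp 192.0.2.2 443 interface GigabitEthernet0/0 443
! Static PAT: UDP 443 as well, so AnyConnect DTLS does not silently fall back to TLS
ip nat inside source static udp 192.0.2.2 443 interface GigabitEthernet0/0 443
!
! Dynamic PAT for all other traffic leaving through the same public IP
ip access-list standard NAT-INSIDE
 permit 192.0.2.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! The router's own HTTPS management listener would otherwise compete for TCP 443
! on the WAN address; disable it (or move it) so the forward wins.
no ip http secure-server
```

The ASA needs no special NAT awareness for this: clients connect to the router's public IP or the DNS name pointing at it, and the ASA terminates the session on its outside interface as usual, so the identity certificate on the ASA should carry that public name rather than the 192.0.2.2 address. After a test connection, `show ip nat translations` on the router should list the 443 entries with the client's source address, which is the quickest way to confirm the forward is being hit rather than the router's own services.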

Hi, what's your ISP hand-off? The Cisco ASA firewall normally has Ethernet ports. A Cisco router can also support IOS-based SSL VPN, but you'll need a higher platform for this feature and to offload router memory and CPU. I would advise using the ASA firewall to act as the VPN termination point because of its flexible and innate (security level) security functions, and the router to do only WAN/routing functions.