Official Support for Multisite Behind SA520 Firewalls?

jeffrey.reese · ‎04-30-2013

I'm at the beginning of a new multisite implementation with two sites. There are existing SA520 firewalls at each site. I have a UC540 and a UC560 with latest software packs and CCA 3.2(2).

I'd like to know if multisite is currently (April, 2013) officially supported by Cisco when the UC devices are behind SA520 firewalls and whether this is configurable using CCA 3.2(2).

I've done multisite in the past in an unsupported configuration via CLI and I'm hoping to go "by the book" as much as possible on this one. I can drop the SA520 firewalls if needed. I have a lot of support procedures built around the SA520 so I have some incentive to keep them in place but not at the expense of running an unsupported configuration.

Any help would be much appreciated.

Darren DeCroock · ‎05-01-2013

Hello Jeffrey,

The way this will be configured depends upon the topology you go with. If you leave the SA520's in place, the VPN connection would be between the SA520's, and the UC500's would not be involved, and this would not be configured using CCA. This is supported, but just not thought the UC500's or CCA.

If you make the UC500's the edge devices, or put them in a DMZ with public IP addresses, then the multisite configuration in CCA can be used, and also is supported.

So, I guess it just depends on which way you want to go. But both topologies are supported by Cisco, but CCA will only be used (For the VPN configuration) if the UC500's are configured with Public IP addresses.

Thank you,

Darren

jeffrey.reese · ‎05-06-2013

Thanks, that's what I was looking for.