684 Views, 0 Helpful, 4 Replies

Router-to-Router VPN Security

andyaoyao (Level 1)

Hi there,

Should we worry about the security of a router-to-router VPN over the Internet (IPsec)?

We have two offices.

Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.

Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.

Office B has private subnets that extend to 7 hops away. (running RIP)

If we want to set up a site-to-site VPN between these two offices, should we set it up on the ASAs or on the routers?

If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?

How do we defend our routers then?

Thanks in advance!

-Andrew

Accepted Solution

If you are really worried about your routers, you can run L2L IPSec between your ASAs and then a GRE tunnel from router to router to achieve this solution as well. That way you can run dynamic RP between the sites and leave the FW running security and filtering, example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

This is a very common deployment method.
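The design in this answer (IPsec between the two ASAs, a plain GRE tunnel between the two routers riding inside it, and a routing protocol across the GRE tunnel), as an added configuration sketch. It is not the configuration from the linked Cisco document or from any poster here, and everything in it is assumed: the addresses (198.51.100.1 and 203.0.113.1 for the ASA outside interfaces, 10.1.0.1 and 10.2.0.1 for the router interfaces behind each ASA, 10.1.0.254 for ASA-A's inside interface, 172.16.0.0/30 for the GRE link), the interface names, and the pre-shared key placeholder. ASA syntax is the pre-8.3 form that shipped on the 5505/5510 in the question. Only Office A is shown; Office B mirrors it with the addresses swapped. RIPv2 is used because the question says Office B already runs RIP.

```cisco
! ===== Office A: ASA 5510 (pre-8.3 syntax, addresses are constructed) =====
! Phase 1: IKE to the Office B ASA
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
! Phase 2: the only "interesting" traffic is GRE between the two routers,
! so the crypto ACL is a single line and the tunnel carries everything else.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list L2L-GRE extended permit gre host 10.1.0.1 host 10.2.0.1
crypto map OUTSIDE_MAP 10 match address L2L-GRE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
! Keep the router's private address intact so the crypto ACL still matches
! (needed whenever a dynamic PAT rule exists on the inside interface).
access-list NONAT extended permit ip host 10.1.0.1 host 10.2.0.1
nat (inside) 0 access-list NONAT
! The ASA needs a route that sends 10.2.0.1 toward the outside interface;
! the crypto map then encrypts it. 198.51.100.254 is the assumed ISP gateway.
route outside 10.2.0.1 255.255.255.255 198.51.100.254

! ===== Office A: Cisco 2811 (IOS, addresses are constructed) =====
! The router never touches the Internet; its GRE endpoint is a private
! address, and the ASA handles IPsec and Internet-facing filtering.
interface FastEthernet0/1
 description Link to ASA inside
 ip address 10.1.0.1 255.255.255.0
!
interface Tunnel0
 description GRE to Office B router (carried inside the ASA-to-ASA IPsec SA)
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 10.2.0.1
!
! Reach the far GRE endpoint through the ASA (10.1.0.254 is ASA-A inside).
ip route 10.2.0.1 255.255.255.255 10.1.0.254
!
! Dynamic routing across the tunnel: the Office B subnets seven hops away
! are learned here without static routes at either end.
router rip
 version 2
 network 172.16.0.0
 network 10.0.0.0
 no auto-summary
```

The ASA's interface ACLs still filter what the Internet can send to the firewall; decrypted GRE from the peer is admitted by the default `sysopt connection permit-vpn` behaviour, so if you want to restrict what crosses between the two offices, put that policy on the routers' Tunnel0 interfaces rather than relying on the outside ACL.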


4 Replies

m.kafka (Level 4)

Hi,

when it comes to site to site vpn I usually prefer routers. With a little bit of tweaking NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.

The advantage of IOS based VPN is e.g. the possibility of routing protocols through the VPN tunnels which would give another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.

Rgds, MiKa
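One way to build what MiKa describes (an IPsec-protected tunnel interface on the IOS router with EIGRP running across it), together with an ingress filter that answers the original question about what happens when the router itself has an Internet-facing interface. This is an added example, not MiKa's configuration and not a Cisco document; the addresses (198.51.100.10 and 203.0.113.10 as the routers' public addresses, 198.51.100.9 as the ISP gateway, 172.16.0.0/30 for the tunnel, 10.1.0.0/16 for Office A), the interface names, EIGRP AS 100 and the key placeholder are all assumptions. Only Office A's 2811 is shown; Office B mirrors it.

```cisco
! ===== Office A: Cisco 2811 with a public interface (IOS, addresses are constructed) =====
! Phase 1: IKE with the Office B router only
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
! Phase 2: transform set in tunnel mode, bound to an IPsec profile that the
! tunnel interface applies (no crypto map / interesting-traffic ACL needed).
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set ESP-AES256-SHA
!
! Everything sent into Tunnel0 is encrypted; routing decides what goes in.
interface Tunnel0
 description IPsec VTI to Office B router
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! EIGRP over the tunnel learns the Office B subnets and, with a second
! tunnel (not shown), fails over to it automatically.
router eigrp 100
 network 172.16.0.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
 no auto-summary
!
! Defence for the exposed interface: the Internet may only deliver IKE
! (UDP 500), NAT-T (UDP 4500) and ESP, and only from the known peer.
! Everything else is dropped and logged.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.10 host 198.51.100.10 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.10 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.10
 deny ip any any log
!
interface FastEthernet0/0
 description Internet
 ip address 198.51.100.10 255.255.255.248
 ip access-group OUTSIDE-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 198.51.100.9
```

Two caveats worth checking on the running box. The ACL is stateless, so anything else the router itself must receive on that interface (NTP replies, management from a named host) needs its own entry. Packets that arrive through the tunnel are processed as arriving on Tunnel0 after decryption, so OUTSIDE-IN does not see them; if you want to restrict what Office B can reach in Office A, apply a separate ACL inbound on Tunnel0 or keep that policy on the ASA as the original poster's topology already does.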

Thank you for the advice, Mika!


Good point, Nicholas!

Why didn't I think of that? : )

Thanks!