Beginner

VPN Hub and Spoke

Hello guys.

I am working on a project with 14 sites. The design will be hub and spoke, and we will build VPNs for site-to-site connectivity.

Now I need to know about the design:

1. CME router ---> Firewall ---> Internet

or

2. Firewall ---> CME router ---> Internet

The ASA will be doing VPN termination, and I know the firewall doesn't support GRE and DMVPN. So how can I do hub and spoke?

Regards!

Ansar Javaid 


Accepted Solutions
VIP Advisor

If you already have ASAs then put them on the outside. You'll have to build lots of site-to-site VPNs as there is no hub and spoke support like on the routers with DMVPN.

8 Replies
VIP Advisor

Are you committed to using ASAs? I would personally stick with the CME router and use DMVPN.

Perhaps at the head office you can use both, but I'd put them side by side, not one behind the other.

Beginner

Thanks for the help.

Here a question arises: there will be some call-processing burden on the CME router, so why use it if we have a dedicated device for that purpose and all sites have an ASA 5512X?

So my questions are:

1. If I use the CME, do I have to buy a security license and VPN ISM?

If yes, then my company won't let me do this because they have already bought all the material.

2. Is there no hub-and-spoke support on the ASA at all?

If yes, then what if I place the firewall on the edge, run DMVPN or GRE on the CME, and let the firewall do the encryption? Is that possible?

3. There are also some clients who will be doing their work remotely, so I will be doing SSL client as well. Is it possible to place my router on the edge doing NAT, with the firewall responding to SSL? Which ports do I need to forward then?

So what do you suggest?

Waiting.......

VIP Advisor

If you already have ASAs then put them on the outside. You'll have to build lots of site-to-site VPNs as there is no hub and spoke support like on the routers with DMVPN.

Beginner

I got it. Is there any way to do hub and spoke without buying anything on the router except the security license?

VIP Advisor

You can do MGRE (Multipoint GRE) without security.

Beginner

Yup, you're right, plain text packets.....

Is there a way that I do mGRE on the router behind the firewall and the firewall does IPsec for interesting traffic?

waiting.........

VIP Advisor

There would be, but the complexity is way too high. You might as well stick with using your ASAs and just build lots of VPNs.

Beginner

Okay, thanks for helping me clear up my points. Now what do you suggest? 2951 CME and 5512 ASA with FirePOWER.... We need both centralized and remote access features.

So if you suggest anything, it will be appreciated.