Please could someone help me with this.
We are planning to set up a network with a Head Office and 8 branch offices. All the branch offices have got fewer than 20 users and they need to access the DB server and File server in HO. At present we have got Cisco 1900 ISRs in all the branch offices and an ASA 5505 in HO. Can we set up a VPN network between these sites? If so, how do we design this? Is there a Cisco design documentation to do the same?
Many thanks in advance.
You can achieve it via LAN-to-LAN VPN, a kind of hub-and-spoke VPN where your ASA is the hub and all the other routers are spokes...
Really appreciate your help on this.
I could find Hub-and-Spoke and Full Mesh VPN Topologies on the link http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/3-2-2/user/guide/UserGuide/vpchap.html#wp586112
Please could you let me know if there are some configuration examples available for these two types?
I would like to configure Standard IPsec VPN over the network. Also would like to know how the routing part is configured in this scenario.
With the ASA at your head office you cannot use DMVPN as your overlay so we typically fall back to the IPsec LAN-LAN VPN (sometimes referred to as site-site). There are many many configuration examples for this - see, for example, the ones under the heading "Site to Site VPN" here:
With respect to routing, the simplest method is if the 5505 and the remote site 1900 ISR routers are the default gateway for their respective site. If so, the access-lists on each device identify traffic destined for one of the remote sites and encapsulate it into IPsec for transmission to the peer's public IP address. At the distant end it is received, decapsulated and passed on to the remote hosts.
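The crypto access-lists described in the reply above, as an added example that is not part of the original thread: a short Python script that derives the mirrored hub (ASA, subnet masks) and spoke (IOS, wildcard masks) entries for each HO-to-branch pair and flags overlapping LANs, which would make the traffic selectors ambiguous. The subnets and the `VPN-BRn` access-list names are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption): HO LAN plus three of the branches.
HO_LAN = ipaddress.ip_network("10.0.0.0/24")
BRANCH_LANS = {
    "BR1": ipaddress.ip_network("10.1.1.0/24"),
    "BR2": ipaddress.ip_network("10.1.2.0/24"),
    "BR3": ipaddress.ip_network("10.1.3.0/27"),
}


def asa_ace(name, src, dst):
    """ASA crypto ACL entry; the ASA expects subnet masks."""
    return (f"access-list {name} extended permit ip "
            f"{src.network_address} {src.netmask} "
            f"{dst.network_address} {dst.netmask}")


def ios_ace(src, dst):
    """Entry for an IOS extended ACL; IOS expects wildcard (inverse) masks."""
    return (f"permit ip {src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


def build_selectors(ho, branches):
    """Return {branch: (hub_entry, spoke_entry)}.

    The spoke entry is the mirror image of the hub entry: source and
    destination swapped, so both peers agree on the protected traffic.
    """
    return {name: (asa_ace(f"VPN-{name}", ho, lan), ios_ace(lan, ho))
            for name, lan in branches.items()}


def check_plan(ho, branches):
    """List overlapping LANs; overlaps make the selectors ambiguous."""
    nets = [("HO", ho)] + list(branches.items())
    problems = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return problems


if __name__ == "__main__":
    for branch, (hub, spoke) in build_selectors(HO_LAN, BRANCH_LANS).items():
        print(f"{branch}\n  hub:   {hub}\n  spoke: {spoke}")
    print(check_plan(HO_LAN, BRANCH_LANS) or "no overlapping LANs")
```
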
Many thanks for your reply.
So if I use 1900 ISR in Head Office could I perform a configuration similar to the example mentioned in http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/7912-ios-hub-spoke2.html ?
Also can you advise whether the following is a good approach http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html ?
Or is there any other way I can configure a mesh topology using ISR routers alone (without using ASA)?
Of the two you mentioned just now, the DMVPN is more scalable. The first example is a 7-year-old document and many organizations find it much more labor-intensive to keep up all of those manually configured access-lists and other configuration bits.
An even more flexible approach, although less well-documented due to its relative age, is FlexVPN. See the FlexVPN data sheet for an overview of its advantages:
Here are a couple of FlexVPN configuration examples:
Both DMVPN and FlexVPN allow you to route dynamically and establish tunnels in a mesh fashion as needed to reach all the sites, whether spoke-hub or spoke-spoke.
Thank you for your help.
I will try FlexVPN and let you know if I face any issues. Your advice is much appreciated.