07-01-2014 10:09 PM
Hi,
Please could someone help me with this.
We are planning to set up a network with a Head Office and 8 branch offices. All the branch offices have fewer than 20 users, and they need to access the DB server and file server in HO. At present we have Cisco 1900 ISRs in all the branch offices and an ASA 5505 in HO. Can we set up a VPN network between these sites? If so, how do we design this? Is there Cisco design documentation to do the same?
Many thanks in advance.
07-02-2014 12:58 AM
07-02-2014 01:08 AM
Hi Yadhu,
You can achieve it via a LAN-to-LAN VPN, a kind of hub-and-spoke VPN where your ASA is the hub and all the other routers are spokes...
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml
Regards
Karthik
07-02-2014 07:38 AM
Hi,
Really appreciate your help on this.
I could find Hub-and-Spoke and Full Mesh VPN Topologies at the link http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/3-2-2/user/guide/UserGuide/vpchap.html#wp586112
Please could you let me know if there are some configuration examples available for these two types?
I would like to configure Standard IPsec VPN over the network. Also would like to know how the routing part is configured in this scenario.
Thanks.
07-02-2014 08:07 AM
With the ASA at your head office you cannot use DMVPN as your overlay, so we typically fall back to the IPsec LAN-to-LAN VPN (sometimes referred to as site-to-site). There are many, many configuration examples for this - see, for example, the ones under the heading "Site to Site VPN" here:
http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-configuration-examples-list.html
With respect to routing, the simplest method is if the 5505 and the remote-site 1900 ISR routers are the default gateway for their respective sites. If so, the access-lists on each device identify traffic destined for one of the remote sites and encapsulate it into IPsec for transmission to the peer's public IP address. At the distant end it is received, decapsulated and passed on to the remote hosts.
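To make the crypto-map approach described in the reply above concrete, here is a minimal hub-and-spoke IPsec LAN-to-LAN configuration for the ASA 5505 hub and one ISR 1900 spoke. This is an added example written for this thread, not configuration taken from the Cisco documents linked above. All addressing (10.0.0.0/24 at HO, 10.1.1.0/24 and 10.1.2.0/24 at two branches, public IPs from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), interface names, policy numbers, and the pre-shared-key placeholders are assumptions; DH group 14 assumes an ASA release that offers it for IKEv1 (use the strongest group both ends support otherwise).

```cisco
! ===== ASA 5505 at head office (hub), ASA 8.4+ syntax =====
! Assumed: HO LAN 10.0.0.0/24 on "inside", outside IP 203.0.113.1,
!          branch1 LAN 10.1.1.0/24 behind 198.51.100.11,
!          branch2 LAN 10.1.2.0/24 behind 198.51.100.12
object network HO-LAN
 subnet 10.0.0.0 255.255.255.0
object network BR1-LAN
 subnet 10.1.1.0 255.255.255.0
object network BR2-LAN
 subnet 10.1.2.0 255.255.255.0
! NAT exemption: VPN traffic must not be translated or the crypto ACL never matches
nat (inside,outside) source static HO-LAN HO-LAN destination static BR1-LAN BR1-LAN no-proxy-arp route-lookup
nat (inside,outside) source static HO-LAN HO-LAN destination static BR2-LAN BR2-LAN no-proxy-arp route-lookup
! Crypto ACLs: one per spoke, selecting the "interesting traffic" to encrypt
access-list VPN-BR1 extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-BR2 extended permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0
! Phase 1 (IKEv1)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
! Phase 2 transform set
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
! One crypto map entry per spoke, all on the same map, applied once to "outside"
crypto map VPNMAP 10 match address VPN-BR1
crypto map VPNMAP 10 set peer 198.51.100.11
crypto map VPNMAP 10 set ikev1 transform-set TS-AES256
crypto map VPNMAP 10 set pfs group14
crypto map VPNMAP 20 match address VPN-BR2
crypto map VPNMAP 20 set peer 198.51.100.12
crypto map VPNMAP 20 set ikev1 transform-set TS-AES256
crypto map VPNMAP 20 set pfs group14
crypto map VPNMAP interface outside
! A separate, long random pre-shared key per spoke (placeholders shown)
tunnel-group 198.51.100.11 type ipsec-l2l
tunnel-group 198.51.100.11 ipsec-attributes
 ikev1 pre-shared-key <key-for-branch1>
tunnel-group 198.51.100.12 type ipsec-l2l
tunnel-group 198.51.100.12 ipsec-attributes
 ikev1 pre-shared-key <key-for-branch2>
! Default route to the ISP; the crypto map diverts branch-bound traffic into IPsec
route outside 0.0.0.0 0.0.0.0 203.0.113.254

! ===== Branch 1 ISR 1900 (spoke), IOS 15.x syntax =====
! Assumed: LAN 10.1.1.0/24 on Gi0/1, WAN Gi0/0 with 198.51.100.11, ISP gateway 198.51.100.1
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <key-for-branch1> address 203.0.113.1
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
! Mirror image of the hub's VPN-BR1 ACL (IOS uses wildcard masks)
ip access-list extended VPN-HO
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256
 set pfs group14
 match address VPN-HO
! If the spoke also NATs users to the Internet, exempt VPN traffic from NAT first
ip access-list extended NAT-TRAFFIC
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
 description WAN to ISP
 ip address 198.51.100.11 255.255.255.0
 ip nat outside
 crypto map VPNMAP
interface GigabitEthernet0/1
 description Branch LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

The routing here is exactly what the reply describes: each device only has a default route, and the crypto ACL, not the routing table, decides what gets encrypted. Two points worth checking before going live: the crypto ACLs on the two peers must be exact mirror images, and the ASA's default `sysopt connection permit-vpn` lets decrypted VPN traffic bypass the outside interface ACL, so restrict what the branches may reach with a `vpn-filter` on each tunnel-group's group-policy (or turn that sysopt off). Branch-to-branch traffic through the hub would additionally need `same-security-traffic permit intra-interface` on the ASA and the other spoke subnets added to each crypto ACL, which is the manual-ACL growth that later replies in this thread warn about. Verify with `show crypto ikev1 sa` and `show crypto ipsec sa` on the ASA, `show crypto isakmp sa` and `show crypto ipsec sa` on the ISR, and `packet-tracer input inside tcp 10.0.0.10 1025 10.1.1.10 445` on the ASA to confirm a file-server flow is NAT-exempted and hits the crypto map.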
07-02-2014 08:39 AM
Hi Marvin,
Many thanks for your reply.
So if I use 1900 ISR in Head Office could I perform a configuration similar to the example mentioned in http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/7912-ios-hub-spoke2.html ?
Also, can you advise whether the following is a good approach: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html ?
Or is there any other way I can configure a mesh topology using ISR routers alone (without using ASA)?
Thanks again.
07-02-2014 09:29 AM
Of the two you mentioned just now, DMVPN is the more scalable. The first example is a 7-year-old document, and many organizations find it much more labor-intensive to keep up all of those manually configured access-lists and other configuration bits.
An even more flexible approach, although less well-documented due to its relative age, is FlexVPN. See the FlexVPN data sheet for an overview of its advantages:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html
Here are a couple of FlexVPN configuration examples:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html
Both DMVPN and FlexVPN allow you to route dynamically and establish tunnels in a mesh fashion as needed to reach all the sites, whether spoke-hub or spoke-spoke.
07-02-2014 10:10 AM
Hi Marvin,
Thank you for your help.
I will try FlexVPN and let you know if I face any issues. Your advice is much appreciated.
Many thanks.