Cisco asa Hub and Spoke

James Hoggard · ‎11-15-2013

I currently have a IPSEC VPN solutions between 20 sites using CISCO ASA's from 5505, 5510 to 5520 being the main office

Kind of like a Hub and spoke design so everything connects to the main office and some interconnects between smaller offices.

This solution works well however we are growing as a business and at the start of New Year we could have another 5 offices. If I keep going with this design will I run into any problems?

I have seen abit about vti based site to site vpn but don't really get what benefit i would get in using it?

Could use MPLS through an ISP but cost is an issue and i would like to keep it in house.

Thanks

James.

Jouni Forss · ‎11-15-2013

Hi,

I would imagine as the amount of sites increases the L2L VPN setup might get complicated simply by the amount of configurations.

I guess the only other option with the ASA firewalls in use is the use of EasyVPN. The hub site would use a Remote Access configuration for all the different sites to connect to it. To my understanding though the only device model supported as a Remote Site Hardware Client would be ASA5505.

Sadly I have not dealt much with the Cisco IOS VPN solutions but as I understand Dynamic Multipoint VPN would be the most suitable choice when considering a network with multiple sites and traffic between those sites. Naturally this would mean that you would have to change the hardware and I got the picture that this might not be possible because of cost? ASA doesnt support anything else than L2L VPN and EasyVPN that you can use to connect sites together.

I am sure that someone else can better inform you about the DMVPN and other Cisco IOS related VPN solutions.

- Jouni

Marius Gunnerud · ‎11-15-2013

Jouni is correct that the most scaleable solution is the DMVPN. once the Hub is setup then you only need to configure the spokes. This will also allow for tunnels to be dynamically configured between the spoke sites if you like.

As for continuing using the ASAs, then again as Jouni has mentioned we are stuck with L2L VPN and EasyVPN. I have never really liked EasyVPN so my preference would lean toward L2L...but to each his own.

--
Please remember to select a correct answer and rate helpful posts

Marcin Latosiewicz · ‎11-16-2013

To add to excellent info provided by the folks above.

Problem with policy-based VPN (crypto maps in Cisco world) is that you need to establish your traffic selectors explicitly.

i.e. you need to know what traffic is or is not interested for encryption.

VTI solution (which ASA does not support) is route-based VPN, i.e. it allows you to run IPv4 or IPv6 over IPsec and chose traffic for encryption based on routing.

The second type is what make sense to most people and is increasingly more popular, however crypto maps are essentially what is deployed the most and offer best inter-operability (debated by some).

In case of hub and spoke type of deployments on ASA you need to typically look into "local subnet to any" traffic selectors (on spokes) if you want to worry least about adding new subents sites and want to accmodate connectivity between sites over cental VPN.

As Jouni mentions we typically recommend DMVPN or FlexVPN in situations like this, for a simple reason, those solutions are route-based and support dynamic on-demand, direct, spoke to spoke tunnels. Which allow you to reach a better performance and scalability.

Just my 2c.