Cisco VPN option for data center ASA to 100+ stores (basic ISP with dynamic changing WAN IP)

edsge teenstra
Level 1

Hello cisco experts. 

We are searching for a Cisco hardware VPN system from the data center to provide tunnels to more than 100 stores.

  • The tunnels are used for the communication of the electronic cash desks; the debit card transactions will have to go through the tunnels to the server in the data center.
  • All the stores have a collection of different ISPs; these provide basic internet subscriptions with dynamically changing WAN IP addresses.
  • The network equipment varies from Experia box to Fritzbox and different types of ZTE or Huawei modems. So there is not much room for config and tweaking on this limited PE equipment at the different locations; also, these modems have no support for VPN.

After asking around I was told that the Cisco Easy VPN server and Cisco Easy VPN remotes will not work due to the double NAT and the client that will have to send a sort of ICMP/ping message; this message will not arrive at the Easy VPN server because of the double NAT... Is this true, and if yes, is there no way around this?

  1. Will Dynamic Multipoint VPN (DMVPN) work? We want to use refurbished CISCO871-K9 routers in the stores behind the ISP PE devices; these routers have support for DMVPN with the Advanced IP Services feature set (CISCO871-SEC-K9). And we want an ASA5540-BUN-K9 or ASA5550-BUN-K9 in the data center.
  2. Are the Easy VPN software clients a good option? Is this really as safe as hardware-only VPN tunnels, and will this work behind these ISP modems without issues?
  3. What does a typical store generate in data kbps when doing debit card transactions?

I look forward to some real environment examples and hints and tips.

Thanks in advance.

Edgse

General Overview
Q. What is Cisco® Easy VPN?
A. Cisco Easy VPN is an IP Security (IPsec) virtual private network (VPN) solution supported by Cisco routers and security appliances. It greatly simplifies VPN deployment for remote offices and mobile workers. Cisco Easy VPN is based on the Cisco Unity® Client Framework, which centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN deployments. There are three components of the Cisco Easy VPN solution: Easy VPN Client, Easy VPN Remote, and Easy VPN Server.
Q. What is Cisco Easy VPN Client?
A. The Cisco Easy VPN Client enables mobile workers to create a remote-access VPN connection to a Cisco Easy VPN Server. Cisco Easy VPN Client refers to the Cisco VPN Client, which is also commonly referred to as the Cisco Software VPN Client. For more information, please visit http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html.
Q. What is Cisco Easy VPN Remote?
A. The Cisco Easy VPN Remote enables Cisco routers and security appliances to establish a site-to-site VPN connection to a Cisco Easy VPN Server without complex remote-side configuration. Cisco Easy VPN Remote is also commonly referred to as a hardware client. For more information, please visit http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftezvpnr.html.
Q. What is Cisco Easy VPN Server?
A. The Cisco Easy VPN Server accepts connections from Cisco Easy VPN Client and Remote, ensures that those connections have up-to-date policies in place before the connections are established. All Cisco Easy VPN Servers are interoperable with all Cisco Easy VPN Client and Remote. For more information, please visit: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr.html


This info makes me think that DMVPN is an option in our case, given that we will be running behind double NAT.

http://www.cisco.com/c/en/us/td/docs/ios/sec_secure_connectivity/configuration/guide/15_0/sec_secure_connectivity_15_0_book/dmvpn_dt_spokes_b_nat.html
It is not uncommon to situate a remote DMVPN spoke behind a NAT box, where a Port Address Translation (PAT) is enabled.
When the DMVPN spokes need to send a packet to a destination (private) subnet behind another spoke,
they query the Next Hop Resolution Protocol (NHRP) server for the real (outside) address of the destination spoke.
The DMVPN hub maintains a NHRP database of the tunnel endpoints and the physical address of the spokes.

Here I found a good explanation regarding the software Cisco Easy VPN client:

http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/datasheet-c78-733184.html
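A worked DMVPN hub-and-spoke configuration for the scenario in this post, as an added example that is not part of the original thread or of any Cisco document. It assumes an IOS router as the data-center hub (DMVPN is an IOS/IOS-XE mGRE feature; the ASA does not terminate it, which is why a routed hub is used here) and a store spoke that receives a private address from the ISP modem over DHCP and reaches the internet through PAT with a changing public address. The hub public address 203.0.113.1, the tunnel subnet 10.255.0.0/24, the NHRP network-id 100, the interface names, and the PSK/NHRP-key placeholders are all assumed values.

```cisco
! ===== HUB (data-center ISR; static public IP 203.0.113.1 is an assumed value) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Spokes have dynamic, NATed addresses, so the hub cannot key the PSK to a peer IP;
! a wildcard PSK is the minimum that works. One shared secret for 100+ stores means a
! stolen store router exposes the whole group; PKI (crypto pki trustpoint) is the
! better choice at this scale and removes the wildcard entirely.
crypto isakmp key REPLACE-WITH-PSK address 0.0.0.0 0.0.0.0
! NAT-T keepalives hold the PAT binding on the ISP modem open while the tunnel is idle
crypto isakmp nat keepalive 20
!
! Note: hash sha256 / esp-sha256-hmac need a 15.x image. A classic 12.4T image, the last
! train an 871 runs, only accepts hash sha and esp-sha-hmac (AES-256 and group 14 are still
! available there), one more reason the image-currency advice in the accepted answer matters.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication REPLACE-WITH-NHRP-KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 300
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== SPOKE (store router behind the ISP modem: PAT, dynamic public IP) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! The spoke knows the hub's fixed address, so its PSK can be bound to that one peer
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface FastEthernet4
 description WAN towards the ISP modem (private address handed out by the modem's DHCP)
 ip address dhcp
!
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication REPLACE-WITH-NHRP-KEY
 ! static mapping for the hub only; other spokes are resolved through NHRP at run time
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1
 ! the store's public address changes whenever the ISP renumbers it; no-unique lets the
 ! hub overwrite the stale NHRP mapping instead of rejecting the re-registration
 ip nhrp registration no-unique
 ip nhrp holdtime 300
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== Verification (run on the hub) =====
! show dmvpn                  - each spoke should be UP with its current NBMA (public) address
! show ip nhrp                - registered mappings; a NATed spoke also lists a "Claimed NBMA address"
! show crypto session detail  - the Capabilities field should include N (NAT traversal in use)
```

IPsec transport mode is required for a spoke behind NAT, and IOS switches to UDP/4500 encapsulation on its own once NAT is detected during IKE, so nothing has to be opened or forwarded on the ISP modem. The two checks that matter after a store's public IP changes are that `show ip nhrp` on the hub shows the new NBMA address (the old one is replaced thanks to `no-unique`) and that `show dmvpn` still reports the spoke as UP rather than NHRP-registering.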

1 Accepted Solution

Philip D'Ath
VIP Alumni

Personally I would use the Cisco Meraki family for this solution.  I would use a pair of MX100's at the data centre (active/standby) and MX65's at the stores.  You would use the AutoVPN feature to automatically build all the VPNs.

Here is a sizing guide.
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf

Failing that, I would use iWAN (new name for DMVPN).  I would use a Cisco 4000 series router at your data centre.  You need to choose this based on throughput mostly.  I'm going to guess a 4331 with the bandwidth upgrade licence would be a good fit.  I would also get an HSEC and an AX licence.  I would usually get a pair of these for redundancy.

http://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/models-comparison.html

Because you need to run through NAT at the stores, make sure you are running an up-to-date image on the 871's.  Personally I would probably go with a Cisco 897, throw away the ISP-supplied router and make life simple.  The 897 has an ADSL, VDSL and Gigabit WAN interface (both SFP and copper).  It also has a built-in 8-port Gigabit switch.  Sometimes this is all a small store needs.

http://www.cisco.com/c/en/us/products/collateral/routers/800-series-routers/data_sheet_c78-519930.html

The C891-24X is also an interesting choice.  It has dual WAN ports, and a 24-port Gigabit switch built in, with 8 of those ports being PoE.  And all in 1RU of space.

http://www.cisco.com/c/en/us/support/routers/891-24x-integrated-services-router-isr/model.html

Note that all 890 series routers come standard with Advanced IP.

And lastly, I would use EasyVPN.  Yes, it will work through NAT, but you need to make sure you have the most up-to-date software on all your network kit.  Note that a considerably cheaper ASA 5516 will do the job you are asking.

I have done lots of retail store deployments.  The Meraki solution is hands down the best solution for what you describe and the most reliable.

iWAN/DMVPN will work in your environment, but will involve a lot of labour getting it going.  Just the time to upgrade 100 x 871 routers to a recent image is going to be huge.  If I was doing your deployment I would insist on you replacing the ISP routers - otherwise I would probably refuse to do your deployment.  The ISP routers risk making the solution less solid.  A lot of the initial iWAN/DMVPN retail store deployments I have done have since changed over to using Cisco Meraki.

I would probably only deploy EasyVPN if I had no other choice.  It works fine, but just seems a bit archaic compared to the above two technologies.
