
Does the Cisco ASA 5555-X support GRE tunnels?

gjindal
Level 1

Hi Team,

Looking for answers to the queries below:

Version: Cisco ASA-5555-x

Cisco ASA 9.1(2)  - Attached snapshot

Does the Cisco ASA 5555-X support GRE tunnels?

Also, with this device, is it possible to create GRE interfaces?

Is GRE over IPsec supported with the ASA 5555-X?

Any reference to sample configuration specific to this model.

Thanks,

Gaurav


10 Replies

Rahul Govindan
VIP Alumni
(Accepted Solution)

GRE tunnels are not configurable on the ASA in any version. You would have to use a router in order to use GRE tunnels. You can do GRE over IPsec tunnels with a router as the GRE endpoint and ASA as the IPsec endpoint or a router as both GRE and IPsec endpoint.

By the way, I saw in release notes of 9.7 version:

Virtual Tunnel Interface (VTI) support for ASA VPN module

http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html

Hopefully, some day we will see VTI tunnels on ASA gear too.

P.S. VTI is a tunnel interface which can be used in many cases instead of GRE over IPsec. With VTI there is no need to configure crypto maps. Also, a VTI tunnel does not add the overhead of a GRE header to VPN traffic.

Sorry, Karsten has already mentioned that.

As already mentioned, there is no GRE tunnel. But the newest ASA software has IPsec tunnel interfaces. If your plan is just to have a route-based IPsec VPN in the future, this could be the way to go. But I would wait some releases before changing to 9.7 in production.

ssawant
Level 1

Hi Rahul,

If the VPN tunnel is terminated on the ASA and the GRE tunnel is terminated on a router behind the ASA, then the firewall rules which could be applied to the data traffic coming out of the VPN on the ASA are no longer relevant. Is there a way to overcome/work around this drawback without throwing additional gear at the problem? I am not familiar with any firewall capabilities of Cisco routers, but I believe these won't be able to cover the capabilities of the ASA. Thoughts?

Thanks,
Sandesh

Hello, just want to share my thoughts...

First of all, Cisco routers are capable of firewall services. For example, there is a feature called Zone-Based Firewall for Cisco routers. This feature can give you similar capabilities to the ASA in many cases, but it is a bit more complicated to configure.

The second thought. I had a configuration where the ASA was behind the router. That means the ISP was connected to the router, and the inside LAN was separated from the router by the ASA:

LAN <===> ASA <===> Router <===> ISP

But in spite of this fact, there was no problem terminating IPsec on the ASA and GRE on the router. The IPsec traffic (IKE and ESP) passed from the ISP through the router with no inspection and terminated on the ASA. After being decrypted, the GRE traffic went back to the router. Then the router decapsulated the payload from the GRE headers. Then the router directed the payload traffic back to the ASA.

So there was a possibility to control the decapsulated traffic with the ASA's firewall capabilities.

This scenario may be useful if the ASA is equipped with IPS or FirePOWER services. After being decapsulated from all VPN headers (IPsec and GRE), the traffic can be controlled and inspected as you like.

Hi Boris,

Thanks for super quick response!

I'm sure there would be FW capabilities in the ASA which would be missing in IOS routers, so we won't be able to offload everything from the ASA.

Your other solution sounds plausible to me; however, I am concerned about the performance penalty it will incur due to the extra loop involved for all traffic. My deployment requires the use of 2 ASAs for VPN tunnel redundancy, where each ASA forms a VPN tunnel with a remote VPN device via a different ISP and carries a GRE tunnel inside each VPN tunnel. The router where the GRE tunnels terminate runs BGP for selection of the path to reach the remote site via one of the GWs.

                           ASA1 (VPN1) <=> ISP1
LAN <=> Router (BGP+GRE) <                        > VPN
                           ASA2 (VPN2) <=> ISP2

So I am wondering if looping traffic back and forth between the ASA and the router will have any implications from a dynamic routing perspective.

Thanks,

Sandesh

Hi, 

You are absolutely right that looping traffic between the router and the ASAs increases the utilization of the gear.

Usually, ASAs are more powerful in routing and firewall capabilities compared to routers (sure, it depends on the concrete models).

If you think that the router may be under heavy load, you can avoid looping traffic through the router if you add a direct connection from the ASA to the inside LAN (to the core switch). Please see the attachment.

In this case, IPsec traffic will come to the ASA, the decrypted GRE traffic goes to the router, and the router sends the decapsulated payload back to the ASA. The ASA then sends the filtered payload directly to the LAN, avoiding passing it back through the router.

So the traffic from the remote VPNs will pass through the router only once. Sure, that traffic passes through the ASA twice, but, as I already mentioned, the throughput of the ASA is usually high, so it won't be a problem.

From a security perspective, it is also OK to connect the ASA directly to the LAN, because the ASA filters all traffic.
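As an added worked example (not from the thread and not Cisco's sample configuration), here is the split design the replies describe, with the refinement above of giving the ASA a direct LAN link: Router A terminates only GRE on a small "transit" segment off the ASA, the ASA terminates IPsec and applies its ACL to the decapsulated payload when it comes back from the router, and a remote Router B terminates both GRE and IPsec. All addresses, interface numbers, object and ACL names, the host 10.1.0.10, the pre-shared key placeholder and the IKEv1/IPsec parameters are assumptions (ASA 9.1 IKEv1 syntax is used; confirm the DH group and ciphers your release accepts). Static routes stand in for the BGP that the thread runs over the tunnel.

```cisco
!=== Router A (site A, GRE endpoint only; attached to the ASA "transit" interface) ===
! Assumed addressing: transit 10.0.0.0/30, LAN A 10.1.0.0/24, LAN B 10.2.0.0/24
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.252
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 keepalive 10 3
! GRE peer and LAN A are both reached through the ASA; LAN B only through the tunnel
ip route 203.0.113.2 255.255.255.255 10.0.0.1
ip route 10.1.0.0 255.255.255.0 10.0.0.1
ip route 10.2.0.0 255.255.255.0 Tunnel0
!
!=== ASA (site A, IPsec endpoint; 9.1 IKEv1 syntax) ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
interface GigabitEthernet0/1
 nameif transit
 security-level 50
 ip address 10.0.0.1 255.255.255.252
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.254
! LAN-bound traffic for site B is handed to Router A for GRE encapsulation
route transit 10.2.0.0 255.255.255.0 10.0.0.2
! Keep the router-to-router GRE stream out of any broader NAT rule
object network RTR-A
 host 10.0.0.2
object network RTR-B
 host 203.0.113.2
nat (transit,outside) source static RTR-A RTR-A destination static RTR-B RTR-B
! Interesting traffic for the IPsec SA is only the GRE stream between the two routers
access-list L2L-GRE extended permit gre host 10.0.0.2 host 203.0.113.2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map CM-OUTSIDE 10 match address L2L-GRE
crypto map CM-OUTSIDE 10 set peer 203.0.113.2
crypto map CM-OUTSIDE 10 set ikev1 transform-set TS-AES256
crypto map CM-OUTSIDE interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>
! The decapsulated payload re-enters the ASA on "transit" as plain IP, so this ACL,
! not the VPN, is where policy is enforced. Router A's outbound GRE must be allowed too.
access-list TRANSIT-IN extended permit gre host 10.0.0.2 host 203.0.113.2
access-list TRANSIT-IN extended permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list TRANSIT-IN extended permit tcp 10.2.0.0 255.255.255.0 host 10.1.0.10 eq 443
access-list TRANSIT-IN extended deny ip any any log
access-group TRANSIT-IN in interface transit
!
!=== Router B (site B, GRE and IPsec on one box) ===
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 198.51.100.1
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended GRE-TO-SITE-A
 permit gre host 203.0.113.2 host 10.0.0.2
crypto map CM-WAN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256
 match address GRE-TO-SITE-A
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map CM-WAN
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 keepalive 10 3
! 10.0.0.2 is private: the default route sends the GRE packet out Gi0/0, where the
! crypto map encrypts it; no more specific route for 10.0.0.2 may point elsewhere
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.1.0.0 255.255.255.0 Tunnel0
```

Two points are easy to miss. First, the ASA's default `sysopt connection permit-vpn` lets decrypted GRE bypass the outside ACL, which is fine here because that GRE carries nothing the ASA can inspect anyway; the filtering happens on the transit ACL, where the payload arrives as ordinary IP after Router A strips the GRE header. Second, the GRE tunnel destination on Router B is a private address behind the ASA, so the IPsec peer (198.51.100.1) and the GRE peer (10.0.0.2) differ; the crypto ACLs on both sides must match that GRE flow exactly. Verify with `show crypto ikev1 sa` and `show crypto ipsec sa` on the ASA, `show interface Tunnel0` on the routers, and `packet-tracer input transit tcp 10.2.0.5 12345 10.1.0.10 443` on the ASA to confirm the transit ACL is the one evaluating the decapsulated traffic.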

More powerful in firewalling only; the routers rule when it comes to routing capabilities.

Gerard Roy
Level 2

This is why people are dropping their ASAs. It is just stupid. If I place the GRE traffic inside of the IPsec tunnel, is it not secure? Cisco invented GRE, why the hell can they not secure it? The ASA is not relevant anymore and everyone is stuck with it.
