01-18-2024 02:42 PM
I have a situation where multiple branch offices need to connect to the head office through firewalls. The head office uses a firewall with FPR 2140, while the nine branches use a different type of firewall with FPR 2100. The requirement is for all branches to communicate with the head office, but not with one another (no branch-to-branch communications). The head office should be able to communicate with each of the branches to ingest data. However, I have learned that DMVPN is not supported on the firewalls (FPR ASA). I need a routing device at the head office to communicate back to the branches from there. I don't have much experience with VPNs, so I don't know how to proceed. Here is the scenario:
Head Office:
- FPR 2140 running ASA in HA
- (buy additional switch Cat 9300 with stack cable to stack 2 switches for redundancy) site-to-site VPN to each branch from FPR 2140 and then filter traffic based on Site IPs
Remote Site1:
- FPR 2100 with Site-to-Site tunnel to head office
- Cat 9300 with stack cable already installed and has a client workstation connected to switch connections.
Remote Site 2:
- FPR 2100 with Site-to-Site tunnel to head office
- Cat 9300 with stack cable already installed and has a client workstation connected to switch connections.
New Site:
The new branch office will establish a site-to-site VPN with the Head Office, as this is where the majority of their data will go. They will use the same setup with low-end firewalls like FPR 1000.
01-18-2024 05:29 PM - edited 01-18-2024 05:32 PM
If you are looking at ASA code on FP, then look at the blog below:
https://integratingit.wordpress.com/2023/03/07/asa-dynamic-vti/
If you are looking at FTD, I hope you have FMC to manage these devices, or do you use FDM? I suggest having FMC.
You can look at VTI.
Hub and Spoke deployments establish a group of VPN tunnels connecting a hub endpoint to a group of spoke nodes.
Check the video:
01-19-2024 07:30 AM
Thank you Balaji for your quick response. We have ASA, unfortunately with no FMC. I was wondering if the ASA blog shown above is scalable. We are anticipating 9 remote sites, and the hub will have a monitoring system which will get traffic from the spokes, and users from the 9 spokes will be able to access the central monitoring system.
01-19-2024 08:11 AM
DMVPN cannot be used on ASA/FTD.
FMC has hub and spoke IPsec,
and as you mention, you don't use FMC,
so
we have one option: using S2S between HQ and branch, and there is no branch to branch,
so that's OK.
You need one VPN for each site.
What is the issue now with this approach?
MHM
01-23-2024 12:55 PM
With S2S between HQ and branch, manual routes are used between HQ and branch to route only specific traffic to each site. This may become cumbersome at a later point.
Singh29
01-23-2024 02:16 PM
Understood,
then check dVTI:
https://www.cisco.com/c/en/us/support/docs/security/vpn-appliances/220320-configure-dvti-with-dynamic-routing-prot.html
MHM
01-19-2024 08:56 AM
@Singh29 the blog referenced uses a Dynamic VTI (dVTI) on the hub; its key benefit is being a scalable hub and spoke VPN solution. Use a dynamic routing protocol over the VTI VPNs to the 9300 switches to advertise the local networks. The advantage of using the VTIs and dynamic routing protocols compared to a policy-based VPN (crypto map) solution is that adding additional networks just requires advertising them using the routing protocol, instead of having to modify the crypto ACLs to define additional networks.
Note dVTI requires ASA 9.19 or newer.
So with 9 remote sites being small, a VTI (hub) and sVTI (spokes) design is a suitable, secure and scalable solution.
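An added configuration sketch (not from any poster in this thread, the blog, or the Cisco document linked above) of the route-based design the replies describe: a dVTI on the hub ASA, an sVTI on one branch ASA, and BGP over the tunnels. All addresses, interface names, AS numbers and the pre-shared-key placeholders are constructed for illustration; the ASA command syntax is reproduced from memory as an assumption and should be checked against the linked Cisco document for the ASA version in use (dVTI needs 9.19 or newer, as noted above). The hub advertises only the HQ prefix to each spoke, so spokes never learn each other's networks; that is how the no-branch-to-branch requirement is met at the routing layer, and an access-group on the tunnel interface can enforce it a second time at the policy layer.

```text
! ===== HUB: FPR 2140 running ASA 9.19+ (constructed example) =====
! Constructed addressing: HQ LAN 10.0.0.0/24, branch N LAN 10.10.N.0/24,
! tunnel overlay 10.255.0.0/24 (hub .1, branch N .N+1),
! hub public 203.0.113.1, branch 2 public 198.51.100.2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROF
 set ikev2 ipsec-proposal AES256-SHA256
!
! Loopback supplies the hub's tunnel address to every cloned virtual-access interface
interface Loopback1
 nameif dvti-lo
 ip address 10.255.0.1 255.255.255.0
!
! One virtual-template serves all nine spokes (this is the scalability gain over
! one Tunnel interface, or one crypto-map ACL, per branch)
interface Virtual-Template1 type tunnel
 nameif dvti
 security-level 50
 ip unnumbered Loopback1
 tunnel source interface outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! One tunnel-group per branch public IP; "virtual-template 1" binds it to the dVTI
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 virtual-template 1
 ikev2 remote-authentication pre-shared-key <BRANCH2-PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <BRANCH2-PSK-PLACEHOLDER>
!
! Routing: hub advertises only HQ to spokes, so spokes have no route to one another.
! How the hub learns each spoke's tunnel address over its virtual-access interface is
! version-specific and is covered in the linked Cisco document; it is not shown here.
prefix-list HQ-ONLY seq 10 permit 10.0.0.0/24
router bgp 65000
 bgp router-id 10.255.0.1
 bgp log-neighbor-changes
 address-family ipv4 unicast
  network 10.0.0.0 mask 255.255.255.0
  neighbor 10.255.0.3 remote-as 65002
  neighbor 10.255.0.3 activate
  neighbor 10.255.0.3 prefix-list HQ-ONLY out
  ! repeat the three neighbor lines for each further spoke (10.255.0.4 ... 10.255.0.10)

! ===== SPOKE (branch 2): FPR 2100 running ASA, static sVTI to the hub =====
! ikev2 policy / ipsec-proposal / ipsec profile VTI-PROF configured as on the hub
interface Tunnel1
 nameif vti-hq
 security-level 50
 ip address 10.255.0.3 255.255.255.0
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <BRANCH2-PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <BRANCH2-PSK-PLACEHOLDER>
!
! Adding a new branch network later means one more "network" line here,
! not a crypto ACL change on both ends
router bgp 65002
 bgp router-id 10.255.0.3
 bgp log-neighbor-changes
 address-family ipv4 unicast
  network 10.10.2.0 mask 255.255.255.0
  neighbor 10.255.0.1 remote-as 65000
  neighbor 10.255.0.1 activate
```

With this in place, `show bgp summary` on the hub lists one established neighbor per branch, and a branch's routing table contains only 10.0.0.0/24 beyond its own LAN; a branch suddenly showing another branch's 10.10.N.0/24 prefix is the sign that the outbound prefix filter has been lost and is worth alerting on.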