Need Help with Branches Office and Head office using NGFW devices

Singh29
Level 1

I have a situation where multiple branch offices need to connect to the head office through firewalls. The head office uses a firewall with FPR 2140, while the nine branches use a different type of firewall with FPR 2100. The requirement is for all branches to communicate with the head office, but not with one another (no branch-to-branch communications). The head office should be able to communicate with each of the branches to ingest data. However, I have learned that DMVPN is not supported on the firewalls (FPR ASA). I need a routing device at the head office to communicate back to the branches from there. I don't have much experience with VPNs, so I don't know how to proceed. Here is the scenario:

Head Office:

- FPR 2140 running ASA in HA

- (buy an additional Cat 9300 switch with stack cable to stack 2 switches for redundancy) site-to-site VPN to each branch from the FPR 2140, and then filter traffic based on site IPs

Remote Site1:

- FPR 2100 with Site-to-Site tunnel to head office

- Cat 9300 with stack cable already installed, with client workstations connected to the switch ports.

Remote Site 2:

- FPR 2100 with Site-to-Site tunnel to head office

- Cat 9300 with stack cable already installed, with client workstations connected to the switch ports.

New Site:

The new branch office will establish a site-to-site VPN with the Head Office, as this is where the majority of their data will go. They will use the same setup with low-end firewalls like FPR 1000.

6 Replies

balaji.bandi
Hall of Fame

If you are looking at ASA code on FP, then look at the blog below:

https://integratingit.wordpress.com/2023/03/07/asa-dynamic-vti/

If you are looking at FTD, I hope you have FMC to manage these devices, or do you use FDM? I suggest having FMC.

You can look at VTI:

  • Hub and Spoke deployments establish a group of VPN tunnels connecting a hub endpoint to a group of spoke nodes.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-s2s.html

check the video :

https://www.youtube.com/watch?v=vWDdtat4Uc4

BB


Singh29
Level 1

Thank you Balaji for your quick response. We have ASA, unfortunately with no FMC. I was wondering if the ASA blog shown above is scalable. We are anticipating 9 remote sites, and the HUB will have a monitoring system which will get traffic from the spokes, and users from the 9 spokes will be able to access the central monitoring system.

DMVPN cannot be used on ASA/FTD.
FMC has hub and spoke IPsec,
and as you mention you don't use FMC,
so
we have one option: using S2S between HQ and branch, and there is no branch to branch,
so that's OK.
You need one VPN for each site.
What is the issue now with this approach?
MHM

With S2S between HQ and branch, manual routes are used between HQ and branch to route only specific traffic to each site. This may become cumbersome at a later point.

Singh29

@Singh29 the blog referenced uses a Dynamic VTI (dVTI) on the hub; its key benefit is to be a scalable hub and spoke VPN solution. Use a dynamic routing protocol over the VTI VPNs to the 9300 switches to advertise the local networks. The advantage of using the VTIs and dynamic routing protocols compared to a policy-based VPN (crypto map) solution is that adding additional networks just requires advertising them using the routing protocol, instead of having to modify the crypto ACLs to define additional networks.

Note dVTI requires ASA 9.19 or newer.

So with 9 remote sites, which is small, a VTI (hub) and sVTI (spokes) is a suitable, secure and scalable solution.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/asdm719/vpn/asdm-719-vpn-config/vpn-vti.html
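The original question plans to filter hub-terminated VPN traffic "based on site IPs" so that spokes reach the head office but never each other. As an added example that is not from any poster in this thread, the script below generates ASA extended ACL lines for a constructed hub subnet and nine spoke subnets, evaluates them with ASA first-match semantics, and verifies that every spoke-to-hub pair is permitted while every spoke-to-spoke pair is denied. All addresses and the ACL name are assumptions.

```python
import ipaddress
from itertools import permutations

# Constructed addressing (assumption, not from the thread): hub LAN plus nine spoke LANs.
HUB_NET = ipaddress.ip_network("10.0.0.0/24")
SPOKE_NETS = [ipaddress.ip_network(f"10.{i}.0.0/24") for i in range(1, 10)]


def asa_addr(net):
    """Render a network as ASA 'address netmask' (ASA ACLs use netmasks, not wildcards)."""
    return f"{net.network_address} {net.netmask}"


def hub_spoke_acl(name, hub, spokes):
    """Build ACL lines permitting spoke<->hub only; the trailing deny makes the
    implicit ASA deny visible (and countable) in 'show access-list'."""
    lines = []
    for s in spokes:
        lines.append(f"access-list {name} extended permit ip {asa_addr(s)} {asa_addr(hub)}")
        lines.append(f"access-list {name} extended permit ip {asa_addr(hub)} {asa_addr(s)}")
    lines.append(f"access-list {name} extended deny ip any any")
    return lines


def _take_addr(tokens):
    """Consume one ASA address spec ('any' or 'addr mask') from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")


def permitted(acl_lines, src_ip, dst_ip):
    """Evaluate the ACL top-down, first match wins; no match means implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        tokens = line.split()[3:]          # drop 'access-list NAME extended'
        action, _proto = tokens[0], tokens[1]
        rest = tokens[2:]
        s_net, d_net = _take_addr(rest), _take_addr(rest)
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def policy_holds(hub, spokes, acl_lines):
    """Check the stated requirement: each spoke talks to the hub both ways, spokes never to each other."""
    hub_host = str(hub[10])
    spoke_hosts = [str(s[10]) for s in spokes]
    if not all(permitted(acl_lines, h, hub_host) and permitted(acl_lines, hub_host, h) for h in spoke_hosts):
        return False
    return not any(permitted(acl_lines, a, b) for a, b in permutations(spoke_hosts, 2))


ACL = hub_spoke_acl("VTI_IN", HUB_NET, SPOKE_NETS)
```

Running `policy_holds(HUB_NET, SPOKE_NETS, ACL)` returns True for the generated ACL; reordering or dropping a line lets the check expose the gap before the configuration reaches the hub.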