cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
838
Views
0
Helpful
4
Replies

Router-to-Router VPN Security

andyaoyao
Level 1
Level 1

Hi there,

Should we worry about the the security on router-to-router VPN over internet (IPSec) ?

We have two offices.

Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.

Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.

Office B has private subnets that extend to 7 hops away. (running RIP)

If we want to set up a site-to-stie VPN between these two offices, should we set it up on ASA's or routers?

If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?

How do we defend our routers then?

Thanks in advance!

-Andrew

1 Accepted Solution

Accepted Solutions

If you are really worried about your routers, you can run L2L IPSec between your ASA's and then a GRE tunnel from router to route to achieve this solution as well.  That way you can run dynamic RP between the sites and leave the FW running security and filtering, example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

This is a very common deployment method.

View solution in original post

4 Replies 4

m.kafka
Level 4
Level 4

Hi,

when it comes to site to site vpn I usually prefer routers. Whith a little bit of tweaking NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.

The advantage of IOS based VPN is e.g. the possibility of routing protocols through the VPN tunnels which would give another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. Its much easier than anything I can think of on the ASA.

Rgds, MiKa

Thank you for the advice, Mika!

If you are really worried about your routers, you can run L2L IPSec between your ASA's and then a GRE tunnel from router to route to achieve this solution as well.  That way you can run dynamic RP between the sites and leave the FW running security and filtering, example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

This is a very common deployment method.

Good point, Nicholas!

Why didn't I think of that?  : )

Thanks!