12-10-2013 11:20 AM
Hi there,
Should we worry about the security on router-to-router VPN over internet (IPSec)?
We have two offices.
Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.
Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.
Office B has private subnets that extend to 7 hops away. (running RIP)
If we want to set up a site-to-site VPN between these two offices, should we set it up on ASA's or routers?
If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?
How do we defend our routers then?
Thanks in advance!
-Andrew
Solved! Go to Solution.
12-11-2013 12:59 PM
If you are really worried about your routers, you can run L2L IPSec between your ASA's and then a GRE tunnel from router to router to achieve this solution as well. That way you can run dynamic RP between the sites and leave the FW running security and filtering, example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
This is a very common deployment method.
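The design above, written out as an added configuration example (it is not from the post or from the Cisco document linked): the ASA terminates the IPsec L2L tunnel, and the only "interesting traffic" in its crypto ACL is the GRE flow between the two routers' inside addresses, so the routers never get a public interface. All addresses are constructed (documentation ranges and 10.x space), ASA 8.4+ object/NAT syntax and IKEv1 are assumed, and only the Office A side is shown; Office B mirrors it with the addresses swapped. The PSK is a placeholder.

```cisco
! ===== Office A ASA 5510 (ASA 8.4+ syntax assumed; constructed addresses) =====
! ASA-A outside 198.51.100.1, ASA-B outside 203.0.113.1
! Router A inside 10.1.0.1, Router B inside 10.2.0.1 (the GRE endpoints)
object network RTR-A
 host 10.1.0.1
object network RTR-B
 host 10.2.0.1
! Interesting traffic is ONLY the GRE flow between the two routers; every
! LAN-to-LAN packet rides inside that GRE tunnel, so the crypto ACL stays tiny.
access-list L2L-B extended permit gre object RTR-A object RTR-B
! Identity NAT so the crypto ACL matches the real (un-translated) addresses.
nat (inside,outside) source static RTR-A RTR-A destination static RTR-B RTR-B no-proxy-arp route-lookup
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-PSK>
! The ASA's normal outside ACL stays in place; nothing on the router is reachable from the Internet.

! ===== Office A router (Cisco 2811) =====
! The router has no Internet-facing interface. Its GRE source is its own inside
! address and the destination is Router B's inside address, reached through the ASA.
interface Tunnel0
 description GRE to Office B (carried inside the ASA-to-ASA IPsec tunnel)
 ip address 10.255.0.1 255.255.255.252
 tunnel source 10.1.0.1
 tunnel destination 10.2.0.1
 ip mtu 1400
 ip tcp adjust-mss 1360
! Host route for the far GRE endpoint via the ASA inside interface (10.1.0.254, constructed).
! Being a /32 it stays more specific than anything EIGRP learns through the tunnel,
! which prevents the tunnel from recursing through itself.
ip route 10.2.0.1 255.255.255.255 10.1.0.254
! Dynamic routing over the GRE tunnel; Router B can redistribute its RIP-learned
! subnets (the 7-hop network in the question) into this process.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.3
 passive-interface default
 no passive-interface Tunnel0
```

Two things to check after bringing it up: `show crypto ipsec sa` on the ASA should count encaps/decaps only for the GRE pair (if LAN-to-LAN traffic shows up there instead, a broader crypto ACL or missing identity NAT is bypassing the GRE tunnel), and `show ip eigrp neighbors` on the router should list the peer over Tunnel0. The MTU/MSS values leave room for the GRE plus ESP overhead so large packets do not get fragmented at the ASA.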
12-10-2013 02:30 PM
Hi,
When it comes to site to site vpn I usually prefer routers. With a little bit of tweaking NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.
The advantage of IOS based VPN is e.g. the possibility of routing protocols through the VPN tunnels which would give another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.
Rgds, MiKa
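The IOS approach described in this reply, as an added configuration example that is not from the post: an IPsec VTI (tunnel mode ipsec ipv4 with a tunnel protection profile), EIGRP over it, and the part the original question asked about, an inbound ACL on the router's Internet-facing interface that admits only the peer's IKE/NAT-T/ESP and nothing else, plus management restricted to the inside. Addresses are constructed (Router A outside 198.51.100.1, Router B outside 203.0.113.2), IOS 15.x syntax is assumed for the SHA-256 options, the PSK is a placeholder, and only Office A is shown.

```cisco
! ===== Office A router (Cisco 2811, IOS 15.x syntax assumed; constructed addresses) =====
! Router A outside 198.51.100.1/30 (next hop 198.51.100.2), Router B outside 203.0.113.2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 203.0.113.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-B
 set transform-set TS-AES
!
! Routed IPsec tunnel: no crypto map ACLs, routing decides what is encrypted.
interface Tunnel0
 description IPsec VTI to Office B
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-B
!
! Internet-facing ACL: only the VPN peer may send IKE (UDP/500), NAT-T (UDP/4500)
! and ESP to the router's public address; everything else is dropped and logged.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! Management plane: SSH only, and only from the internal network.
ip access-list standard MGMT-IN
 permit 10.1.0.0 0.0.255.255
 deny any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
!
! EIGRP across the tunnel; with a second VTI (e.g. a backup ISP) EIGRP reroutes on failure.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.3
 passive-interface default
 no passive-interface Tunnel0
```

The `deny ip any any log` line also drops replies to anything the router itself originates toward the Internet (NTP, DNS), so if the router needs those, add explicit permits for them rather than loosening the peer entries. `show crypto session` and `show ip eigrp neighbors` confirm the tunnel and the adjacency; `show access-lists OUTSIDE-IN` shows the hit counts on the deny line, which is a quick way to see how much unsolicited traffic the public address is already attracting.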
12-11-2013 07:46 AM
Thank you for the advice, Mika!
12-11-2013 01:21 PM
Good point, Nicholas!
Why didn't I think of that? : )
Thanks!