05-31-2013 07:35 PM
Dear
I would like to know whether both the Cisco 2901 or 2921 router and the Cisco 5505 ASA can build a site-to-site VPN.
1) What is the difference between building a site-to-site VPN on a router and on a firewall?
2) Which is the best choice for a site-to-site VPN connection?
Best Regards
Alan.
05-31-2013 10:06 PM
The ASA is a really great choice for remote-access-VPNs. But for site-to-site I prefer the IOS-router:
On the router you have much more flexibility in how you configure your VPNs. The typical choice is to configure some kind of IPsec tunnel interface to connect the other sites (that can be VTI/DVTI, DMVPN or the new FlexVPN). These tunnel interfaces are not available on the ASA.
Another point is access control for VPN traffic. That works like a charm on the router and is a PITA on the ASA.
One point is much easier to achieve on the ASA: device redundancy. With the failover implementation on the ASA this can be implemented much more easily than on the router.
But all in all, in my opinion, the router is the much better choice for site-to-site.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
06-01-2013 07:42 AM
Dear karsten.iwen
Can you provide me some Cisco links to learn more about your explanation? I am used to using the ASA to build VPNs, and my usual thinking is that a firewall is much more secure, both for site-to-site VPN and for protecting company resources. As you said, the router performs much better for site-to-site VPN. I want to understand more about "The typical choice is to configure some kind of IPSec-Tunnel-Interface to connect the other sites (that can be VTI/DVTI, DMVPN or the new FlexVPN). These tunnel-interfaces are not available on the ASA".
Thank you very much.
06-01-2013 11:47 PM
As already suggested, the place to start is the config guides on cisco.com:
On the ASA with ASDM and CLI:
http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/vpn/asdm_71_vpn_config.html
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config.html
VTI on IOS:
FlexVPN on IOS:
DMVPN on IOS:
06-01-2013 04:15 PM
I do a lot of deployments and I believe it all depends on what you are trying to accomplish. There have been huge changes with the 9.1 code for the ASA. Cisco deployment and configuration guides are where I would start first.
Sent from Cisco Technical Support Android App
06-01-2013 06:13 PM
Dear
I have tried to use a Cisco 5505 to build a site-to-site VPN like siteA<>headquarter<>siteB. siteA and siteB can connect to headquarter, but siteA CANNOT connect directly to siteB.
If I change to a Cisco 2901 or 2921 to build the site-to-site VPN, may I know which type of VPN (SVTI, DVTI or DMVPN) can make all three sites connect to each other, so that siteA can connect to siteB as well?
06-01-2013 11:57 PM
On the ASA this can also be achieved:
1) you need to enable "same-security-traffic permit intra-interface"
2) the ACLs that specify which traffic has to be protected have to be expanded:
- On Spoke A: include the traffic from site A to site B
- On Spoke B: include the traffic from site B to site A
- HQ VPN to A: include the traffic from site B to site A
- HQ VPN to B: include the traffic from site A to site B
Or you build direct VPNs between Spoke A and Spoke B.
With the routers, it mostly depends on the number of sites, your communication needs and whether you have fixed public IPs on the spokes.
If there are only a few spokes and all have fixed public IPs I would use VTI. If the spokes have dynamic IPs, then on the hub you need DVTIs.
If there are many spokes and all routers are ISR G2, then the best solution could be FlexVPN. If there are still ISR G1s, then DMVPN or a combination of FlexVPN/DMVPN could be used. FlexVPN/DMVPN could also be a good solution if you want direct spoke-to-spoke communication.
Enough confusion? ;-)
Just tell us more about what exactly you want to achieve and we can point you in the right direction.
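The intra-interface command and the four crypto ACL adjustments described in the reply above, written out as hub and spoke ASA configuration. This is an added example, not configuration from the thread; all subnets, peer addresses, object and map names are assumptions, and the IKEv1 policy and tunnel-groups are omitted.

```cisco
! HQ ASA (hub). Addresses, names and peer IPs are constructed assumptions.
! Step 1: allow traffic that arrives decrypted on "outside" to leave via "outside" again
same-security-traffic permit intra-interface
!
object network NET-HQ
 subnet 10.0.0.0 255.255.0.0
object network NET-A
 subnet 10.1.0.0 255.255.0.0
object network NET-B
 subnet 10.2.0.0 255.255.0.0
!
! Step 2: each hub crypto ACL covers the remote site plus the *other* spoke,
! so A->B traffic is decrypted from the A tunnel and re-encrypted into the B tunnel
access-list CRYPTO-A extended permit ip object NET-HQ object NET-A
access-list CRYPTO-A extended permit ip object NET-B object NET-A
access-list CRYPTO-B extended permit ip object NET-HQ object NET-B
access-list CRYPTO-B extended permit ip object NET-A object NET-B
!
! Standard identity NAT so HQ-to-spoke traffic is not translated before encryption
nat (inside,outside) source static NET-HQ NET-HQ destination static NET-A NET-A no-proxy-arp route-lookup
nat (inside,outside) source static NET-HQ NET-HQ destination static NET-B NET-B no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address CRYPTO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.11
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP 20 match address CRYPTO-B
crypto map OUTSIDE-MAP 20 set peer 203.0.113.12
crypto map OUTSIDE-MAP 20 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP interface outside
!
! Spoke A ASA: its single crypto ACL must mirror the hub's CRYPTO-A entries.
! Site B is reached through the HQ tunnel, so it is listed as a destination here;
! spoke B gets the symmetric configuration with NET-A as the extra destination.
access-list CRYPTO-HQ extended permit ip object NET-A object NET-HQ
access-list CRYPTO-HQ extended permit ip object NET-A object NET-B
crypto map OUTSIDE-MAP 10 match address CRYPTO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP interface outside
```

If either side's ACL lacks the matching spoke-to-spoke entry, the proxy identities will not agree and the A-to-B security association will never come up, which is the usual cause of "A and B reach HQ but not each other".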
06-02-2013 09:11 AM
Thank you so much karsten Iwen.
You have really confused me with so much information I did not know before. I will start to study what you have told me above.
However, what I would really like to achieve and understand is how to handle more than 60 sites. 50 sites use only a 2901 or 2921 with a direct site-to-site VPN over the internet to headquarters, and 10 sites use a 2901 or 2921 for both MPLS and an internet site-to-site VPN (failover) to connect to headquarters. Could you try to advise and figure out what solution we should use? I really want to study and learn more about what the best solution is for our implementation right now. Thank you.
Which solution is good or best for the below?
1) Which 2901 or 2921 VPN solution to use in the 50 sites that only connect directly over the internet by site-to-site VPN to headquarters?
2) Which 2901 or 2921 VPN solution to use in the 10 sites that have both MPLS and an internet site-to-site VPN (failover) to headquarters?
Thank you.
06-02-2013 09:34 AM
With that number of sites connected to the internet, and some also to MPLS, you should choose a solution that gives you good configuration and routing scalability. Both are better on IOS than on the ASA. I would go directly to FlexVPN, which is the most up-to-date technology in IOS and gives you many features like good scalability, integration of routing and (if you want) spoke-to-spoke connectivity without much extra config. The routers need quite new images; I would start with 15.2.4M3.
For IPsec scalability you should plan to use certificates; a CA server is included in IOS:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080210cdc.shtml
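A FlexVPN hub using a dynamic virtual-template (DVTI) with certificate authentication, the combination recommended in this reply and in the earlier reply on using DVTIs when spokes have dynamic IPs. This is an added example and not configuration from the thread; all names, addresses, the domain and the CA enrollment URL are assumptions.

```cisco
! Hub: certificates from the IOS CA (enrollment URL is a constructed assumption)
crypto pki trustpoint FLEX-CA
 enrollment url http://192.0.2.10:80
 revocation-check none
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
! Any spoke presenting a CA-issued certificate in the domain may connect;
! identity is bound to the certificate, so no per-spoke peer address is needed
crypto ikev2 profile FLEX-HUB
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint FLEX-CA
 virtual-template 1
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-HUB
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
! DVTI: one virtual-access interface is cloned from this template per spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! Spoke: same trustpoint, proposal, policy and transform-set as the hub (omitted);
! its own Loopback0 address; its public IP may be dynamic since only it initiates
crypto ikev2 profile FLEX-SPOKE
 match identity remote fqdn hub.example.com
 identity local fqdn spoke-a.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint FLEX-CA
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-SPOKE
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

Because the tunnel is a routed interface, a routing protocol or static routes over Tunnel0 / the virtual-access interfaces replaces the crypto ACL bookkeeping that the ASA hub-and-spoke design requires.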
06-02-2013 07:16 AM
I second using routers for VPN.
Sent from Cisco Technical Support Android App