VPN design for branch office

de1denta (Level 3)

Hi,

I'm looking for some feedback regarding any issues with the following design.

We currently have a HQ site with a 100Mbps internet connection which terminates on an outside L2 switch. A Cisco ASA 5520 is then connected to the L2 switch and configured with a public IP address. The Cisco ASA firewall is configured with NAT and is handling all internet traffic from HQ.

I need to add a branch site via a VPN but we need the ability to use multicasting over the VPN and also to use the HQ site for all internet traffic, so the branch will use a default route towards the HQ and then traffic hairpins back out to the internet.

I was thinking of installing a Cisco 2900 series router in parallel to the Cisco ASA with one interface connected to the outside switch and the internal interface connected to the HQ switch, then configuring GRE over IPsec and then advertising out the default using EIGRP. Physical design similar to the attached.

Does anyone see any issues with this configuration? Would it be better to connect the 2900 LAN to a DMZ interface on the ASA for security?

Thank you

Accepted Solution

That's a design I use quite often (for customers with "normal" security needs) which works very well. As an inside switch I always use a Layer 3 switch with two transfer networks, one to the router(s), one to the ASA(s). With that you have full control over the routing on the L3 switch.

As a variation for customers who want to filter the branch traffic also on the ASA, I connect the internal interface of the router to a DMZ interface on the ASA. Then there is only one device (the ASA) for policy enforcement instead of two (ASA and router). In the old days of the VPN concentrator I also had the public interface of the VPN gateway on a DMZ to protect the VPN gateway from the internet, but that complicates the routing very much.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
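A configuration fragment for the HQ-side 2900 in the design discussed above (router in parallel to the ASA, GRE over IPsec, default route advertised to the branch with EIGRP, inside interface on a transfer network to the L3 switch). This is an added example, not configuration from the thread or from Cisco; all addresses, the EIGRP AS number and the interface names are assumed. It shows the point the question and the accepted answer turn on: GRE carries the EIGRP multicast, only a default route is sent to the branch, and the router's own default points at the L3 switch so branch internet traffic hairpins through the ASA's NAT rather than leaving the router's outside interface unfiltered.

```cisco
! Added example (not from the thread). Assumed addressing:
!   Gi0/0 outside 203.0.113.10/29, ISP gateway 203.0.113.9
!   Branch router public IP 198.51.100.2, tunnel 10.255.0.0/30
!   Gi0/1 inside 10.0.1.1/30, transfer network to the L3 switch (10.0.1.2)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
!
interface GigabitEthernet0/0
 description Outside - to the L2 switch in front of the ASA
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet0/1
 description Inside - transfer network to the HQ L3 switch
 ip address 10.0.1.1 255.255.255.252
!
interface Tunnel0
 description GRE over IPsec to branch; GRE carries EIGRP and other multicast
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROF
 ! Advertise only a default to the branch so it sends internet traffic to HQ
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
!
router eigrp 100
 network 10.0.1.0 0.0.0.3
 network 10.255.0.0 0.0.0.3
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface GigabitEthernet0/1
!
! Only the branch peer is reached via the ISP gateway. The router's own default
! points inside, so branch internet traffic crosses the L3 switch and exits
! through the ASA (NAT and policy), never straight out of Gi0/0.
ip route 198.51.100.2 255.255.255.255 203.0.113.9
ip route 0.0.0.0 0.0.0.0 10.0.1.2
```

The L3 switch runs EIGRP 100 on the 10.0.1.0/30 transfer network (or carries a static route for the branch LAN via 10.0.1.1) and keeps its own default toward the ASA; the branch router mirrors this with tunnel destination 203.0.113.10 and no summary address, so its only route to the internet is the default learned over Tunnel0.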


Thanks karsten,

Is there any benefit/disadvantage of placing the VPN router behind the ASA on a private IP address and then using NAT on the ASA to forward the VPN traffic to the router? I'm just thinking that it's one public facing device to worry about.

That of course can be done but again complicates the routing. As mentioned, years ago I configured it that way with the VPN3000 as I never trusted the ACLs of this device. Another scenario is when there is no public IP available for the router on the outer subnet of the ASA. Then it could be needed to place the router behind the ASA.

But again: with a VPN router that only allows IPsec from the internet, it's very likely that this device will not become the weakest link in your security chain and that design should be good to use.


Thanks for your help, that's very useful.