01-18-2010 04:35 AM
We have several small offices that we would like to connect to a central site. The users at these sites have to use
some of the resources at the central site (servers, file sharing etc).
At the central site we are thinking to deploy an ASA 5510 as a VPN termination point (actually 2xASA5510 in
failover).
We are still unsure what to install at the small offices.
At the moment we are thinking about 871 or 1841 that will connect to the central site using Easy VPN with network
extension.
I have several questions regarding this design:
-Will the remote locations be able to communicate with each other through the central site since all of them will
be connected to the central site?
-Will the VPN tunnel be constantly up or will it go down if there is no traffic?
-Do we need fixed IP addresses at the remote sites?
-Is it better to use ASA5505 instead of the routers?
Would you suggest some better solution for this scenario?
Thank you in advance!
01-18-2010 05:39 AM
Yes, you can; you may reference this link: https://supportforums.cisco.com/message/889330#889330
-Will the remote locations be able to communicate with each other through the central site since all of them will
be connected to the central site?
Yes, provided proper nonat exempt rules are configured at the spoke sites and the HUB to allow traffic among all small sites via the HUB ASA5510.
-Will the VPN tunnel be constantly up or will it go down if there is no traffic?
In some scenarios, when there is no traffic and the tunnel remains idle for a long period of time, you will need to send traffic to bring up the tunnel.
To avoid this, you can use keepalive at both tunnel endpoints to keep the tunnel up while there is no traffic; see this link for reference: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution4
-Do we need fixed IP addresses at the remote sites?
Ideally you would want to have a fixed public IP address on your remote site devices; if that is not feasible, you can still create dynamic-to-static L2L VPNs.
Reference these links for PIX/ASA to IOS or ASA to ASA scenarios.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
Regards
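
Added example, not part of the reply above or of the linked Cisco documents: a small Python generator for the NAT-exempt and crypto ACL entries that spoke-to-spoke traffic through the hub requires, including the hub-side entries that list the other spokes as sources. It assumes static L2L tunnels with an ASA at every site, pre-8.3 ASA NAT syntax and an interface named inside; the subnets are constructed and the ACL names (NONAT, CRYPTO-...) are hypothetical.

```python
import ipaddress

# Constructed sample addressing (not from the thread): hub LAN plus three spokes.
SITES = {
    "hub": "10.0.0.0/24",
    "office1": "10.1.1.0/24",
    "office2": "10.1.2.0/24",
    "office3": "10.1.3.0/24",
}

def parse_sites(sites):
    """Parse the subnets and reject overlaps, which make exemption rules ambiguous."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return nets

def ace(acl, src, dst):
    """One ASA extended ACL entry (network + netmask form)."""
    return (f"access-list {acl} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")

def spoke_config(spoke, nets):
    """NAT-exempt ACL on a spoke: local LAN to the hub LAN and to every other spoke."""
    lines = [ace("NONAT", nets[spoke], nets[r]) for r in sorted(nets) if r != spoke]
    lines.append("nat (inside) 0 access-list NONAT")
    return lines

def hub_config(nets, hub="hub"):
    """Hub side: hairpin on the outside interface plus per-spoke crypto ACLs."""
    lines = ["same-security-traffic permit intra-interface"]
    spokes = [s for s in sorted(nets) if s != hub]
    for s in spokes:
        # Traffic the hub must encrypt toward spoke s: hub LAN and all other spokes.
        for src in [hub] + [o for o in spokes if o != s]:
            lines.append(ace(f"CRYPTO-{s.upper()}", nets[src], nets[s]))
        lines.append(ace("NONAT", nets[hub], nets[s]))
    lines.append("nat (inside) 0 access-list NONAT")
    return lines

if __name__ == "__main__":
    nets = parse_sites(SITES)
    print("\n".join(hub_config(nets)))
    print("\n".join(spoke_config("office1", nets)))
```

On each spoke the crypto ACL needs the same source and destination pairs as the NONAT entries generated here, so a spoke that lists only the hub LAN will not reach the other offices.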
01-20-2010 02:11 AM
Thank you for taking the time to respond.
And what do you think is better to use in this situation: Cisco 5505 or Cisco 871?