
VPN Hub and Spoke

ansarjavaid54
Level 1

Hello guys.

I am working on a project with 14 sites. The design will be hub and spoke, and we will build VPNs for site-to-site connectivity.

Now I need to know about the design:

1. CME router ---> Firewall ---> Internet

or

2. Firewall ---> CME router ---> Internet

The ASA will be doing VPN termination, and I know the firewall doesn't support GRE and DMVPN. So how can I do hub and spoke?

Regards!

Ansar Javaid 


Philip D'Ath
VIP Alumni

Are you committed to using ASAs? I would personally stick with the CME router and use DMVPN.

Perhaps at the head office you can use both - but I'd put them side by side, not one behind the other.

Thanks for the help.

Here a question arises: there will be some call-processing burden on the CME router, so why use it if we have a dedicated device for that purpose and all sites have an ASA 5512X?

So my questions are:

1. If I use the CME, do I have to buy a security license and VPN ISM?

If yes, then my company won't let me do this because they have already bought all the material.

2. Is there no hub and spoke support in ASA at all?

If yes, then what if I place the firewall on the edge, run DMVPN or GRE on the CME, and let the firewall do the encryption for that purpose? Is that possible?

3. There are also some clients who will be doing their work remotely, so I will be doing SSL client as well. So is it possible to place my router on the edge doing NAT, with the firewall responding to SSL? Which ports do I need to forward then?

So what do you suggest?

Waiting.......

If you already have ASAs then put them on the outside. You'll have to build lots of site-to-site VPNs as there is no hub and spoke support like on the routers with DMVPN.

I got it. Is there any way to do hub and spoke without buying anything on the router except the security license?

You can do MGRE (Multipoint GRE) without security.

Yup, you're right, plain text packets.....

Is there a way that I do mGRE on the router behind the firewall and the firewall does IPsec for interested traffic?

waiting.........

There would be but the complexity is way too high. You might as well stick with using your ASAs and just build lots of VPNs.

Okay, thanks for helping me clear up my points. Now what do you suggest? 2951 CME and 5512 ASA with FirePOWER.... We need both centralized and remote access features.

So if you suggest anything, it will be appreciated.