06-30-2016 01:47 AM
Hello guys.
I am working on a project with 14 sites. The design would be hub and spoke, and we will build VPNs for site-to-site connectivity.
Now I need to know about the design:
1. CME router ---> Firewall ---> Internet
or
2. Firewall ---> CME router ---> Internet
The ASA will be doing VPN termination, and I know the firewall doesn't support GRE and DMVPN. So how can I do hub and spoke?
Regards!
Ansar Javaid
07-03-2016 10:29 PM
Are you committed to using ASAs? I would personally stick with the CME router and use DMVPN.
Perhaps at the head office you can use both - but I'd put them side by side, not one behind the other.
07-04-2016 03:23 AM
Thanks for the help.
Here a question arises: there will be some burden of call processing on the CME router, so why use it if we have a dedicated device for that purpose and all sites have an ASA 5512X?
So my questions are:
1. If I use CME, do I have to buy a security license and VPN ISM?
If yes, then my company won't let me do this because they have already bought all the material.
2. Is there no hub-and-spoke support in the ASA at all?
If yes, then what if I place the firewall on the edge, run DMVPN or GRE on the CME router, and let the firewall do the encryption for that purpose? Is that possible?
3. There are also some clients who will be doing their work remotely, so I will be doing SSL client VPN as well. Is it possible to place my router on the edge doing NAT, with the firewall responding to SSL? Which ports do I need to forward then?
So what do you suggest?
Waiting.......
07-04-2016 11:13 AM
If you already have ASAs then put them on the outside. You'll have to build lots of site-to-site VPNs as there is no hub and spoke support like on the routers with DMVPN.
07-09-2016 12:48 PM
I got it. Is there any way to do hub and spoke without buying anything on the router except the security license?
07-09-2016 02:43 PM
You can do MGRE (Multipoint GRE) without security.
07-10-2016 03:17 AM
Yup, you're right, plain text packets.....
Is there a way that I can do mGRE on the router behind the firewall and have the firewall do IPsec for interesting traffic?
waiting.........
07-10-2016 01:24 PM
There would be, but the complexity is way too high. You might as well stick with using your ASAs and just build lots of VPNs.
07-11-2016 10:12 PM
Okay, thanks for helping me clear up my points. Now what do you suggest? 2951 CME and 5512 ASA with FirePOWER.... We need both centralized and remote access features.
So anything you suggest will be appreciated.