VPN query

nilesh_sawant
Level 1

Hi,

We have about 40 branches and are looking for VPN connectivity over the Internet to the HO and DR site to access the servers. Being a financial institution, security is a concern.


So the deliverable solution can be one of the below:
1) Configuring IPSec between a Cisco Router and the Cisco VPN client for Windows
2) Configuring IPSec between a PIX and the Cisco VPN client for Windows
3) Configuring IPSec between a Cisco VPN concentrator and the Cisco VPN client for Windows

Which would be the best solution as far as security is concerned? Please comment.


Regards,

Nilesh

1 Reply

Jon Marshall
Hall of Fame

Nilesh

Firstly I would rule out the VPN concentrator simply because it is EOL, and anything that is EOL is not as actively supported. So if there are any major issues in the code, Cisco may well tell you to migrate to an ASA firewall.

So it comes down to a firewall vs a router.

With a router you can do a lot more than with a firewall, as it has all the IOS functionality. So you need to draw up your full list of requirements, e.g. a router has a fuller QoS feature set, a router can do PBR whereas an ASA cannot, and a router can support equal-cost load-balancing across multiple interfaces whereas ASAs have problems with all of this. A quick search on this site will show you, for example, how many people would like PBR to be on an ASA.

But because a router can do a lot more, there are also potentially a lot more bugs that could affect the device. The ASA is a dedicated firewall/IPS device and so is less of a jack-of-all-trades.

Availability and throughput are also considerations, as well as resiliency. You need to compare the relevant data sheets of the routers/ASAs you are interested in.

Finally, there is also the issue of management. If you have no in-house expertise with ASAs, then that is a plus point for a router.

So it's a compromise, and that's why you need a full set of requirements.

Jon