09-22-2013 08:44 PM
Greenhorn here, I didn't sit any of this up. We have three remote sites, sister institutions, that we share an app with. We house the app. One site has a vpn concentrator setup, the other two are using a point to point leased line. They have each have a router that connects to a single router. They want to replace the leased lines with a vpn concentrator. Doing the digging I see the concentrators are EOL.
So what's used to replace the concentrator today? What's a solution today to move away from the leased lines? These are all cash poor non-profits. My guess is they'll say look on Ebay for a concentrator if the solution is too pricey.
Thanks Jim
Solved! Go to Solution.
10-10-2013 12:25 PM
Jim
The Security bundle (CISCO2901-SEC/K9 or CISCO2921-SEC/K9) is the convenient way to get the combination of router, software, and license that you will need. I do not believe that you need anything more elaborate than one of these Security bundles.
I believe that either of these would be a good choice for you. It has been a while since I looked at the specifics of these routers. My memory is that the 2921 offers more power, more interfaces, and some other advantages and would be attractive to many of us. But for what I think I understand of your requirements I believe that the 2901 would be a less expensive and quite adequate router for you.
HTH
Rick
09-22-2013 09:12 PM
Jim
Asking about "vpn concentrator" is a very broad question and there are multiple devices that could reasonable be called vpn concentrators. Perhaps you can be a bit more specific about what device (or perhaps what model of device) you are calling the vpn concentrator.
Based on your description I will make a guess that you are talking about the Cisco 3000 vpn concentrators, which are EOL products. If that is what you are asking about then the product that you should look at is the Cisco ASA, which can function as a vpn concentrator. Based on the brief description that you give I believe that an ASA5505 might do what you need and not be an expensive solution.
HTH
Rick
09-25-2013 02:59 PM
Rick,
What we want to do is eliminate the leased lines. So whatever device that will help us do that is up for consideration. I looked at the ASA5505 and that's a firewall. Would you mind giving me a brief explanation on how the ASA5505 would be used as a vpn concentrator? I have a Check Point Enterprise firewall and I could simply have them connect via the Check Point vpn, or the Windows 7 vpn client as an option.
Currently we're using a Cisco 2800 Model 2811 router on our end. I'm waiting on a reply from a colleague at one of the sister organizations on what they're using on their end. The nomenclature "vpn concentrator" may be incorrect. I was told they have a vpn concentrator setup to connect to us, we want to duplicate that setup, and little else.
I started out by googling for vpn concentrators and found the Cisco 3000's and read that they were at EOL. So being a greenhorn I asked the very broad question of what's replaced them.
Jim
09-25-2013 05:45 PM
Jim
Let me answer your question about the ASA5505 by giving a little history of Cisco products. If you go back several years Cisco had a firewall product that was the PIX product line with multiple models. Cisco also had a product that was the 3000 series of devices that were commonly called VPN concentrators. As things evolved Cisco developed a new line of products with multiple models which was the ASA. They combined the functionality of the firewall PIX and the VPN concentrator into the new ASA product and announced EOL for both the PIX and the VPN concentrator.
So from the Cisco perspective the product that replaces the VPN 3000 concentrators is the ASA. The ASA can be configured to act only as a firewall (I have some customers who do this), or it can be configured to act only as a VPN concentrator (I have some customers who do this), or it can be configured to act as both firewall and VPN concentrator (I have some customers who do this).
In talking about VPN there are two types of VPN. There is Remote Access VPN which is for individual PCs with VPN client software which establish individual VPN sessions to a concentrator. There is also Site To Site VPN which is for situations where you want the VPN session to be between a router/firewall at one site to a similar device at the other site. It is not clear to me from your description exactly which type of VPN you are using. But I am guessing that it is more likely Site to Site. In that case your 2811 router (with the appropriate feature set in the software) would be a good device to do Site To Site VPN. The ASA would be a better choice if you want Remote Access VPN.
HTH
Rick
09-25-2013 09:32 PM
Rick,
Helps a bunch. Site to Site vpn. I looked up the 2811 and they are soon to be EOL. A little searching led me to the 2900 series. And the 2901 model.
These are small sites. Probably no more than 10 to 15 users at the far end connecting back to us. This is a straight up client\server app, no streaming.
Do you think the 2901 would be a good fit? And is there an EOL date set for them? What feature set in the software would we need? What scuttlebut I hear is Cisco no longer supports this iOS or this feature set so your hosed. We want something that's going to be supported for a while.
I'm reading the IPsec VPN WAN Design Overview OL-9021-01 doc for starters. If there's a more current doc on the topic that you know of I'd appreciate the link.
Thanks Jim
09-25-2013 10:33 PM
Dear Jim,
As you already have 2811 router with you and you are trying to reduce the cost as much as it is possible you can simply use the same device at your site to provide VPN service no matter what devices you are going to use in the remote locations. But your router must have an IOS which supports security features. Please do share the IOS version details.
If your branch locations also having routers, you can use the same devices with a proper IOS to establish the VPN tunnels. To veryfy this provide with device models and IOS version details.
Regards,
Shijo.
09-26-2013 01:29 PM
Jim
If the 2811 that you already have is running the correct feature set then it should be an adequate router for your VPN purposes. If the software would need an upgrade for the feature set or if you are really concerned about EOL issues then I believe that the 2901 would be an adequate router for what you need.
For ISR G1 routers like the 2811 the important consideration is the feature set and you would need something like Advanced Security or Advanced IP Services feature set. For the ISR G2 routers like the 2901 they do not do the feature set thing but it is a licensing issue. I believe that there is a Security license that would be required to support VPN.
HTH
Rick
09-26-2013 03:07 PM
Rick, thanks for details and the heads up on the Security license on the 2901. That's a handy piece of information to have.
Shijomon, might be a day or two before I can find out the model and iOS version. I have to rely on the I.T. staff at our sister institutions to work it into their schedule.
Thanks Jim
10-01-2013 01:41 PM
Shijo,
Apologies for the delay. At two of the sister sites, Cisco 1721 IOS version 12.2., both of these connect to a Cisco 2621 IOS version12.2 at our site. These two sister sites are using the point to point setup we would like to replace with the site to site vpn.
We have a third sister institution that is using a site to site vpn. On our end we have the Cisco 2811 IOS version 12.4 that's mentioned in earlier posts. Not sure of what they have on their end, they've not gotten back to me.
Thanks Jim
10-01-2013 04:09 PM
Jim
Shijo did ask about version information in his response. But really the important thing is not version but is what is usually called feature set in the version of code that most of these routers would be running. If the feature set is either Advanced Security or is Advanced IP Services then the routers should support site to site VPN. But if the feature set is something like IP Base then they would not support site to site VPN.
If you could get the people at each of those sites to send you the output of show version, and if you get that output from your router and then post them then we could evaluate whether the code would support site to site VPN.
HTH
Rick
10-09-2013 08:01 AM
Sorry it took so long but here's the output from sh version.
Location 1
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(16a), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 18-Apr-03 19:25 by xxxxx
Image text-base: 0x8000808C, data-base: 0x80A0EE84
ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)
xxxxxxxxx uptime is 41 weeks, 3 days, 20 hours, 54 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.122-16a.bin"
cisco 2621 (MPC860) processor (revision 0x00) with 27648K/5120K bytes of memory.
Processor board ID JAD07070EVT (2982455740)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Location 2
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(11)T6, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 14-Feb-03 14:34 by ccai
Image text-base: 0x80008124, data-base: 0x80A94064
ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
xxxxxxxxxxx uptime is 14 weeks, 14 hours, 22 minutes
System returned to ROM by power-on
System image file is "flash:c1700-sy-mz.122-11.T6.bin"
cisco 1721 (MPC860P) processor (revision 0x100) with 44237K/4915K bytes of memory.
Processor board ID FOC0708028N (496857573), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Location 3
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-SY-M), Version 12.2(11)T6, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 14-Feb-03 14:34 by ccai
Image text-base: 0x80008124, data-base: 0x80A94064
ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
Xxxxxxxxx uptime is 13 weeks, 6 days, 5 minutes
System returned to ROM by reload
System image file is "flash:c1700-sy-mz.122-11.T6.bin"
cisco 1721 (MPC860P) processor (revision 0x100) with 44237K/4915K bytes of memory.
Processor board ID FOC0707142M (1927840357), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Location 4
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 02:36 by alnguyen
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
xxxxxxxxxx uptime is 40 weeks, 5 days, 6 hours, 22 minutes
System returned to ROM by reload at 13:34:01 UTC Thu Dec 27 2012
System image file is "flash:c2800nm-advsecurityk9-mz.124-3g.bin"
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1051A01V
2 FastEthernet interfaces
2 Serial interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
10-10-2013 08:22 AM
Jim
Thanks for posting the additional information. It shows that the first three routers are running versions of code that would not support site to site VPN. So I believe that replacement of these routers is called for (upgrade of the code is not a good option).
The good news is that the output does confirm that your 2811 router is running code that does support site to site VPN. So assuming that that additional load of processing the VPN encryption is not going to strain the processor you should be able to use this router to do site to site VPN.
HTH
Rick
10-01-2013 10:20 PM
Dear Jim,
Please provide the bendle details, like C1841-ENTSERVICESK9-M), Version 12.4(22)T. You can find it out form 'show version' command. The prupose is we want to know the present feature set supports VPN or not.
Regards,
Shijo.
10-01-2013 05:20 PM
Hi Jim,
As mentioned before this is not an easy one without any network requirements.
Nevertheless, let me share some input regarding your query.
If you are in the process of replacing a Cisco VPN 3000 Concentrator, you may want to migrate to an ASA, since it is a FW by nature, and also offers advance VPN (SSL and IKEv2) and Security features.
On the other hand, an ISR G1 Router with a k9 image should be good enough if you want to handle LAN-TO-LAN connections and even RA IPsec clients. However, I would recommend the new G2 Router since old bugs are fixed-in IOS released for this latter equipment.
The new IOS code offers great features like Flex-VPN for instance.
With that said, it really depends on your network requirements and how much you are planning to invest.
Both options are very good, but one needs to keep in mind that one is a Router (advance routing device) and the other one is an ASA (Firewall).
HTH.
10-02-2013 03:41 PM
All - I'm waiting on the sh version results.
Javier - I'm thinking router not firewall. I googled G2 Router and came up with, Cisco775M-G2 ISDN Router, is this similar to what your talking about? Do you have a model in mind I can look up on Cisco's site? We're not replacing a Cisco VPN 3000 Concentrator. I googled vpn concentrator and came up with a hit on that model. Did some reading saw it was EOL. Being green I asked a broad question.
Thanks everybody.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide