Switch or a Router

Answered Question
Aug 13th, 2007

Hi, we have 2 remote offices that are in a shared building. The building has an internet connection and we are given a port that we can plug a switch into, and from this we can plug in our PCs, which get an IP address that allows them to connect to the network.


Now our main office has an ASA firewall and we would like the users at these remote locations to be able to connect to our corporate network via the ASA.


We know we can do this using VPN and having each user double-click on a VPN client on their desktop. But we would like to have an "always on" solution so that the router or switch does the VPN connect.


Would you say it would be better for us to get a router to do this, or can a switch also do a VPN connect to an ASA firewall?


Thanks

Jon Marshall Mon, 08/13/2007 - 00:54
Hi


I would recommend either a router or another ASA device. If you get a router, make sure that it has the right IOS on it, usually something along the lines of advanced security features, so that you can create VPNs.


Switches, generally speaking, do not support IPsec VPNs.


HTH


Jon

yaroslavrosomakho Mon, 08/13/2007 - 01:14

Generally switches cannot do VPN connections (except 6500/4500 with special modules).


ASA is your best choice here - good performance and no interoperability issues with your main ASA.

Correct Answer
hobbe Mon, 08/13/2007 - 02:56

Hi


There are several reasons for using a firewall, ASA, in this configuration.

Right now you plug yourself into an unknown source of Internet access and try to defend yourself with the software "firewalls" that make up the VPN client or such (XP "firewall").

This is a security nightmare and will not work in the long run.


If I was consulted to help you sort this out I would start with 2 ASA5505, which have 8 ports each. One ASA-5505 for each remote office.

The ASA will act both as a firewall and shelter your machines from the unwanted traffic from the Internet.

Now if we are lucky that's enough for the regional offices, since the ASA-5505 is both a firewall and a switch. ASA-5505 is an 8-port device, and in this scenario you would use 1 external and 7 internal interfaces. Hopefully you do not have more than 7 IP devices (computers) on those unsecure networks right now.


If you do have more computers on the network then I would recommend a 2960 switch to go with that ASA.


Most bang for the buck.


Good luck
