Site To Site VPN Options

Unanswered Question
Aug 14th, 2009

Hello all,

Just a question in regards to site-to-site VPNs. I am currently trying to design a temporary network solution for the company that I work at.

We are trying to provide connectivity to a temporary site that is around 200 miles away from our current HQ.

Both sites have connections to the public internet, so I was thinking that we could use a site-to-site VPN using Cisco ASAs. The current connection at the remote location is a T1.

I'm wondering what kind of performance I would have implementing a site-to-site VPN using Cisco ASAs. There could potentially be around 50-75 users.

I'm not very experienced with VPNs in general (other than Juniper SSL)... I'm more of an R&S guy. So, if there's a better solution out there, I'm all for hearing about it.

Thanks for any help / information in advance!

Jonathan Kloza

ivarnhagen Sun, 08/16/2009 - 02:18

Hi Jonathan,

The performance you would get in terms of bandwidth would depend on the internet connections at the remote site and the "HQ". The slowest internet connection (upload or download) would be your bottleneck. The T1 should give you about 1.5 Mbps.

Whether that would be enough for your 50-75 users would depend on the type of application they use. You should take the bandwidth required by the application for one user and multiply it by the number of users you have. Then you check whether your slowest connection supports these requirements. Take note that VPN connections also have some overhead.

If these internet connections are also used for surfing the web, guaranteeing bandwidth becomes more difficult. In that case some sort of QoS would be needed.

Delay and jitter could be an issue, again depending on the applications you are using. Our VPN connections here between locations in Germany usually have about 40-100ms delay, which is good in most cases (even for VoIP).

If you are concerned about VPN throughput of the ASA itself... the 5505 has a 100 Mbps throughput, which would most likely be more than you need considering you have a T1 at one end.

And finally make sure you have enough user licenses on your ASAs.

hth

Ingo
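
The bandwidth rule in the reply above (per-user demand times number of users, checked against the slowest link with VPN overhead taken into account) worked through in Python, as an added example that is not part of the original post or of any Cisco material. It assumes ESP tunnel mode over IPv4 with AES-CBC and HMAC-SHA1-96 (16-byte IV, 16-byte cipher block, 12-byte ICV), optional NAT-T, a nominal 1.544 Mbit/s T1, and constructed per-user figures; none of those values come from the thread.

```python
"""Added example (not from the thread): estimate whether a group of users
fits through a T1 once IPsec ESP tunnel-mode overhead is taken into account.

Assumed framing (not stated on the page): ESP tunnel mode over IPv4 with
AES-CBC (16-byte IV, 16-byte block) and HMAC-SHA1-96 (12-byte ICV), with an
optional UDP/4500 NAT-T header. Per-user bandwidth figures are constructed."""

IPV4_HDR = 20       # outer IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
NAT_T_UDP = 8       # UDP encapsulation when NAT traversal is negotiated
T1_BPS = 1_544_000  # nominal T1 line rate, bits per second


def esp_tunnel_size(inner_packet_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Bytes on the wire for one inner IP packet after ESP tunnel encapsulation.
    Padding brings (inner packet + trailer) up to a multiple of the cipher block."""
    pad = (-(inner_packet_len + ESP_TRAILER)) % block
    encrypted = inner_packet_len + pad + ESP_TRAILER
    total = IPV4_HDR + ESP_HDR + iv_len + encrypted + icv_len
    if nat_t:
        total += NAT_T_UDP
    return total


def goodput_bps(link_bps, inner_packet_len, **kw):
    """Application-visible bandwidth on a link when every packet carries ESP overhead."""
    return link_bps * inner_packet_len / esp_tunnel_size(inner_packet_len, **kw)


def plan(users, bps_per_user, link_bps=T1_BPS, inner_packet_len=1400, **kw):
    """The rule from the reply: per-user demand x users, compared with the
    slowest link after VPN overhead. Returns (required_bps, available_bps, fits)."""
    required = users * bps_per_user
    available = goodput_bps(link_bps, inner_packet_len, **kw)
    return required, available, required <= available


if __name__ == "__main__":
    # Constructed figures: 60 users at 20 kbit/s each of web/Exchange traffic,
    # 1400-byte packets, NAT-T in use at the remote site.
    req, avail, ok = plan(60, 20_000, nat_t=True)
    print(f"required {req / 1e3:.0f} kbit/s, available {avail / 1e3:.0f} kbit/s "
          f"-> {'fits' if ok else 'does not fit'}")
    # Small packets pay proportionally far more overhead than full-size ones.
    for n in (64, 200, 576, 1400):
        print(f"{n:5d}-byte inner packet -> {esp_tunnel_size(n, nat_t=True)} bytes on the wire")
```

The overhead is fixed per packet, so the per-user figure should be taken from the real packet size mix: small-packet traffic loses a much larger share of the T1 than bulk transfers do, which is why a link that looks fine on averages can still feel slow.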

jkloza Mon, 08/17/2009 - 03:58

Thank you very much for the reply. There won't be any delay sensitive applications, mostly web / exchange chatter...

You mentioned licenses on my ASAs. I was under the impression that the site-to-site IPsec VPN was a "persistent" connection; do I still need user licenses on my ASAs...

I've found some SRNDs / design overviews that have been helpful, specifically the IPsec VPN WAN design overview, which uses Cisco IOS to create the connection between two "VPN" routers, 18XX / 28XX / 38XX. Is it possible to use a 37XX router? Are there specific modules that I would need?

Thanks again for your help!

Jon

ivarnhagen Mon, 08/17/2009 - 05:04

Hi Jon,

Yes, unfortunately connections made through the VPN do use up user licenses. The mechanism is explained in short here:

http://6200networks.com/2009/01/27/asa-5505-question/

Of course you can also use a router to establish a VPN between two sites. I haven't done this a lot, so I can't give you explicit advice.

To my knowledge you can configure a VPN on most Cisco routers or Layer 3 switches (e.g. with a routed port) with the appropriate IOS and feature set. Newer IOS releases also have an integrated Zone-Based Firewall, which you can configure, making them even more flexible and secure than the old CBAC firewall.

Info on the Zone-based Firewall:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html

One thing that you should consider is using fixed IPs for your VPN connections. At least one side has to have a fixed IP for an ASA-ASA VPN tunnel to work reliably.
