VPN architecture and config question

May 12th, 2010

Hello Cisco experts,

I need some help on changing my current configuration to add a Cisco 2821 for a site to site vpn architecture. I'll attempt to explain this as well as I can.

My current setup is a core 6509e that I have all my access layer devices and servers connected to. The default IP route specifies the next hop as our Nokia/Checkpoint firewall. All traffic goes through the firewall and either returns to the core for internal routing/switching, or, for external traffic, goes to the internet link, which is an ISP we use. We do not have a public IP because we are required to use this ISP without any choice.

So, traffic goes from our core 6509e to a Nokia/Checkpoint and then to our ISP as the default gateway. The Nokias are currently performing the VPN portion for traffic going to a sister site.

We are going to be swapping out the Nokias for Juniper firewalls and I need to figure out how to implement the Cisco 2821's to handle the VPN traffic. I was thinking of making a route statement to send all traffic destined for the sister site IP to the Cisco 2821 to perform the IPSEC VPN and then send it back through the core.

ANY suggestions are welcome.

spremkumar Wed, 05/12/2010 - 06:20


You need to make sure that the functionalities carried out by your Nokia/Juniper firewalls are being taken care of if you remove them from the network.

You need to identify the features being offered by these devices before you remove them from the network. If you are not really sure about that, better check the configs and docs for the same.

You can make use of the router to act as an IPSEC VPN tunnel endpoint for your remote locations so that the transaction between your location and the remote will be safe/secure.

Once the decryption of the remote end data is done at the router end, the packets can be routed internally to your internal network.

Also, before replacing the devices, you need to work out the required ports / capacity before placing the PO.


busheyscott Wed, 05/12/2010 - 08:07

The Juniper firewalls will replace the Nokias after I get the site to site VPN up and running. Since the Nokias currently run the VPN portion as part of their capabilities, I need to change the VPN to the Cisco 2821's I have. We will not be configuring the VPN endpoints as part of our new Juniper firewall installation.

So my question is what is the best way to do this with my current topology.

I can get the configurations correct as I have configured VPN endpoints before, but I am unsure as to how to change my topology to have the 2821's as my endpoints. Do I make a trunk from the core 6509e to the 2821 and then run it back through the core on another trunk? Do I use two ports on the core and change them from switchport to layer III and put IPs on them to go to my 2821's? I know there are a few ways to do this but I keep getting stuck on which way to go.

I am open to any suggestions.
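As an added example (not the poster's configuration, and not an answer from the thread), here is one way to wire the 2821 in as the VPN endpoint using the two-routed-ports option the follow-up asks about: an "inside" leg that receives the cleartext sister-site traffic steered by a static route on the 6509e, and an "outside" leg that hands the encrypted packets back to the core, where the existing default route carries them to the firewall and ISP. Every address, interface name, subnet (192.168.10.0/24 local, 192.168.20.0/24 sister site), the peer address 203.0.113.1 and the pre-shared key placeholder are assumptions, not values from the thread.

```cisco
! ---- 6509e core: two routed (no switchport) ports toward the 2821 ----
interface GigabitEthernet1/1
 description Inside leg to 2821 (cleartext to/from sister site)
 no switchport
 ip address 10.1.1.1 255.255.255.252
!
interface GigabitEthernet1/2
 description Outside leg to 2821 (IPsec packets toward firewall/ISP)
 no switchport
 ip address 10.1.2.1 255.255.255.252
!
! Only sister-site traffic (192.168.20.0/24, assumed) is steered to the 2821;
! the existing default route to the firewall is unchanged.
ip route 192.168.20.0 255.255.255.0 10.1.1.2

! ---- Cisco 2821: IKEv1/IPsec endpoint (all values assumed) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! PLACEHOLDER-PSK must be replaced; 203.0.113.1 stands in for the sister site's public peer
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
!
crypto ipsec transform-set TS-SISTER esp-aes 256 esp-sha-hmac
!
! Interesting traffic: local LAN 192.168.10.0/24 to sister LAN 192.168.20.0/24
ip access-list extended VPN-SISTER
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map CM-SISTER 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-SISTER
 match address VPN-SISTER
!
interface GigabitEthernet0/0
 description Inside leg from 6509e core
 ip address 10.1.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Outside leg to 6509e core; crypto map lives here
 ip address 10.1.2.2 255.255.255.252
 crypto map CM-SISTER
!
! Cleartext return path goes back in via the inside leg; everything else
! (the IKE/ESP packets to the peer) follows the default out the outside leg.
ip route 192.168.10.0 255.255.255.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 10.1.2.1
```

Because the 2821's outside address is private, the firewall must have a route to the 10.1.2.0/30 link, NAT that address, and pass UDP/500 and UDP/4500 to it; IOS negotiates NAT traversal (UDP/4500) automatically when it detects the NAT. Splitting inside and outside onto separate routed ports keeps the 6509e's static route and the crypto map's egress interface distinct, so there is no way for the cleartext route to loop back onto itself.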
