Datacenter Network Setup with IPSec VPN

Jul 27th, 2010

I am currently doing some research on a setup for a datacenter. I am attaching what I have in mind for clarity. Basically we will have two ISPs using fiber connectivity and we will use BGP on the ISR to perform dynamic routing between the two ISP connections.

The firewall (ASA) will be terminating multiple IPSec site-to-site VPN tunnels going to multiple clients who will probably have either an ISR router or a small ASA firewall. Till now I think it makes sense.

The issue is that I would like to terminate the VPN tunnels from the various clients to different VLANs which will then go over a trunk to the inside interface of the ASA. I was reading about VRF-Lite and it seems that it is the feature that should be used in such cases, however I found out that the ASA does not support VRF-Lite.

What are your suggestions on this aspect? Should I trash the ASA idea and terminate the VPNs on the ISR router, using a VRF routing table per client and mapping it to a VLAN? I wanted to use the ASA for VPNs as it is faster than the ISR and is able to support more tunnels at higher throughput.

Is there a better way of implementing this setup, perhaps using other devices such as the ASR?

Your help would be greatly appreciated.

cciesec2011 Tue, 07/27/2010 - 15:26
Having worked with Cisco IOS, ASA and Checkpoint firewalls as VPN termination endpoints, I can tell you that for your design I would definitely go with Cisco IOS, either with the ASR 1002 or the 7201 VXR. You definitely do not want to use the ASA as the VPN termination endpoint:

- ASA does not support GRE/IPSec. I am sure that somewhere along the way you will have requirements for GRE/IPSec. ASA just cannot do that.

- GETVPN and DMVPN. ASA, to my knowledge, does not support them.

- NAT inside the VPN tunnel and one-arm routing with VPN. Configuration is much easier on Cisco IOS than on ASA appliances.

- Support for multicast along with VPN. This is much easier on Cisco IOS than on ASA appliances.

If you have any of the above requirements, either the 7201 VXR (depending on the throughput) or the ASR 1002 will give you performance just as good as the ASA with much more flexibility.

The strength of the ASA is firewall "stateful inspection". If your goal is to use the ASA just for VPN termination, a router is the much better option.

K_Green70 Wed, 07/28/2010 - 00:00
Thanks for your reply and guidance. So with your suggestion to use the ASR 1002, I would be able to do:

- BGP Routing with both of my ISPs

- IPSec VPN Termination to remote clients who will be using IOS routers or ASAs

- VRF per client (as I do want to safely separate traffic and overlapping IPs might also be an issue)

- Each VRF terminates in a VLAN which can be trunked with other VLANs to the internal switches

Also, do you think I can use ZBFW on this ASR as well? It would enforce some more security, especially if we would want to publish some services such as web services or other SSL-based services.

Thanks again for your valuable help.
cciesec2011 Wed, 07/28/2010 - 05:20
- BGP Routing with both of my ISPs

Yes, with load-sharing as well.

- IPSec VPN Termination to remote clients who will be using IOS routers or ASAs

Yes, with ISP redundancy. You will use a loopback interface on your router for VPN termination. Just remember to have this loopback IP address be reachable on the Internet so that your remote IOS routers or ASAs can reach it. Don't forget to use "crypto map local-address lo0" or something like that.

- VRF per client (as I do want to safely separate traffic and overlapping IPs might also be an issue)

I've never used VRF per client. However, you're making the problem harder than it seems. Just place the internal interface of the VPN behind a firewall so that you can inspect the traffic once it gets decrypted. A much cleaner solution.

- Each VRF terminates in a VLAN which can be trunked with other VLANs to the internal switches

Again, use the firewall to inspect the traffic after decryption, a much cleaner solution.
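For reference, here is what the design discussed in the two posts above looks like as an IOS XE configuration on an ASR 1000. This is an added example and not part of the thread or of anyone's production config: the VRF name CLIENT-A, VLAN 101, the peer address 203.0.113.10 and the local addresses (RFC 5737 documentation ranges) are assumptions. It uses a loopback-sourced static VTI (tunnel interface with `tunnel protection`) placed into the client VRF instead of the crypto-map approach cciesec2011 mentions, because the VTI is what lets one tunnel land in one VRF and one VLAN, and it adds a zone-based firewall policy so the decrypted traffic is inspected before it reaches the client VLAN, which is the point raised in both replies. Adjust the pre-shared key, the peer, and the remote subnet for each client; repeat the VRF, Tunnel, sub-interface and zone blocks per client.

```cisco
! ---- Client VRF: separate routing table, so overlapping client subnets do not collide
vrf definition CLIENT-A
 rd 65000:101
 address-family ipv4
 exit-address-family
!
! ---- Loopback used as the VPN source; must be advertised to both ISPs via BGP
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
router bgp 65000
 network 198.51.100.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 description ISP-A
 neighbor 192.0.2.129 remote-as 64502
 neighbor 192.0.2.129 description ISP-B
!
! ---- IKEv1 (ISAKMP) settings for the CLIENT-A peer
crypto keyring CLIENT-A-KEYS
 pre-shared-key address 203.0.113.10 key REPLACE-WITH-STRONG-PSK
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
crypto isakmp profile CLIENT-A-IKE
 keyring CLIENT-A-KEYS
 match identity address 203.0.113.10 255.255.255.255
 local-address Loopback0
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CLIENT-A-IPSEC
 set transform-set AES256-SHA
 set isakmp-profile CLIENT-A-IKE
!
! ---- Static VTI: the tunnel itself lives in CLIENT-A (inside VRF),
!      while IKE/ESP are sourced from Loopback0 in the global table (front VRF)
interface Tunnel101
 description IPsec sVTI to CLIENT-A
 vrf forwarding CLIENT-A
 ip address 172.16.101.1 255.255.255.252
 zone-member security VPN-CLIENT-A
 tunnel source Loopback0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CLIENT-A-IPSEC
!
! ---- VLAN 101 on the trunk towards the internal switches, also in CLIENT-A
interface GigabitEthernet0/0/2.101
 description VLAN 101 - CLIENT-A inside
 encapsulation dot1Q 101
 vrf forwarding CLIENT-A
 ip address 10.101.0.1 255.255.255.0
 zone-member security INSIDE-CLIENT-A
!
! Remote client subnet (assumed 10.200.0.0/16) reachable only inside the VRF
ip route vrf CLIENT-A 10.200.0.0 255.255.0.0 Tunnel101
!
! ---- Zone-based firewall: inspect decrypted traffic from the tunnel before it
!      reaches the client VLAN; everything not explicitly allowed is dropped and logged
zone security VPN-CLIENT-A
zone security INSIDE-CLIENT-A
!
class-map type inspect match-any CLIENT-A-ALLOWED
 match protocol https
 match protocol dns
!
policy-map type inspect CLIENT-A-POLICY
 class type inspect CLIENT-A-ALLOWED
  inspect
 class class-default
  drop log
!
zone-pair security CLIENT-A-TO-INSIDE source VPN-CLIENT-A destination INSIDE-CLIENT-A
 service-policy type inspect CLIENT-A-POLICY
```

Two checks worth doing once this is in place: `show crypto session detail` should show the peer's IKE SA bound to profile CLIENT-A-IKE with Loopback0 as the local address, and `show ip route vrf CLIENT-A` should contain only the tunnel, the VLAN and the remote client subnet, confirming that the client's traffic cannot leak into the global table or another client's VRF. Because the return path is a static route into Tunnel101, a second ISP failing does not affect the tunnel as long as the loopback stays reachable via the remaining BGP session.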

K_Green70 Wed, 07/28/2010 - 10:15
I am glad that it seems the ASR should be fit for the job. I have one last question I would like to ask. If I do not use VRF and use the firewall solution that you are suggesting, can I use the firewalling feature in the ASR itself, or do I need a separate firewall appliance (say an ASA) for this job?

Thanks again