Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.
Mohamed Sobair Thu, 01/12/2012 - 10:25
User Badges:
  • Gold, 750 points or more


If the requirement is to only terminate IPSec LAN to LAN Tunnels, then I would choose ASA.

Now, the Choise of the series depends on the required throughput , VPN throughput, Maximum concurrent connections .. etc.

for example, for 700+ Site to Site, I would choose ASA 5550, which can gives more number of allowed IPsec tunnels (5000) besides over 400Mbps 3DES VPN throughput.

Check below the ASA product comparison sheet:




jkozlov Thu, 01/12/2012 - 18:02
User Badges:

By site to site are u talking DMVPN or just FW to FW.....we ise 7200 G2 as dmvpn hib with older 3800 as spokes. If i were refreshing this it would be an ASR1004 as the hub and 3900 as the spoke

Sent from Cisco Technical Support iPhone App

Mike Schooley Thu, 01/12/2012 - 19:09
User Badges:

normally I would say a router as it gives you more options like terminating gre, but I think i read somewhere that 8.4 supported gre, havent confirmed.  nat is much more flexible with new version of asa if thats required.  also with 700 sites, I would assume your are running dmvpn, not sure asa can be used for that.

Latchum Naidu Fri, 01/13/2012 - 05:13
User Badges:
  • Blue, 1500 points or more


The ASA does not support DMVPN.
Initially Cisco said it might be available in 9.x (un-official), but it seems it has been removed from the road-map now, at least for 9.x (again un-official source).

So if you are planning to go DMVPN then go with Router and as said above with router you can have more options like terminating different wan links and so on...

Please rate all the helpfull posts.


This Discussion