
VPN Failover - Router, ASA or both?

jun10r123
Level 1

Hi,

Background - at the moment we have 64k links to branch sites with Cisco routers at both ends (3600 central, 1841 remote). These low bandwidth links are very costly and not fast enough to run email/internet applications, therefore we also have a separate VPN network at each site where machines that need these applications are configured to use. (ASA 5500 central on a 10mb Fibre, ASA/PIX at remote sites on a DSL connection).

I am looking to tidy this up and consolidate into one reliable network. My question is, is there a router that can do the following:

  • Connect to two ISPs - I would like two links at each site, be it a Leased Line & DSL or two DSL connections
  • VPN Connection to central ASA 5500 with Automatic Failover, i.e. if an Internet link goes down the VPN will re-establish on the other
  • Firewall - or would I be better in keeping the ASAs currently at the remote sites? If so, how should they be configured along with the router & VPN?
  • QoS should we decide to look at VoIP in the future.

I have looked at the Cisco 1921 router, would this be suitable?

Thanks in advance for any advice.

3 Replies

Jeff Van Houten
Level 5

Look on the Cisco site for document ID 41940. If you are not running publicly addressable services at the remote sites, then a router is all you need, IMHO.


Thanks, I'll take a look.

We do have overnight CCTV monitoring at some sites so the router/firewall will need to be publicly accessible.

1- Get rid of ASA for VPN termination endpoint because they cannot do GRE/IPSec or VTI.

2- You only need routers, even if the routers are Internet facing. As long as you configure the routers properly, there is no need to worry, since these routers are used to terminate IPSec and nothing else.

3- With routers, you will be able to utilize multiple ISP connectivity for GRE/IPSec or DMVPN and do just about everything you want. Things that ASA cannot provide. Not to mention QoS as well.
