router vs firewall site to site VPN

Answered Question
May 31st, 2013

Dear

I would like to know whether both the Cisco 2901 or 2921 router and the Cisco 5505 ASA can build site-to-site VPNs.

1) What is the difference between building a site-to-site VPN on a router and on a firewall?

2) Which is the best choice for a site-to-site VPN connection?

Best Regards

Alan.

Karsten Iwen Fri, 05/31/2013 - 22:06

The ASA is a really great choice for remote-access-VPNs. But for site-to-site I prefer the IOS-router:

On the router you have much more flexibility to choose how to configure your VPNs. The typical choice is to configure some kind of IPSec-Tunnel-Interface to connect the other sites (that can be VTI/DVTI, DMVPN or the new FlexVPN). These tunnel-interfaces are not available on the ASA.

Another point is access-control for VPN-traffic. That works like a charm on the router and is a PITA on the ASA.

One point is much easier to achieve on the ASA: that is device redundancy. With the failover implementation on the ASA this can be implemented much more easily than on the router.

But all in all, in my opinion, the router is the much better choice for site-to-site.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

alan-wong Sat, 06/01/2013 - 07:42

Dear karsten.iwen

Can you provide me some Cisco links to learn more about your explanation? Because I am used to using the ASA to build VPNs, and I usually think a firewall is much more secure for both site-to-site VPN and protecting company resources. As you said, the router performs much better for site-to-site VPN. I want to understand more about "The typical choice is to configure some kind of IPSec-Tunnel-Interface to connect the other sites (that can be VTI/DVTI, DMVPN or the new FlexVPN). These tunnel-interfaces are not available on the ASA".

Thank you very much.

n.dambrosio Sat, 06/01/2013 - 16:15

I do a lot of deployments and I believe it all depends on what you are trying to accomplish. There have been huge changes with the 9.1 code for the ASA. Cisco deployment and configuration guides are where I would start first.


Sent from Cisco Technical Support Android App

alan-wong Sat, 06/01/2013 - 18:13

Dear

I have tried to use the Cisco 5505 to build a site-to-site VPN like siteA<>headquarter<>siteB. Site A and site B can connect to headquarters, but site A CANNOT connect directly to site B.

If I change to using a Cisco 2901 or 2921 to build the site-to-site VPN, may I know which type of VPN (SVTI, DVTI or DMVPN) can make all three sites connect to each other, e.g. so that site A can connect to site B as well?

Karsten Iwen Sat, 06/01/2013 - 23:57

On the ASA this can also be achieved:

1) you need to enable "same-security-traffic permit intra-interface"

2) the ACLs that specify which traffic has to be protected have to be expanded:

  - On Spoke A: include the traffic from site A to site B

  - On Spoke B: include the traffic from site B to site A

  - HQ VPN to A: include the traffic from site B to site A

  - HQ VPN to B: include the traffic from site A to site B

Or you build direct VPNs between Spoke A and Spoke B.

With the routers, it mostly depends on the amount of sites, your communication needs and if you have fixed public IPs on the spokes.

If there are only a few Spokes and all have fixed public IPs I would use VTI. If the Spokes have dynamic IPs, then on the HUB you need DVTIs.

If there are many spokes and all routers are ISR G2, then the best solution could be FlexVPN. If there are still ISR G1, then DMVPN or a combination of FlexVPN/DMVPN could be used. FlexVPN/DMVPN could also be a good solution if you want direct Spoke-to-Spoke communication.

Enough confusion? ;-)

Just tell us more what you exactly want to achieve and we can direct you in the right direction.

-- 

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
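Karsten's two ASA steps above (intra-interface permit plus expanded crypto ACLs on the HQ box) as a worked hub configuration; this is an added example, not code from any post in this thread or from Cisco documentation. All subnets, peer addresses, object names and the PSK placeholders are constructed, and the IKE/IPsec parameters are placeholders to be matched to the real deployment.

```cisco
! Added example, not from the thread: ASA 8.4+/9.x HQ (hub) config that
! lets spoke A reach spoke B through the two HQ tunnels. All addresses
! are constructed: HQ LAN 10.0.0.0/24, spoke A LAN 10.1.0.0/24 behind
! peer 203.0.113.10, spoke B LAN 10.2.0.0/24 behind peer 203.0.113.20.

! Step 1: let traffic enter and leave the same (outside) interface
same-security-traffic permit intra-interface

object network HQ-LAN
 subnet 10.0.0.0 255.255.255.0
object network SPOKE-A-LAN
 subnet 10.1.0.0 255.255.255.0
object network SPOKE-B-LAN
 subnet 10.2.0.0 255.255.255.0

! Step 2: each HQ crypto ACL also carries the other spoke's subnet
access-list VPN-TO-A extended permit ip object HQ-LAN object SPOKE-A-LAN
access-list VPN-TO-A extended permit ip object SPOKE-B-LAN object SPOKE-A-LAN
access-list VPN-TO-B extended permit ip object HQ-LAN object SPOKE-B-LAN
access-list VPN-TO-B extended permit ip object SPOKE-A-LAN object SPOKE-B-LAN

! Identity NAT so the hairpinned spoke-to-spoke and HQ-to-spoke flows are
! not caught by an interface PAT for internet traffic (harmless if none)
nat (outside,outside) source static SPOKE-A-LAN SPOKE-A-LAN destination static SPOKE-B-LAN SPOKE-B-LAN no-proxy-arp
nat (outside,outside) source static SPOKE-B-LAN SPOKE-B-LAN destination static SPOKE-A-LAN SPOKE-A-LAN no-proxy-arp
nat (inside,outside) source static HQ-LAN HQ-LAN destination static SPOKE-A-LAN SPOKE-A-LAN no-proxy-arp
nat (inside,outside) source static HQ-LAN HQ-LAN destination static SPOKE-B-LAN SPOKE-B-LAN no-proxy-arp

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE-MAP 10 match address VPN-TO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 20 match address VPN-TO-B
crypto map OUTSIDE-MAP 20 set peer 203.0.113.20
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-A-PLACEHOLDER>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key <PSK-B-PLACEHOLDER>
```

On each spoke the crypto ACL toward HQ must likewise list the other spoke's subnet as destination, otherwise spoke-to-spoke packets are never sent into the HQ tunnel; pick the strongest DH group and cipher your image supports rather than the placeholders shown.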

alan-wong Sun, 06/02/2013 - 09:11

Thank you so much Karsten Iwen.

You really make me confused with too much information I did not know before. I will start to study what you have told me above.

However, what I really want to achieve and know is how to handle more than 60 sites. 50 sites use only a 2901 or 2921 for a direct site-to-site VPN over the internet to headquarters, and 10 sites use a 2901 or 2921 for both MPLS and an internet site-to-site VPN (failover) to connect to headquarters. Could you try to advise and figure out what solution we should be using? I really want to study and learn what the best solution is for our implementation right now. Thank you.

What solution is good or best for the below?

1) What 2901 or 2921 VPN solution should be used in the 50 sites that only connect directly over the internet via site-to-site VPN to headquarters?

2) What 2901 or 2921 VPN solution should be used in the 10 sites that have both MPLS and an internet site-to-site VPN (failover) to headquarters?

Thank you.

Correct Answer
Karsten Iwen Sun, 06/02/2013 - 09:34

With that amount of sites connected to both internet and some to MPLS you should choose a solution that gives you good configuration and routing scalability. Both are better on IOS than on the ASA. I would go directly to FlexVPN which is the most up-to-date technology in IOS and gives you many features like good scalability, integration of routing and (if you want) spoke-to-spoke connectivity without much extra config. The routers need quite new images, I would start with 15.2.4M3.

For the IPSec-scalability you should plan to use certificates, a CA-server is included in IOS:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080210cdc.shtml

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Collin Clark Sun, 06/02/2013 - 07:16

I second using routers for VPN.

Sent from Cisco Technical Support Android App
