VPN termination point

Mar 19th, 2014

Hi,

Which one is a better design?

To terminate the VPN connection at the router level or at the firewall level.

For a case of: SW----FW---Router?

Based on many reviews, it seems terminating VPN at the router level is much more troublesome to configure as compared to terminating at the router level.

Appreciate any feedback. Thanks.

Richard Burts Thu, 03/20/2014 - 06:59

It is not clear to me from your post where the inside network is and where the outside/Internet is. I am guessing that the switch is the inside and the outside is connected at the router. Is that correct? I wonder about changing the topology so that the firewall is the connection to the outside and the router is inside of the firewall.

It is also not clear whether you are talking about remote access VPN or site-to-site VPN. For remote access VPN I would advise terminating it on the firewall. For site-to-site VPN I would advise terminating it on the router.

HTH

Rick

Kevin Thu, 03/20/2014 - 20:32
Hi Rick, yes, I am talking about SSL VPN actually. I am just thinking of a scenario for VPN whereby there is one WAN IP. So I am not sure which is easier to build: set up the router which is facing the Internet for VPN, or the firewall behind the router for VPN access. Let's say the router is in front because the FW does not support a certain Internet WAN port.
Correct Answer
Richard Burts Fri, 03/21/2014 - 07:53

For SSL remote access VPN I would suggest terminating it on the firewall. If your outside connection is some connection type that the firewall does not support then it makes sense to have the router on the outside.

HTH

Rick

Kevin Tue, 04/01/2014 - 09:18

Hi guys,

Thank you for the replies.

Currently the router which is Internet facing only has one WAN IP address, but the SSL remote access VPN is on the firewall, which is behind the router.

How can I make remote access users connect to the firewall via the public IP, since the only way to connect is to the router first?

Richard Burts Tue, 04/01/2014 - 13:21
That is a challenge. Perhaps you might do port forwarding on the router so that SSL is translated and forwarded to the ASA address.

HTH

Rick
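The port forwarding Rick suggests, worked through as an IOS static PAT configuration. This is an added example, not configuration posted in the thread; the interface names, the 192.168.1.0/24 transit subnet and the ASA outside address 192.168.1.2 are assumptions chosen for illustration. The router holds the single public address on its WAN interface, so the translation is keyed to the interface rather than to a fixed public IP, which also survives an ISP-assigned (DHCP) address.

```cisco
! Added example (not from the thread). Assumed topology:
!   ISP ---- Gi0/0 [router] Gi0/1 ---- outside [ASA] inside ---- switch
!   Gi0/0 : the only public IP (static or DHCP from the ISP)
!   Gi0/1 : 192.168.1.1/24 (transit network between router and ASA)
!   ASA outside interface: 192.168.1.2
interface GigabitEthernet0/0
 description WAN (single public IP)
 ip nat outside
!
interface GigabitEthernet0/1
 description Transit to ASA outside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Static PAT: TCP/443 arriving on the WAN address is rewritten to the ASA
! outside address, so remote-access clients target the router's public IP
! and the SSL session terminates on the ASA.
ip nat inside source static tcp 192.168.1.2 443 interface GigabitEthernet0/0 443
!
! AnyConnect also uses DTLS on UDP/443; forward it as well or clients will
! negotiate TLS only. Omit this line if only clientless SSL VPN is used.
ip nat inside source static udp 192.168.1.2 443 interface GigabitEthernet0/0 443
!
! If an inbound ACL is already applied to the WAN interface, it must permit
! the forwarded ports. Inbound ACLs on IOS are evaluated before the
! outside-to-inside translation, so the destination is the public address
! ("any" here). Add these entries to the existing ACL rather than replacing it.
ip access-list extended WAN-IN
 permit tcp any any eq 443
 permit udp any any eq 443
!
! Verify the translation is installed:
!   show ip nat translations | include :443
```

On the ASA side, the SSL VPN still listens on its outside interface (192.168.1.2 in this example) and needs a default route back through 192.168.1.1. Clients connect to the router's public IP, so the certificate presented by the ASA should carry the public hostname, not the private address. Note also that the router itself can no longer expose anything on TCP/443 of that interface; if `ip http secure-server` is enabled for management, reach it from the inside or move it off that port.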

johnlloyd_13 Fri, 03/21/2014 - 19:32
Hi, what's your ISP hand-off? The Cisco ASA firewall normally has Ethernet ports. A Cisco router can also support IOS-based SSL VPN, but you'll need a higher platform for this feature and to offload router memory and CPU. I would advise using the ASA firewall as the VPN termination point because of its flexible and innate (security-level) security functions, and the router to do only WAN/routing functions.
