New Member

VPN termination point

Hi,

 

Which one is the better design?

To terminate the VPN connection at the router level or at the firewall level?

For a case of:  SW----FW---Router?

Based on many reviews it seems that terminating the VPN at the router level is much more troublesome to configure as compared to terminating at the router level.

 

Appreciate any feedback. Thanks.

Accepted Solution
Hall of Fame Super Gold

For SSL remote access VPN I would suggest terminating it on the firewall. If your outside connection is some connection type that the firewall does not support then it makes sense to have the router on the outside.

 

HTH

 

Rick

6 REPLIES
Hall of Fame Super Gold

It is not clear to me in your post where the inside network is and where the outside/Internet is. I am guessing that the switch is the inside and the outside is connected at the router. Is that correct? I wonder about changing the topology so that the firewall is the connection to the outside and the router is inside of the firewall.

 

It is also not clear whether you are talking about remote access VPN or site to site VPN. For remote access VPN I would advise terminating it on the firewall. For site to site VPN I would advise terminating it on the router.

 

HTH

 

Rick

New Member

Hi Rick,

Yes, I am talking about SSL VPN actually. I am just thinking of a scenario whereby there is one WAN IP, so I am not sure which is easier to build: set up the router facing the internet for VPN, or the firewall behind the router for VPN access. Let's say the router is in front because the FW does not support a certain internet WAN port.

New Member

Hi guys,

Thanks for the replies.

Currently the internet-facing router only has one WAN IP address, but the SSL remote access VPN is on the firewall, which is behind the router.

How can I make remote access users connect to the firewall via the public IP, since the only way to connect is to the router first?

 

Hall of Fame Super Gold

That is a challenge. Perhaps you might do port forwarding on the router so that SSL is translated and forwarded to the ASA address.

 

HTH

 

Rick
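Rick's port-forwarding suggestion worked through as an added IOS configuration example; this is not Rick's config and not anything posted in the thread. It assumes the router's single public address sits on GigabitEthernet0/0, the ASA's outside interface sits on the router's inside segment at 192.168.1.2 (both assumed values), and the ASA's SSL VPN listens on the default TCP 443, with AnyConnect DTLS on the default UDP 443.

```cisco
! Added example, not from the thread. Assumed addressing:
!   Gi0/0 = WAN, holds the one public IP from the ISP
!   Gi0/1 = inside segment 192.168.1.0/24, ASA outside interface = 192.168.1.2
interface GigabitEthernet0/0
 description Internet-facing WAN (single public IP)
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside segment toward the ASA outside interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Static PAT: traffic arriving on the WAN interface address on TCP 443 (SSL VPN)
! is translated to the ASA; the UDP 443 entry carries AnyConnect DTLS.
! Only these two ports are exposed; everything else to the public IP still
! terminates on the router.
ip nat inside source static tcp 192.168.1.2 443 interface GigabitEthernet0/0 443
ip nat inside source static udp 192.168.1.2 443 interface GigabitEthernet0/0 443
!
! Do not let the router's own HTTPS management server sit on the same public
! address and port; it should not be internet-reachable in the first place.
no ip http secure-server
!
! Checks after a client connects (assumed session):
! show ip nat translations | include 443
! show ip nat statistics
```

Two things to confirm on the ASA side: its default route must point at 192.168.1.1 so return traffic goes back through the router, and the identity certificate presented on the outside interface should carry the public hostname or address the remote users actually type, since they never see the 192.168.1.2 address. If DTLS is not enabled on the ASA, the UDP entry can be dropped.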

Hi,

What's your ISP hand-off? A Cisco ASA firewall normally has Ethernet ports. A Cisco router can also support IOS-based SSL VPN, but you'll need a higher platform for this feature and to offload on router memory and CPU. I would advise using the ASA firewall to act as the VPN termination point because of its flexible and innate (security level) security functions, and the router to do only WAN/routing functions.