I am currently doing some research on a setup for a datacenter. I am attaching what I have in mind for clarity. Basically we will have two ISPs using fiber connectivity and we will use BGP on the ISR to perform dynamic routing between the two ISP connections.
The firewall (ASA) will be terminating multiple IPSec site-to-site VPN tunnels going to multiple clients who will probably have either an ISR router or a small ASA firewall. Till now I think it makes sense.
The issue is that I would like to terminate the VPN tunnels from the various clients to different VLANs which will then go over a trunk to the inside interface of the ASA. I was reading about VRF-Lite and it seems that it is the feature that should be used in such cases, however I found out that the ASA does not support VRF-Lite.
What are your suggestions on this aspect? Should I trash the ASA idea and terminate the VPNs on the ISR router, using a VRF routing table per client and mapping it to a VLAN? I wanted to use the ASA for VPNs as it is faster than the ISR and is able to support more tunnels at higher throughput.
Is there a better way of implementing this setup perhaps using other devices such as the ASR?
Having worked with Cisco IOS, ASA and Checkpoint firewalls as VPN termination endpoints, I can tell you that for your design, I would definitely go with Cisco IOS, either with ASR 1002 or VXR-7201. You definitely do not want to use ASA for the VPN termination endpoint:
- ASA does not support GRE/IPSec. I am sure somewhere along the way, you will have requirements for GRE/IPSec. ASA just cannot do that.
- GetVPN and DMVPN. ASA, to my knowledge, does not support them.
- NAT inside the VPN tunnel and one-arm routing with VPN. Configuration is much easier on Cisco IOS than on ASA appliances.
- Support for multicasting along with VPN. This is much easier on Cisco IOS than on ASA appliances.
If you have any of the above requirements, either VXR7201 (depending on the throughput) or ASR1002 will give you performance just as good as the ASA with much more flexibility.
The strength of the ASA is firewall "stateful inspection". If your goal is to use the ASA just for VPN termination, a router is a much better option.
- IPSec VPN Termination to remote clients who will be using IOS routers or ASAs
Yes, with redundant ISPs. You will use a loopback interface on your router for VPN termination. Just remember to have this loopback IP address be available on the Internet so that your remote IOS routers or ASAs can reach it. Don't forget to use "crypto map local-address lo0" or something like that.
- VRF per client (as I do want to safely separate traffic and overlapping IPs might also be an issue)
I've never used VRF per client. However, you're making the problem harder than it seems. Just place the internal interface of the VPN behind a firewall so that you can inspect the traffic once it gets decrypted. A much cleaner solution.
- Each VRF terminates in a VLAN which can be trunked with other VLANs to the internal switches
Again, use the firewall to inspect the traffic after decryption, a much cleaner solution.
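As an added illustration (not a configuration posted by anyone in this thread), the IOS fragment below sketches the two pieces discussed above: site-to-site IPsec terminated on a loopback address (the "crypto map local-address" point), and the original poster's VRF-per-client idea, where each client's decrypted traffic lands in its own VRF and is handed off on a dot1Q VLAN subinterface towards the trunk to the inside firewall/switches. VRF names, VLAN numbers, peer addresses, subnets and pre-shared keys are constructed placeholders; the two clients are given the same remote LAN on purpose to show how separate VRFs keep overlapping address space apart.

```cisco
! --- Added example (hypothetical VRF-aware IPsec on an IOS VPN router) ---
! One VRF per client; route distinguishers are arbitrary placeholders
ip vrf CLIENT-A
 rd 65000:10
ip vrf CLIENT-B
 rd 65000:20
!
! Loopback used as the IPsec termination address.
! It must be advertised to the Internet (via the BGP edge router) so peers can reach it.
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
! One keyring per client; PLACEHOLDER-PSK-* are not real keys
crypto keyring KR-CLIENT-A
 pre-shared-key address 198.51.100.10 key PLACEHOLDER-PSK-A
crypto keyring KR-CLIENT-B
 pre-shared-key address 198.51.100.20 key PLACEHOLDER-PSK-B
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! The ISAKMP profile binds each peer to its inside VRF (IVRF)
crypto isakmp profile ISAKMP-CLIENT-A
 vrf CLIENT-A
 keyring KR-CLIENT-A
 match identity address 198.51.100.10 255.255.255.255
crypto isakmp profile ISAKMP-CLIENT-B
 vrf CLIENT-B
 keyring KR-CLIENT-B
 match identity address 198.51.100.20 255.255.255.255
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACLs: local VLAN subnet <-> remote client LAN.
! Both clients use 192.168.1.0/24 remotely; the source side keeps the entries distinct.
ip access-list extended ACL-CLIENT-A
 permit ip 10.0.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended ACL-CLIENT-B
 permit ip 10.0.20.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Source all tunnels from the loopback rather than the physical uplink address
crypto map CM-INTERNET local-address Loopback0
crypto map CM-INTERNET 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 set isakmp-profile ISAKMP-CLIENT-A
 match address ACL-CLIENT-A
crypto map CM-INTERNET 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS-AES
 set isakmp-profile ISAKMP-CLIENT-B
 match address ACL-CLIENT-B
!
! Outside (global table) uplink towards the BGP edge router
interface GigabitEthernet0/0/0
 description Uplink to Internet edge (global routing table)
 ip address 192.0.2.2 255.255.255.252
 crypto map CM-INTERNET
!
! Inside trunk: one VLAN subinterface per client VRF, trunked to the inside firewall/switches
interface GigabitEthernet0/0/1.10
 description VLAN 10 - CLIENT-A (decrypted traffic, to be inspected by the inside firewall)
 encapsulation dot1Q 10
 ip vrf forwarding CLIENT-A
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet0/0/1.20
 description VLAN 20 - CLIENT-B (decrypted traffic, to be inspected by the inside firewall)
 encapsulation dot1Q 20
 ip vrf forwarding CLIENT-B
 ip address 10.0.20.1 255.255.255.0
!
! Each VRF needs a route for the remote LAN that exits via the global-table uplink.
! The same prefix appears in both VRFs without conflict.
ip route vrf CLIENT-A 192.168.1.0 255.255.255.0 GigabitEthernet0/0/0 192.0.2.1 global
ip route vrf CLIENT-B 192.168.1.0 255.255.255.0 GigabitEthernet0/0/0 192.0.2.1 global
```

After the tunnels come up, "show crypto session" lists each peer with the VRF it was bound to, and "show ip route vrf CLIENT-A" confirms that the client's remote prefix lives only in that client's table. Whichever approach is chosen, the decrypted VLANs still carry untrusted customer traffic, so they should be inspected by the inside firewall before reaching the datacenter networks, as the replies above recommend.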
I am glad that it seems the ASR should be fit for the job. I have one last question I would like to ask. If I will not use VRF and use the firewall solution that you are suggesting, can I use the firewalling feature in the ASR itself or do I need a separate firewall appliance (say an ASA) for this job?
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router :