For site-to-site IPSec VPN, what is the better option: IOS (IOS-XE) router or ASA?

amp512_nyph
Level 1

We are building a new VPN infrastructure for site-to-site IPSec VPN for about 200 vendor connections with IPSec throughput of about 300Mbps. We also need high availability, so whatever we choose, routers or ASAs, would have to be set up with active/standby failover, and all our vendors will receive a single IP address (via HSRP or ASA failover setup) for peering. What is the better option to satisfy these needs: a pair of Cisco IOS-XE routers (4000 Series ISR - 4431) or a pair of Cisco ASAs (5555-X)?


What are pros and cons of using routers versus ASAs for VPN termination?

Thanks.

3 Replies

Philip D'Ath
VIP Alumni

Hands down, take the ISR 4431. ASA is good for simple site-to-site VPNs. ASA is excellent for user-to-site. I often deploy routers for site-to-site VPNs, and an ASA beside it for user-to-site VPNs to get the best of both worlds.

Things you can only do on a router:

* VRFs (can be great when you have customers with overlapping address spaces)

* "Proper" PBR

* Sophisticated routing

* GRE over IPSec

* iWAN / FlexVPN / VTIs

* Complex NAT without tying yourself in knots.

* Dynamically assigned IP addresses for remote VTIs for low touch mass VPN configuration.

* You can simultaneously do active/standby (via HSRP) for those peers that can only do simple VPNs, and at the same time active/active for those that can support it.

Note that on the routers you need both an HSEC licence and the performance licence to get increased crypto throughput. And do yourself a favour and get the AppX licence as well.

Philip,

Regarding your comment on complex NATs, can you give me an example? I always thought firewalls in general, so ASA included, do a better job at NAT than routers.

Thanks.

Complex NAT example: You have two customers with overlapping address spaces, so you place them into separate VRFs and NAT them back into your global VRF.

On an ASA you pretty much can't have multiple connections using the same address space.

On a router you can use route-maps to control NAT. Route-maps are incredibly flexible and powerful, and if I thought long enough about it I could probably come up with other unique things you can do on an ASA.

Really modern ASA software has route-maps, but only for routing and PBR.
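As an added illustration of the VRF-plus-route-map NAT pattern described in the reply above (this is example configuration written for this thread, not Philip's or Cisco's own config; the VRF names, interface numbers, the 10.1.1.0/24 overlap, the 100.64.x.x pools and the Tunnel interfaces are all assumed), here is how two vendors that both use 10.1.1.0/24 can be kept apart on an IOS-XE router and translated into distinct, non-overlapping ranges in the global table before their traffic leaves over its own VTI:

```cisco
! --- Assumed topology: two vendor VRFs with identical inside address space ---
vrf definition VENDOR-A
 rd 65000:1
 address-family ipv4
 exit-address-family
!
vrf definition VENDOR-B
 rd 65000:2
 address-family ipv4
 exit-address-family
!
! Vendor A inside interface (10.1.1.0/24) lives in VRF VENDOR-A
interface GigabitEthernet0/0/1
 vrf forwarding VENDOR-A
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Vendor B inside interface (also 10.1.1.0/24) lives in VRF VENDOR-B
interface GigabitEthernet0/0/2
 vrf forwarding VENDOR-B
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Per-vendor VTIs sit in the global table; tunnel source/destination
! and the IPsec profile are assumed and omitted here
interface Tunnel1
 ip nat outside
interface Tunnel2
 ip nat outside
!
! Same ACL is reused for both vendors because the inside space is identical;
! the VRF keyword on the NAT statement is what keeps the two apart
ip access-list extended VENDOR-INSIDE
 permit ip 10.1.1.0 0.0.0.255 any
!
! Route-maps add the second condition: only translate traffic that is
! actually leaving via that vendor's own tunnel
route-map NAT-VENDOR-A permit 10
 match ip address VENDOR-INSIDE
 match interface Tunnel1
!
route-map NAT-VENDOR-B permit 10
 match ip address VENDOR-INSIDE
 match interface Tunnel2
!
! Distinct global-side pools so the two overlapping /24s never collide
ip nat pool POOL-A 100.64.1.1 100.64.1.254 prefix-length 24
ip nat pool POOL-B 100.64.2.1 100.64.2.254 prefix-length 24
!
! Inside is the named VRF, outside is the global table (no match-in-vrf)
ip nat inside source route-map NAT-VENDOR-A pool POOL-A vrf VENDOR-A
ip nat inside source route-map NAT-VENDOR-B pool POOL-B vrf VENDOR-B
!
! Static one-to-one entries for hosts the vendor must reach inbound
ip nat inside source static 10.1.1.10 100.64.1.10 vrf VENDOR-A
ip nat inside source static 10.1.1.10 100.64.2.10 vrf VENDOR-B
```

Because each `ip nat inside source` statement is scoped to a VRF, the identical 10.1.1.10 host in each vendor's network gets its own global address, and the route-map's `match interface` keeps a packet from being translated into the wrong pool if routing ever sends it out the other tunnel. `show ip nat translations vrf VENDOR-A` and the same for VENDOR-B show the two translation tables separately, which is a useful check that nothing is leaking between vendors.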