We are in the middle of planning a DR site for our HQ office. One of the requirements is to be able to allow Internet-based users who are accessing our DR site web server access to our HQ network via a publicly routable IP.
Over 90% of the traffic from our DR site web server is to/from the Internet and back to the user. However, the other 10% from the DR site web server is authentication traffic to our HQ dbase server. Once the users are logged in, most of the remaining traffic is between the user and the DR site web server only. My question is: would it be best to set up IPsec between the DR site ASA and the HQ site ASA just for the authentication, or would it be better to do GRE?
Would it be best just to use IPSEC? I'm a little new to the ASA but have worked on PIX 515s before (a couple of years ago, so I'm not a major practitioner).
The main challenge seems to be to allow Internet-based users to authenticate from their insecure host(s) on the Internet to our secure dbase server at HQ. Once they're authenticated, most of the remaining traffic will come from the web server at our DR site, which is closer to them, so tunneling to our HQ will not be needed after that. How much bandwidth will IPSEC use per user? The DR site has a 10MB pipe and our HQ site has a 20MB pipe.
The overhead introduced by IPSEC depends on the tunneling mechanism you will use. But it seems you have a lot of bandwidth and that should not be a major issue. If you will use the ASA/PIX to terminate your tunnel, then your only option is IPSEC direct encapsulation. GRE is not supported on the ASA/PIX.
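
To put numbers on "depends on the tunneling mechanism", here is an added example (not from the thread) that computes the per-packet ESP overhead for IPsec direct encapsulation, with GRE-over-IPsec shown only for comparison. It assumes IPv4, no NAT traversal, and the transform sizes listed in the table; the packet sizes are constructed samples.

```python
"""Per-packet ESP overhead for IPv4 (added example; transform sizes are assumptions)."""

IPV4_HDR = 20      # outer IPv4 header, no options
GRE_HDR = 4        # basic GRE header, no key/sequence/checksum
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# transform -> (IV bytes, padding alignment, ICV bytes)
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-gcm-16": (8, 4, 16),
}

# encapsulation -> bytes placed in front of the inner packet before encryption
ENCAPS = {
    "ipsec-tunnel": 0,                        # direct encapsulation
    "gre-ipsec-transport": GRE_HDR,           # GRE delivery header reused as outer IP
    "gre-ipsec-tunnel": IPV4_HDR + GRE_HDR,   # whole GRE packet wrapped again
}


def wire_size(inner_len, encap="ipsec-tunnel", transform="aes-cbc/hmac-sha1-96"):
    """Size on the wire of one inner IPv4 packet of inner_len bytes."""
    iv, align, icv = TRANSFORMS[transform]
    plaintext = ENCAPS[encap] + inner_len + ESP_TRAILER
    padded = plaintext + (-plaintext) % align   # pad up to the cipher alignment
    return IPV4_HDR + ESP_HDR + iv + padded + icv


def overhead_pct(inner_len, **kw):
    """Extra bytes as a percentage of the inner packet."""
    return round(100.0 * (wire_size(inner_len, **kw) - inner_len) / inner_len, 1)


if __name__ == "__main__":
    for size in (64, 576, 1400):   # constructed sample packet sizes
        for encap in ENCAPS:
            print(f"{size:5d} B  {encap:20s} {wire_size(size, encap=encap):5d} B "
                  f"(+{overhead_pct(size, encap=encap)}%)")
```

Small packets such as short authentication queries carry a far higher relative overhead than full-size packets, which is why the percentage matters more than the fixed byte count when sizing the tunnel.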