Cisco Support Community

New Member

Question: VPN pros and cons

As I understand it, VPNs can be set up as follows:

- same device: router-to-router or firewall-to-firewall

- different device: router-to-firewall or firewall-to-router

Some say that for trusted networks, e.g. branch offices, firewall-to-firewall VPNs are better.

And for untrusted networks router-to-router VPNs are better.

My question is what the pros and cons are for same-device VPNs, e.g. router-to-router and firewall-to-firewall.

From a security point of view, which would be better for a trusted and for an untrusted network?



Super Bronze

Hi, I am not sure I follow



I am not sure I follow you with the trusted/untrusted terms. What exactly do you mean by them in this case?

With Cisco devices I'd say the first thing that comes to mind as a pro for the same type of devices is that they have/support the same capabilities. Cisco routers support many more ways to configure VPN connections. They are better in the situation where you have several sites, as you can run secure VPN connections and routing between the sites. From a service provider perspective the routers also provide better options for virtualizing/separating the different customers' connections on the same device. Cisco ASA does not provide as many options for doing the same as the routers.

I don't really have that much experience with configuring large VPN setups with Cisco routers to really tell much about them. We mostly use Cisco ASA, so I have not gotten too much exposure to the router side of doing things.

I personally prefer doing VPNs on the Cisco ASA as it provides a better view of the actual VPN situation and more troubleshooting tools. If I had control over what devices to use and more time on my hands I would surely use routers a lot more.


- Jouni

New Member

Hi, thanks for the reply.

With trusted I mean branch offices, since they are part of the corporate network.

Untrusted is everything else; maybe this example does not make any sense, but you can compare an untrusted network with a branch office from another company. I hope you understand.

So if I am correct, your preference is ASA based on the GUI for troubleshooting?

I have read an article that Cisco also has a GUI tool for setting up/troubleshooting VPNs on routers, only I forgot what the GUI tool is called.


Super Bronze

Hi, I am not sure if the



I am not sure if the trusted/untrusted scenarios really play into which type of device you choose for the VPN (at least for me so far). I'd say that usually the device type is dictated by the requirements of the environment. (Are there multiple sites? Do you require dynamic routing between sites? What features need to be supported on the devices?)


I have worked with an ISP since I graduated, and that has for the most part meant that I don't get to set up new VPN environments that often. This is because there are usually only the specific platforms (already existing and in use) that host all the customer VPN services, and new devices are not needed for a new customer. So this in itself limits my chances to get to set up separate large VPN environments. This is also due to the fact that we use the ISP network and other ISPs to connect the different customer locations through an MPLS network, so an actual VPN solution is not always required.


My personal preference for building VPN connections is Cisco ASA, but this is again mostly due to the fact that I used the PIX firewall at the end of my studies and started working with Cisco PIX/ASA/FWSM when I started working. Also, as it's an actual firewall device, I find that it gives me a lot more information and ways to troubleshoot a situation. I am not necessarily referring to the GUI. I don't really use it for configuration tasks at all, but might use it to check firewall logs when I quickly need to check some problem. Then again, the Cisco routers can also be obtained with software/licenses which enable stateful firewall capabilities on them, but that again is a subject that is not really familiar to me but something I should really learn. :)


I really regret that I have not gotten to use Cisco routers more, as I am sure that they offer a lot more possibilities to handle VPNs and routing-related setups than the Cisco firewalls. I simply have not had the chance to get to know them that much, as my employer has used ASA firewalls more. Also, the fact that I lack experience with the Cisco routers for VPN purposes is a cause why I find them less straightforward to configure than the Cisco ASA.


If I had to start building a completely separate network for a company with multiple remote sites (which I really have not had to do, or have not had the chance to do, before) I would have to say that I would probably use Cisco routers rather than Cisco firewalls. Then again, I might use Cisco routers to handle the connectivity between the sites but still use Cisco firewalls for actual firewalling purposes if possible.


With regard to the GUIs on the Cisco routers, I think it used to be called SDM, though with a quick look I am not sure if that is used any more. I am not sure if Cisco Configuration Professional is the name of the new GUI for Cisco routers. I am not even actually sure what platforms support it.


Here are a couple of links related to that


- Jouni
