I have been tasked with the implementation of a firewall and remote-access VPN solution.
We have procured a pair of ASA5520 firewalls with AIP-20 IPS modules. We also have procured a 2811 router with a VPN module.
Which would be a better solution? To set up the remote-access VPNs on the ASA firewalls, or on the 2811 router? I plan to place the router between the firewalls and the ISP.
It is my understanding that you lose some functionality of the ASA devices when/if you configure them for VPN termination... I also want to utilize the IPS modules to monitor as much traffic as possible.
The biggest advantage of terminating VPNs on an IOS router over a PIX/ASA is that the QoS capabilities in IOS are far superior to those of the PIX/ASA. If this is not an issue, I would recommend the ASA. You should be able to monitor decrypted traffic using the IPS modules on the ASA device; maybe someone else can verify this?
As srue said, the QoS capabilities are better with IOS; however, please take into consideration that the encrypted packets still have to go over the internet, where you have no control of QoS. With the 7.x code there are certain QoS features like LLQ and policing, and usually they are enough for most applications.
In regards to using the AIP module, if you use the ASA as the termination point you will be able to send traffic to the module just fine. If you use the IOS router then the AIP module won't be able to look at the VPN tunnel (as it will be encrypted).
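As an added illustration (not part of the thread) of the point above: on the ASA, traffic is handed to the AIP module through the Modular Policy Framework, and because the ASA decrypts remote-access VPN traffic it terminates before applying the service policy, that traffic reaches the module in cleartext. The class-map name is an assumption; `global_policy` is the ASA's default global policy.

```cisco
! Assumed class name; "match any" sends all traffic through the ASA to the IPS module,
! including remote-access VPN traffic after the ASA has decrypted it.
class-map IPS_CLASS
 match any
!
! Attach the class to the default global policy. "inline" puts the module in the
! forwarding path so it can drop; "fail-open" keeps traffic flowing if the module fails.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global
```

Use `ips promiscuous` instead of `ips inline` if the module should only monitor and alert rather than drop; `fail-close` stops forwarding the matched traffic when the module is unavailable.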
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: