Cisco Support Community
New Member

Router-to-Router VPN Security

Hi there,

Should we worry about the security of a router-to-router VPN over the Internet (IPsec)?

We have two offices.

Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.

Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.

Office B has private subnets that extend to 7 hops away. (running RIP)

If we want to set up a site-to-site VPN between these two offices, should we set it up on the ASAs or the routers?

If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?

How do we defend our routers then?

Thanks in advance!

-Andrew


4 REPLIES
Bronze

Router-to-Router VPN Security

Hi,

When it comes to site-to-site VPN I usually prefer routers. With a little bit of tweaking of NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.

The advantage of IOS-based VPN is, e.g., the possibility of running routing protocols through the VPN tunnels, which gives another level of resiliency. Configure tunnel interfaces on the routers with a tunnel mode IPsec and a tunnel protection profile. You can then run, e.g., EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.

Rgds, MiKa
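The following IOS configuration is an added example that is not part of this thread; it shows what Mika's suggestion looks like on one router (Office A): a static IPsec VTI (tunnel mode ipsec ipv4 plus tunnel protection), EIGRP with MD5 authentication across the tunnel, and an inbound ACL on the Internet-facing interface that answers the original question of how the router defends itself when it has a public interface. All addresses (192.0.2.0/24 and 198.51.100.0/24 for the public side, 10.1.0.0/16 and 10.2.0.0/16 for the offices, 172.16.0.0/30 for the tunnel), interface names, key strings and the EIGRP AS number are made up for the illustration; Office B mirrors this configuration with the addresses swapped.

```cisco
! Router A (Office A) - added example; addresses, names and keys are placeholders
!
! IKE phase 1: pre-shared key with the Office B public address
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
!
! IKE phase 2 proposal and the profile that protects the tunnel interface
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256-SHA
!
! Key chain used to authenticate EIGRP hellos on the tunnel
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-KEY
!
! Routed IPsec virtual tunnel interface to Office B; routing protocols run over it
interface Tunnel0
 description IPsec VTI to Office B
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 tunnel source 192.0.2.2
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Internet-facing interface: only the IPsec peer may reach the router from outside
interface FastEthernet0/0
 description Internet
 ip address 192.0.2.2 255.255.255.252
 ip access-group INTERNET-IN in
!
ip access-list extended INTERNET-IN
 remark IKE (UDP/500), NAT-T (UDP/4500) and ESP from the Office B peer only
 permit udp host 198.51.100.2 host 192.0.2.2 eq isakmp
 permit udp host 198.51.100.2 host 192.0.2.2 eq non500-isakmp
 permit esp host 198.51.100.2 host 192.0.2.2
 deny ip any any log
!
! EIGRP: advertise the office LAN and the tunnel, form neighbours only over the tunnel
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 172.16.0.0 0.0.0.3
 passive-interface default
 no passive-interface Tunnel0
```

Decrypted packets arrive on Tunnel0, not on FastEthernet0/0, so the INTERNET-IN ACL filters only what the Internet can send to the router itself; with the final deny, management and any other service must come in through the tunnel or the inside interface. If the router sits behind the ASA with a static NAT instead, the same UDP/500, UDP/4500 and ESP rules move to the ASA's outside ACL and the router's tunnel source becomes its inside address. After bringing up both ends, `show crypto session` and `show ip eigrp neighbors` confirm that the SA is UP-ACTIVE and that the neighbour is reachable through the tunnel; a second tunnel over a second uplink gives EIGRP the alternate path Mika describes.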

New Member

Router-to-Router VPN Security

Thank you for the advice, Mika!

Cisco Employee (Accepted Solution)

Router-to-Router VPN Security

If you are really worried about your routers, you can run L2L IPsec between your ASAs and then a GRE tunnel from router to router to achieve this solution as well. That way you can run dynamic RP between the sites and leave the FW running security and filtering, example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

This is a very common deployment method.
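The configuration below is an added example, not part of the thread or of the linked Cisco document; it shows the Office A side of the design the accepted answer describes: the ASA 5510 terminates the LAN-to-LAN IPsec tunnel and encrypts only GRE between the two routers' loopbacks, while the 2811 behind it runs a plain GRE tunnel and RIPv2 (the protocol Office B already uses) across it. ASA syntax is pre-8.3 (nat 0 / crypto isakmp), which is an assumption about the firmware; all addresses (192.0.2.2 and 198.51.100.2 for the two ASA outside interfaces, 10.1.255.1 and 10.2.255.1 for the router loopbacks, 10.1.1.0/24 for the ASA-to-router link, 172.16.0.0/30 for the GRE tunnel), names and keys are placeholders.

```cisco
! ==== ASA 5510, Office A - added example, pre-8.3 syntax, placeholder values ====
!
! Only GRE between the two router loopbacks is "interesting" traffic for the tunnel;
! everything the offices exchange rides inside that GRE session.
access-list CRYPTO-B extended permit gre host 10.1.255.1 host 10.2.255.1
access-list NONAT extended permit ip host 10.1.255.1 host 10.2.255.1
nat (inside) 0 access-list NONAT
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ipsec transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address CRYPTO-B
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Default route to the ISP; the remote loopback is reached via the crypto map on outside.
route outside 0.0.0.0 0.0.0.0 192.0.2.1
! Everything in Office A (including Router A's loopback) sits behind Router A.
route inside 10.1.0.0 255.255.0.0 10.1.1.2
!
! ==== Router A (2811), Office A - added example, placeholder values ====
!
interface Loopback0
 ip address 10.1.255.1 255.255.255.255
!
! Inside link towards the ASA (ASA inside = 10.1.1.1)
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
!
key chain RIP-KEYS
 key 1
  key-string REPLACE-WITH-RIP-KEY
!
! GRE tunnel between the loopbacks; the ASAs encrypt it on the way across the Internet
interface Tunnel0
 description GRE to Router B over the ASA L2L tunnel
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.2.255.1
!
! Host route for the far loopback via the ASA, so the GRE endpoint is never
! learned through the tunnel itself (static AD 1 beats RIP's 120).
ip route 10.2.255.1 255.255.255.255 10.1.1.1
!
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
```

Because `sysopt connection permit-vpn` is on by default, decrypted traffic bypasses the ASA's outside ACL; the crypto ACL therefore does the limiting, and only GRE between the two loopbacks ever leaves the tunnel, so the firewall keeps its ordinary role for everything else. The GRE keepalive brings Tunnel0 down when the far loopback stops answering, which lets RIP withdraw the routes instead of waiting for its timers. Office B's 7-hop RIP domain plus the tunnel stays well inside RIP's 15-hop limit. `show crypto ipsec sa` on the ASA (traffic counters on the GRE selector) and `show ip route rip` on the router confirm that Office B's subnets are learned across the tunnel.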

New Member

Router-to-Router VPN Security

Good point, Nicholas!

Why didn't I think of that?  : )

Thanks!
