Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site To Site VPN Options

Hello all,

Just a question in regards to site to site VPN's. I currently am currently trying to design a temporary network solution for the company that I work at.

We are trying to provide connectivity to a temporary site that is around 200 miles away from our current HQ.

Both sites have connections to the public internet, so I was thinking that we could use a site to site VPN using Cisco ASA's. The current connection at the remote location is a T1.

I'm wondering what kind of performance I would have implementing a site to site VPN using Cisco ASA's. There could potentially be around 50-75 users.

I'm not very experienced with VPN's in general (other than Juniper SSL)... I'm more of a R&S guy. So, if there's a better solution out there, I'm all for hearing about it.

Thanks for any help / information in advance!

Jonathan Kloza -

3 REPLIES
New Member

Re: Site To Site VPN Options

Hi Jonathan,

the performance you would have in the sense on bandwidth would depend on the internet connections at the remote site and the "HQ". The slowest internet connection (Upload or Download) would be your bottleneck. The T1 should give you about 1.5Mbps.

If that would be enough for your 50-75 users would depend on the type of application they use. You should take the bandwidth required by the application for one user and multiply it by the amount of users you have. Then you check whether your slowest connection supports these requirements. Take note that VPN connections also have some overhead.

If these internet connections are also used for surfing the web, guaranteeing bandwidth becomes more difficult. In that case some sort of QoS would be needed.

Delay and jitter could be an issue, again depending on the applications you are using. Our VPN connections here between locations in Germany usually have about 40-100ms delay, which is good in most cases (even for VoIP).

If you are concerned about VPN throughput of the ASA itself...the 5505 has a 100Mbps throughput, which would most likely be more than you need considering you have a T1 at one end.

And finally make sure you have enough user licenses on your ASAs.

hth

Ingo

New Member

Re: Site To Site VPN Options

Thank you very much for the reply. There won't be any delay sensitive applications, mostly web / exchange chatter...

You mentioned licenses on my ASA's, I was under the impressions that the site to site IPSec VPN was a "persistent" connection, do I still need user liceses on my ASA...

I've found some SRND's / design overviews that have been helpful, specifically the IPsec VPN WAN design overview, which uses Cisco IOS to create the connection between two "VPN" routers, 18XX / 28XX / 38XX. Is it possible to use a 37XX router? Are there specific modules that I would need?

Thanks again for your help!

Jon

New Member

Re: Site To Site VPN Options

Hi Jon,

yes unforunately connections made through the VPN do use up user licenses. The mechanism is explained here in short:

http://6200networks.com/2009/01/27/asa-5505-question/

Of course you can also use a Router to establish a VPN between 2 sites. I haven't done this alot, so I can't give you explicit advice.

To my knowlege you can configure a a VPN on most Cisco Routers or Layer 3 Switches (e.g. with a routed port) with the appropriate IOS and feature set. The newer IOS also have an integrated Zone-Based Firewall, which you can configure, making them even more flexible and secure than the old CBAC Firewall.

Info on the Zone-based Firewall:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html

One thing that you should consider is using fixed IP's for your VPN connections. At least one side has to have a fixed IP for an ASA-ASA vpn tunnel to work reliably.

576
Views
5
Helpful
3
Replies