
New Member

Suitable VPN option?

Hi,

I am planning to deploy a VPN connection between the Head Office, a couple of branch offices and Remote Access VPN.

Some of the offices have a router as internet facing and others have a firewall as internet facing.

I am planning; if all the VPN connections are terminated in one place, it would be easy. I have configured several options. I thought of DMVPN initially. I guess I can't implement DMVPN on firewall and remote access VPN. Am I right..?

Then I thought about GRE/IPSec VPN, so that I could use dynamic routing protocols for routing. But again, I assume ASA / PIX will have some issues with GRE.

Could anyone please suggest any suitable options for me? The main requirements are: I have routers as well as firewalls at the front end, and I want to use dynamic routing protocols for routing.

Cheers

6 REPLIES

Re: Suitable VPN option?

Hi,

To use an IGP, plain IPsec is not going to work.

To be able to have a DMVPN network or IPsec/GRE you need routers (ASA will not work).

So, there's no problem with the routers, but with the ASAs, from the ASA's 7.x code you can run OSPF via IPsec.

Take a look:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Federico.

New Member

Re: Suitable VPN option?

Hi, I have heard about this. But my question is, if I do IPSec with OSPF, it will be between two ASA/PIX. Isn't it..?

How about the connection between the router & firewall?

Please keep in mind that I want all the VPN connections to be interconnected (Hub & Spoke), so that the traffic can pass through between all the locations.

The ideal VPN connection will look like this.

Cheers

Re: Suitable VPN option?

The OSPF configuration through IPsec between ASAs is because the actual OSPF is unicast through the tunnel.

The only way I see this working between a router and an ASA is if the router is configured for point-to-point non-broadcast (have not tried it).

The problem that I see is that for VPNs, the ASA only supports plain IPsec or SSL.

Only the routers support regular dynamic routing protocols by means of DMVPN, GRE/IPsec, GETVPN, VTIs, etc.

The ideal scenario that you're looking for will work perfectly with just routers, or using the Firewalls, but trying the OSPF configuration.

Federico.

New Member

Re: Suitable VPN option?

Is this a weird scenario I only have..? I was thinking, this is a more general design in any big companies?

How about using just static routes, rather than the routing protocols..? Since I have only a few remotes, can I use normal IPSec VPN with static routes to connect to all sites from any spoke in a hub and spoke model..?

Re: Suitable VPN option?

You can use static routes to the ASAs and that will work fine.

If there are only a few ASAs, you can still run an IGP between the routers.

The restriction of the ASA is basically this:

They don't support a routing protocol through the IPsec tunnel, because they only run plain IPsec.

Federico.

New Member

Re: Suitable VPN option?

I will try the static route option in the next couple of days and update here.
