Cisco Support Community

New Member

VPN architecture and config question

Hello cisco experts,

I need some help changing my current configuration to add a Cisco 2821 for a site-to-site VPN architecture. I'll attempt to explain this as well as I can.

My current setup is a core 6509E that all my access layer devices and servers are connected to. The default IP route specifies the next hop as our Nokia/Checkpoint firewall. All traffic goes through the firewall and either returns to the core for internal routing/switching or, if it is external traffic, goes out the internet link to the ISP we use. We do not have a public IP, because we are required to use this ISP and have no other choice.

So, traffic goes from our core 6509E to a Nokia/Checkpoint and then to our ISP as the default gateway. The Nokias are currently performing the VPN portion for traffic going to a sister site.

We are going to be swapping out the Nokias for Juniper firewalls and I need to figure out how to implement the Cisco 2821s to handle the VPN traffic. I was thinking of making a route statement to send all traffic destined for the sister site IP range to the Cisco 2821 to perform the IPsec VPN and then send it back through the core.

ANY suggestions are welcome.


Re: VPN architecture and config question


You need to make sure that the functions carried out by your Nokia/Juniper firewalls are still taken care of if you remove them from the network.

You need to identify the features being offered by these devices before you remove them from the network. If you are not really sure about that, it is better to check the configs and docs for them.

You can make use of the router to act as an IPsec VPN tunnel endpoint for your remote locations so that the traffic between your location and the remote site will be safe/secure.

Once the decryption of the remote end's data is done at the router, the packets can be routed internally to your internal network.

Also, before replacing the devices you need to work out the required ports/capacity before placing the PO.


New Member

Re: VPN architecture and config question

The Juniper firewalls will replace the Nokias after I get the site-to-site VPN up and running. Since the Nokias currently run the VPN portion as part of their capabilities, I need to move the VPN to the Cisco 2821s I have. We will not be configuring the VPN endpoints as part of our new Juniper firewall installation.

So my question is: what is the best way to do this with my current topology?

I can get the configurations correct, as I have configured VPN endpoints before, but I am unsure how to change my topology to have the 2821s as my endpoints. Do I make a trunk from the core 6509E to the 2821 and then run it back through the core on another trunk? Do I use two ports on the core, change them from switchport to Layer 3, and put IPs on them to go to my 2821s? I know there are a few ways to do this, but I keep getting stuck on which way to go.

I am open to any suggestions.
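The "two routed ports on the core" option from the question above, written out as an added IOS example (not configuration from the original thread or from any of the posters). All addresses, interface names, the peer address 203.0.113.10, the LAN prefixes 10.10.0.0/16 (local) and 10.20.0.0/16 (sister site), and the ACL/map names are constructed placeholders; the core keeps its existing default route to the firewall, and only the sister-site prefix is steered to the 2821 for encryption.

```ios
! --- Core 6509E ---
! Two ports converted from switchport to routed (Layer 3) interfaces.
interface GigabitEthernet1/1
 description Inside leg to 2821 (cleartext from the LAN)
 no switchport
 ip address 10.255.0.1 255.255.255.252
!
interface GigabitEthernet1/2
 description Outside leg from 2821 (ESP/IKE toward the firewall)
 no switchport
 ip address 10.255.0.5 255.255.255.252
!
! Only the sister-site LAN is sent to the 2821; everything else still
! follows the existing default route to the firewall (placeholder next hop).
ip route 10.20.0.0 255.255.0.0 10.255.0.2
ip route 0.0.0.0 0.0.0.0 10.0.0.254

! --- Cisco 2821 ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.10
!
crypto ipsec transform-set SISTER-TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: which cleartext flows get protected by the tunnel.
ip access-list extended SISTER-VPN
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map SISTER-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set SISTER-TS
 match address SISTER-VPN
!
interface GigabitEthernet0/0
 description Inside leg from core (receives cleartext, returns decrypted)
 ip address 10.255.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Outside leg toward core/firewall (crypto map applied here)
 ip address 10.255.0.6 255.255.255.252
 crypto map SISTER-MAP
!
! Encrypted packets leave via the outside leg; decrypted packets for the
! local LAN go back to the core over the inside leg.
ip route 0.0.0.0 0.0.0.0 10.255.0.5
ip route 10.10.0.0 255.255.0.0 10.255.0.1
```

The firewall that stays in the path has to permit IKE (UDP/500, plus UDP/4500 if NAT traversal is in play because there is no public IP on site) and ESP between the 2821's outside address and the peer, and the peer must be configured with a mirror-image crypto ACL.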
