New Member

VPN design for branch office

Hi,

I'm looking for some feedback regarding any issues with the following design.

We currently have a HQ site with a 100Mbps internet connection which terminates on an outside L2 switch. A Cisco ASA 5520 is then connected to the L2 switch and configured with a public IP address. The Cisco ASA firewall is configured with NAT and is handling all internet traffic from HQ.

I need to add a branch site via a VPN but we need the ability to use multicasting over the VPN and also to use the HQ site for all internet traffic, so the branch will use a default route towards the HQ and then traffic hairpins back out to the internet.

I was thinking of installing a Cisco 2900 series router in parallel to the Cisco ASA with one interface connected to the outside switch and internal interface connected to the HQ switch, then configuring GRE over IPsec and then advertising out the default using EIGRP. Physical design similar to the attached.

Does anyone see any issues with this configuration? Would it be better to connect the 2900 LAN to a DMZ interface on the ASA for security?

Thank you

Accepted Solutions
VIP Purple

Re: VPN design for branch office

That's a design I use quite often (for customers with "normal" security-needs) which works very well. As an inside-switch I always use a Layer3-switch with two transfer-networks, one to the router(s), one to the ASA(s). With that you have full control over the routing on the L3-Switch.

As a variation for customers who want to filter the branch-traffic also on the ASA I connect the internal interface of the router to a DMZ-interface on the ASA. Then there is only one device (the ASA) for policy-enforcement instead of two (ASA and router). In the old days of the VPN-concentrator I also had the public interface of the VPN-gateway on a DMZ to protect the VPN-gateway from the internet, but that complicates the routing very much.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: VPN design for branch office

Thanks karsten,

Is there any benefit/disadvantage of placing the VPN router behind the ASA on a private IP address and then using NAT on the ASA to forward the VPN traffic to the router? I'm just thinking that it's one public-facing device to worry about.

VIP Purple

Re: VPN design for branch office

That of course can be done but again complicates the routing. As mentioned, years ago I configured it that way with the VPN3000 as I never trusted the ACLs of this device. Another scenario is when there is no public IP available for the router on the outer subnet of the ASA. Then it could be needed to place the router behind the ASA.

But again: with a VPN router that only allows IPsec from the internet, it's very likely that this device will not become the weakest link in your security-chain and that design should be good to use.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: VPN design for branch office

Thanks for your help, that's very useful.
